events File
Purpose
Contains information about system audit events.
Description
The /etc/security/audit/events file is an ASCII stanza file that contains
information about audit events. The file contains a single stanza, auditpr, which
lists all the audit events in the system. The stanza also contains the formatting information that the
auditpr command needs to write an audit tail for each event.
Each attribute in the stanza is the name of an audit event, with the following
format:
AuditEvent = FormatCommand
The root user can edit the events file by using the vi editor. Comments in
an events file begin with an asterisk (*).
The format command can take the following parameters:
| Parameter | Description |
|---|---|
| (empty) | The event has no tail. |
| printf Format | The tail is formatted according to the string supplied for the Format parameter. The %x symbols within the string indicate places for the audit trail to supply data. |
| Program -i n Arg ... | The tail is formatted by the program that is specified by using the Program parameter. The -i n parameter is passed to the program as its first parameter, indicating that the output must be indented by n spaces. Other formatting information can be specified with the Arg parameter. The audit event name is passed as the last parameter. The tail is written to the standard input of the program. |
Audit Event Formatting Information
| Format | Description |
|---|---|
| %A | Formatted output is similar to the aclget command. |
| %c | Format a single byte as a character. |
| %D | Formatted as a device major and minor number. |
| %d | Formatted as a 32-bit signed decimal integer. |
| %F | Formatted as an absolute path after any dot (.) or double dots (..) within the path are removed. |
| %G | Formatted as a comma-separated list of group names or numerical identifiers. |
| %L | Formatted as a text string that describes the identity that is associated with an Internet socket and the socket itself. |
| %ld | Formatted as a 64-bit signed decimal integer. |
| %lo | Formatted as a 64-bit octal value. |
| %lx | Formatted as a 64-bit hexadecimal value. |
| %lX | Formatted as a 64-bit hexadecimal value with uppercase letters. |
| %o | Formatted as a 32-bit octal integer. |
| %P | Formatted output is similar to the pclget command. |
| %S | Formatted as a text string that describes an Internet socket. |
| %s | Formatted as a text string. |
| %T | Formatted as a text string that includes the date and time with 6 significant digits for the seconds (DD Mmm YYYY HH:MM:SS:mmmuuu). |
| %u | Formatted as a 32-bit unsigned integer. |
| %x | Formatted as a 32-bit hexadecimal integer. |
| %X | Formatted as a 32-bit hexadecimal integer with uppercase letters. |
| %% | A single '%' character. |
Security
- Access Control: This file must grant read (r) access to the root user and members of the audit group, and grant write (w) access only to the root user.
Examples
To format the tail of an audit record for new audit events, such as FILE_Open
and PROC_Create, add format specifications like the following to the
auditpr stanza in the /etc/security/audit/events file:
auditpr:
        FILE_Open = printf "flags: %d mode: %o \
                fd: %d filename: %s"
        PROC_Create = printf "forked child process %d"
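The following is an added example, not part of the IBM documentation and not the auditpr command's own code. It parses the stanza syntax described above (asterisk comments, the auditpr: stanza header, AuditEvent = FormatCommand attributes, and the backslash line continuation shown in the example) and then checks each format command against the three parameter forms and the conversion table. The input is a constructed sample; the event names other than FILE_Open and PROC_Create, and the program path /usr/local/bin/fmt_custom, are hypothetical. A check like this is useful before activating a modified events file, because a conversion that auditpr does not recognise means the tail of that event is not rendered as intended.

```python
"""Validate the auditpr stanza of an AIX-style events file (added example)."""
import re
import shlex

# Conversion specifiers taken from the formatting table on the page.
# '%' followed by anything else is reported as unknown.
CONVERSION_RE = re.compile(r"%(ld|lo|lx|lX|[AcDdFGLoPSsTuxX%])?")

# Constructed sample; not a real /etc/security/audit/events file.
SAMPLE_EVENTS = """\
* constructed sample for the validator below
auditpr:
        FILE_Open = printf "flags: %d mode: %o \\
                fd: %d filename: %s"
        PROC_Create = printf "forked child process %d"
        EXAMPLE_BadFormat = printf "user: %s tty: %s result: %f"
        EXAMPLE_NoTail =
        EXAMPLE_Program = /usr/local/bin/fmt_custom -i 4 verbose
"""


def parse_stanza_file(text):
    """Return {stanza_name: {attribute: value}} for an ASCII stanza file."""
    # First join backslash-continued physical lines into logical lines.
    logical, pending = [], ""
    for raw in text.splitlines():
        if pending:
            raw = pending + raw.lstrip()
            pending = ""
        if raw.rstrip().endswith("\\"):
            pending = raw.rstrip()[:-1]
            continue
        logical.append(raw)
    if pending:
        logical.append(pending)

    stanzas, current = {}, None
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped.startswith("*"):
            continue  # blank line or comment
        if stripped.endswith(":") and "=" not in stripped:
            current = stripped[:-1]  # stanza header, e.g. "auditpr:"
            stanzas[current] = {}
            continue
        if current is None or "=" not in stripped:
            raise ValueError(f"unexpected line outside a stanza: {line!r}")
        name, value = stripped.split("=", 1)
        stanzas[current][name.strip()] = value.strip()
    return stanzas


def check_format_command(command):
    """Return a list of problems with one FormatCommand; empty means valid."""
    if command == "":
        return []  # empty parameter: the event has no tail
    words = command.split(None, 1)
    if words[0] == "printf":
        rest = words[1].strip() if len(words) > 1 else ""
        if len(rest) < 2 or rest[0] != '"' or rest[-1] != '"':
            return ["printf Format must be a double-quoted string"]
        fmt = rest[1:-1]
        problems = []
        for m in CONVERSION_RE.finditer(fmt):
            if m.group(1) is None:
                snippet = fmt[m.start():m.start() + 3]
                problems.append(f"unknown conversion at offset {m.start()}: {snippet!r}")
        return problems
    # Otherwise the command must have the shape: Program -i n Arg ...
    parts = shlex.split(command)
    if len(parts) < 3 or parts[1] != "-i" or not parts[2].isdigit():
        return ["program form must be 'Program -i n Arg ...'"]
    return []


def check_events_file(text):
    """Return {event: [problems]} for every event whose format command is invalid."""
    stanzas = parse_stanza_file(text)
    if "auditpr" not in stanzas:
        raise ValueError("no auditpr stanza found")
    report = {}
    for event, command in stanzas["auditpr"].items():
        problems = check_format_command(command)
        if problems:
            report[event] = problems
    return report


if __name__ == "__main__":
    for event, problems in check_events_file(SAMPLE_EVENTS).items():
        for problem in problems:
            print(f"{event}: {problem}")
```

Run against the constructed sample, the validator reports only EXAMPLE_BadFormat, whose %f is not in the conversion table; the continued FILE_Open line is reassembled into a single format string before it is checked. To validate a live file, pass the contents of /etc/security/audit/events to check_events_file.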
Files
| Item | Description |
|---|---|
| /etc/security/audit/events | Specifies the path to the file. |
| /etc/security/audit/config | Contains information about audit system configuration. |
| /etc/security/audit/objects | Contains information about audited objects. |
| /etc/security/audit/bincmds | Contains auditbin backend commands. |
| /etc/security/audit/streamcmds | Contains auditstream commands. |