events File
Purpose
Contains information about system audit events.
Description
The /etc/security/audit/events file is an ASCII stanza file that contains information about audit events. The file contains just one stanza, auditpr, which lists all the audit events in the system. The stanza also contains formatting information that the auditpr command needs to write an audit tail for each event.
Each attribute in the stanza is the name of an audit event, with the following format:
AuditEvent = FormatCommand
The root users can edit the events file using the vi editor. The comments in an events file begin with an asterisk sign (*).
The format command can have the following parameters:
| Parameter | Description |
|---|---|
| (empty) | The event has no tail. |
| printf Format | The tail is formatted according to the string supplied for the Format parameter. The %x symbols within the string indicate places for the audit trail to supply data. |
| Program -i n Arg ... | The tail is formatted by the program specified by the Program parameter. The -i n parameter is passed to the program as its first parameter, indicating that the output is to be indented by n spaces. Other formatting information can be specified with the Arg parameter. The audit event name is passed as the last parameter. The tail is written to the standard input of the program. |
Audit Event Formatting Information
| Format | Description |
|---|---|
| %A | Formatted output is similar to the aclget command. |
| %c | Format a single byte as a character. |
| %D | Formatted as a device major and minor number. |
| %d | Formatted as a 32-bit signed decimal integer |
| %G | Formatted as a comma-separated list of group names or numerical identifiers. |
| %L | Formatted as a text string which describes the identity associated with an Internet socket and the socket itself. |
| %ld | Formatted as a 64-bit signed decimal integer |
| %lo | Formatted as a 64-bit octal value. |
| %lx | %lx Formatted as a 64-bit hexadecimal value. |
| %lX | Formatted as a 64-bit hexadecimal value with uppercase letters. |
| %o | Formatted as 32-bit octal integer. |
| %P | Formatted output is similar to the pclget command. |
| %S | Formatted as a text string which describes an Internet socket. |
| %s | Formatted as a text string. |
| %T | Formatted as a text string giving include date and time with 6 significant digits for the seconds DD Mmm YYYY HH:MM:SS:mmmuuu). |
| %u | Formatted as a 32-bit unsigned integer. |
| %x | Formatted as a 32-bit hexadecimal integer. |
| %X | Formatted as a 32-bit hexadecimal integer with upper case letters. |
| %% | A single '%' character. |
Security
Access Control: This file should grant read (r) access to the root user and members of the audit group, and grant write (w) access only to the root user.
Examples
To format the tail of an audit record for new audit events, such as FILE_Open and PROC_Create, add format specifications like the following to the auditpr stanza in the /etc/security/audit/events file:
auditpr:
FILE_Open = printf "flags: %d mode: %o \
fd: %d filename: %s"
PROC_Create = printf "forked child process %d"
Files
| Item | Description |
|---|---|
| /etc/security/audit/events | Specifies the path to the file. |
| /etc/security/audit/config | Contains audit system configuration information. |
| /etc/security/audit/objects | Contains information about audited objects. |
| /etc/security/audit/bincmds | Contains auditbin backend commands. |
| /etc/security/audit/streamcmds | Contains auditstream commands. |