When you create your own audit class, you can place into it just those audit events that you want to audit for your site. When you add the class on one system, you should copy the change to all systems that are being audited.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_class file.
# cp /etc/security/audit_class /etc/security/audit_class.orig
Add new entries to the audit_class file.
Each entry has the following format:
Identifies number as hexadecimal.
Defines the unique audit class mask.
Defines the letter name of the audit class.
Defines the descriptive name of the audit class.
The entry must be unique in the file. Do not use existing audit class masks.
This example creates a class to hold a small set of audit events. The added entry to the audit_class file is as follows:
The entry creates a new audit class that is called pf. Example 30–11 populates the new audit class.
If you have customized the audit_class file, make sure that any modifications to audit_user are consistent with the new audit classes. Errors occur when the audit classes in audit_user are not a subset of the audit_class database.