Audit Control (Process Preselection Mask)

The process preselection mask specifies the audit classes to be audited by the process. To set up the preselection mask to audit for third-party events, edit the /etc/security/audit_control flag parameter as follows to audit events in the example (ec) class for success and failure.

flags:ec

Settings in audit_control(4) are global to all users in the system. To make a setting specific to a user, edit the /etc/security/audit_user file (the Audit Users action) as follows:

zelda:ec

See the audit_control(4) and audit_user(4) man pages for more information on these files and settings. Log out and log back in for the newly defined process preselection mask to take effect. You could also use auditconfig(1M) with the -setpmask option to set the process preselection mask on any existing processes, but it is probably easier to set one of these files and log out and log back in once.