SunSHIELD Basic Security Module Guide

Prefixes to Modify Previously Set Audit Flags

Use the following prefixes in any of three ways: in the flags line in the audit_control file to modify already specified flags, in flags in the user's entry in the audit_user file, or with auditconfig (see the auditconfig(1M) man page).

The prefixes in the following table, combined with the short names of audit classes, turn on or turn off previously specified audit classes. They affect only flags that have already been specified.

Table 2-4 Prefixes Used to Modify Already-Specified Audit Flags

Prefix    Definition
------    ------------------------------------------------
^-        Turn off for failed attempts
^+        Turn off for successful attempts
^         Turn off for both failed and successful attempts

The ^- prefix is used in the flags line in the following example from an audit_control file.

In the sample screen below, the lo and ad flags specify that all logins and administrative operations are to be audited when they succeed and when they fail. The -all means audit "all failed events." Because the ^- prefix means "turn off auditing for the specified class for failed attempts," the ^-fc flag modifies the previous flag that specified auditing of all failed events; the two fields together mean "audit all failed events, except failed attempts to create file system objects."


flags:lo,ad,-all,^-fc
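
The evaluation described above can be checked mechanically. The following Python sketch is an added example, not part of the original guide or of the Solaris tools: it applies the flags left to right, as the explanation above describes, and reports for each class whether successful and failed events end up audited. The CLASSES tuple is an assumed illustrative subset of audit classes, and the function names are hypothetical.

```python
# Added example: evaluate an audit_control "flags" value left to right.
# CLASSES is an assumed subset for illustration; a real system defines more.
CLASSES = ("lo", "ad", "fc", "fd", "fr", "fw")

# prefix -> (turn_on, affects_success, affects_failure)
# "^-", "^+", "^" are the modifier prefixes from Table 2-4; "-", "+" and the
# bare class name are the ordinary prefixes (failure, success, both).
PREFIXES = {
    "^-": (False, False, True),
    "^+": (False, True, False),
    "^": (False, True, True),
    "-": (True, False, True),
    "+": (True, True, False),
    "": (True, True, True),
}


def split_flag(flag):
    """Return (prefix, class_name); longest prefixes are tried first."""
    for prefix in ("^-", "^+", "^", "-", "+"):
        if flag.startswith(prefix):
            return prefix, flag[len(prefix):]
    return "", flag


def effective_flags(line):
    """Map each class to {'success': bool, 'failure': bool} for a flags line."""
    value = line.strip()
    if value.startswith("flags:"):
        value = value[len("flags:"):]
    state = {c: {"success": False, "failure": False} for c in CLASSES}
    for raw in value.split(","):
        flag = raw.strip()
        if not flag:
            continue
        prefix, name = split_flag(flag)
        if name != "all" and name not in state:
            raise ValueError("unknown audit class: %r" % name)
        targets = CLASSES if name == "all" else (name,)
        turn_on, on_success, on_failure = PREFIXES[prefix]
        for cls in targets:
            if on_success:
                state[cls]["success"] = turn_on
            if on_failure:
                state[cls]["failure"] = turn_on
    return state


if __name__ == "__main__":
    for cls, st in effective_flags("flags:lo,ad,-all,^-fc").items():
        print("%-3s success=%-5s failure=%s" % (cls, st["success"], st["failure"]))
```

Running it on the sample line shows the coverage gap that ^-fc creates: fc is the only class in the subset with failed events unaudited, which is worth confirming whenever a ^ prefix appears in a reviewed audit_control file.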