|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library|
Oracle Solaris defines audit classes as convenient containers for large numbers of audit events.
You can reconfigure audit classes and make new audit classes. Audit class names can be up to 8 characters in length. The class description is limited to 72 characters. Numeric and non-alphanumeric characters are allowed. For more information, see the audit_class(4) man page and How to Add an Audit Class.
Events in an audit class can be audited for success, for failure, and for both.
Without a prefix, a class of events is audited for success and for failure.
With a plus (+) prefix, a class of events is audited for success only.
With a minus (-) prefix, a class of events is audited for failure only.
With a caret (^) preceding a prefix or an audit flag, a current preselection is modified. For example,
If ot is preselected for the system, and a user's preselection is ^ot, that user is not audited for events in the other class.
If +ot is preselected for the system, and a user's preselection is ^+ot, that user is not audited for successful events in the other class.
If -ot is preselected for the system, and a user's preselection is ^-ot, that user is not audited for failed events in the other class.
To review the syntax of audit class preselection, see the audit_flags(5) man page.
The audit classes and their prefixes can be specified in the following commands:
As arguments to the auditconfig command options -setflags and -setnaflags.
As values for the p_flags attribute to the audit_syslog plugin. You specify the attribute as an option to the auditconfig -setplugin audit_syslog active command.
As values for the -always_audit and -never_audit properties of the profiles command.