- audit preselection flags
Audit flags specify which audit classes are to be audited for a process. Audit classes are defined in the audit_class(4) file and group together like audit events as defined in the audit_event(4) file. The default Solaris system-wide audit flags are configured as part of the audit service using auditconfig(1M). Additional per-user or per-role audit flags may be configured in the user_attr(4) database or in the profiles granted to the user by the audit_flags=always-audit-flags:never-audit-flags keyword. The audit flags of a process are called the preselection mask. The preselection mask is set at login and role assumption time by combining the default Solaris system-wide audit flags with the per-user audit flags (default flags + always-audit-flags) - never-audit-flags.
Audit flags are specified as a character string representing the audit class names to be audited. Each flag identifies an audit class and is separated by a comma (“,”) from others in the string. An audit class name preceded by “-” means that the class should be audited for failure only; successful attempts are not audited. An audit class name preceded by “+” means that the class should be audited for success only; failed attempts are not audited. Without a prefix, the audit class name indicates that the class is to be audited for both successes and failures. The special string “all” indicates that all audit events are to be audited; “-all” indicates that all failed attempts are to be audited and “+all” indicates that all successful attempts are to be audited. The prefixes “^”, “^-” and “^+” turn off flags specified earlier in the string (^- and ^+ for failed and successful attempts respectively, ^ for both). They are typically used to reset flags. The special string “no” indicates no audit events are to be audited.
例 1 Preselect to audit for successful and failed “lo” (login/logout), “am” (administration) audit events and all failed audit events except for failed “fm” (file attribute modify) events.
例 2 Preselect to audit for successful and failed “lo” (login/logout), “as” (system-wide administration) and failed “fm” (file attribute modify) events.