Audit Classes
Oracle Solaris defines audit classes as convenient containers for large numbers of audit events.
You can reconfigure audit classes and make new audit classes. Audit class names can be up to 8 characters in length. The class description is limited to 72 characters. Numeric and non-alphanumeric characters are allowed. For more information, see the audit_class(4) man page and How to Add an Audit Class.
 | Caution - The all class can generate large amounts of data and quickly fill disks. Use the all class only if you have extraordinary reasons to audit all activities. |
Audit Class Syntax
Without a prefix, a class of events is audited for success and for failure.
With a plus (+) prefix, a class of events is audited for success only.
With a minus (-) prefix, a class of events is audited for failure only.
To modify a current preselection, add a caret (^) preceding a prefix or an audit flag. For example:
If ot is preselected for the system, and a user's preselection is ^ot, that user is not audited for events in the other class.
If +ot is preselected for the system, and a user's preselection is ^+ot, that user is not audited for successful events in the other class.
If -ot is preselected for the system, and a user's preselection is ^-ot, that user is not audited for failed events in the other class.
Events in an audit class can be audited for success, for failure, and for both.
To review the syntax of audit class preselection, see the audit_flags(5) man page.
As arguments to the auditconfig command options –setflags and –setnaflags.
As values for the p_flags attribute to the audit_syslog plugin. You specify the attribute as an option to the auditconfig -setplugin audit_syslog active command.
As values for the –K audit_flags=always-audit-flags:never-audit-flags option to the useradd, usermod, roleadd, and rolemod commands.
As values for the –always_audit and –never_audit properties of the profiles command.
The audit classes and their prefixes can be specified in the following commands: