How to Prevent the Auditing of Certain <meta http-equiv="refresh" content="0;url='http://www.oracle.com/pls/topic/lookup?ctx=solaris11'"> Events (System Administration Guide: Security Services)

System Administration Guide: Security Services

How to Prevent the Auditing of Certain Events

For maintenance purposes, sometimes a site wants to prevent audit events from being audited.

Change the class of the event to the no class.

For example, events 26 and 27 belong to the pm class.
## audit_event file ... 25:AUE_VFORK:vfork(2):ps 26:AUE_SETGROUPS:setgroups(2):pm 27:AUE_SETPGRP:setpgrp(2):pm 28:AUE_SWAPON:swapon(2):no ...
Change these events to the no class.
## audit_event file ... 25:AUE_VFORK:vfork(2):ps 26:AUE_SETGROUPS:setgroups(2):no 27:AUE_SETPGRP:setpgrp(2):no 28:AUE_SWAPON:swapon(2):no ...
If the pm class is currently being audited, existing sessions will still audit events 26 and 27. To stop these events from being audited, you must update the users' preselection masks.

Caution –
Never comment out events in the audit_event file. This file is used by the praudit command to read binary audit files. Archived audit files might contain events that are listed in the file.

To update the preselection masks of users, follow the instructions in How to Modify a User's Preselection Mask.

© 2010, Oracle Corporation and/or its affiliates