Trusted Solaris Audit Administration

To Add Audit Events

  1. As role secadmin, at label admin_low, add audit events in the audit_event(4) file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Events action.

  2. Add the events you planned in "Planning a Site-Specific Event-to-Class Mapping", write the file, and exit the editor.

    For events in more than one class, use a comma (no space) to delimit the classes.


    Note -

    Third-party applications can use the event numbers 32768 through 65536 only. See Table 1-1 for more information.


  3. Make any changes to audit_control(4) and audit_user(4) to audit the events in the new classes.

    See "To Set Audit Flags" and "To Set User Exceptions to the Audit Flags" for details of the procedures.


    Note -

    On a distributed system, the audit_class, audit_event, audit_startup, and audit_user files must be identical on every workstation on the network. See "To Distribute Audit Configuration Files to a Network of Workstations" for a process to distribute master copies of files to all workstations on the network.


  4. Reboot, or as secadmin in an admin_low profile shell, run the auditconfig(1M) command with appropriate options.

    In the following example, the audit session ID is 159, and the new events are in the classes gr (for graphic applications) and db (for database applications).


    $ auditconfig -setsmask 159 gr,db
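
A pre-check for the entries added in step 2, as an added example that is not part of the original Trusted Solaris documentation: it reports event numbers outside 32768 through 65536, reused numbers, class lists that are empty or contain a space, and classes missing from a list the caller supplies. It assumes the new lines are kept in a separate fragment file, use the number:name:description:flags layout of audit_event(4), and have no colon in the description; the function name, event names and sample entries are constructed.

```shell
# Added example: lint a fragment of site-specific audit_event(4) entries.
# Usage: check_audit_event FRAGMENT CLASSES
#   FRAGMENT  file holding only the new lines (number:name:description:flags)
#   CLASSES   comma-separated class names the site defined, e.g. gr,db
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_audit_event() {
    awk -F: -v classes="$2" '
    BEGIN {
        n = split(classes, c, ",")
        for (i = 1; i <= n; i++) known[c[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
    NF != 4 {
        printf "line %d: expected number:name:description:flags\n", NR
        bad = 1; next
    }
    {
        # Third-party events must use 32768 through 65536, each number once.
        if ($1 !~ /^[0-9]+$/ || $1 + 0 < 32768 || $1 + 0 > 65536) {
            printf "line %d: event number %s outside 32768-65536\n", NR, $1; bad = 1
        } else if ($1 in seen) {
            printf "line %d: event number %s already used on line %d\n", NR, $1, seen[$1]; bad = 1
        } else seen[$1] = NR
        # Multiple classes are delimited by a comma with no space.
        if ($4 == "" || $4 ~ /[ \t]/) {
            printf "line %d: class list \"%s\" is empty or contains a space\n", NR, $4; bad = 1
            next
        }
        m = split($4, f, ",")
        for (i = 1; i <= m; i++)
            if (!(f[i] in known)) {
                printf "line %d: class \"%s\" is not in the supplied class list\n", NR, f[i]; bad = 1
            }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample fragment (not from the original page).
sample=$(mktemp)
cat > "$sample" <<'EOF'
32768:AUE_site_draw:site drawing tool start:gr
32769:AUE_site_query:site database query:gr,db
32770:AUE_site_export:site database export:gr, db
2048:AUE_site_low:below the third-party range:db
32769:AUE_site_dup:reuses an event number:xx
EOF
check_audit_event "$sample" gr,db || echo "fix the entries above before editing audit_event"
rm -f "$sample"
```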