The specifications for auditing at a site are stored in these configuration files, which reside in the /etc/security subdirectory:
audit_control(4)--stores audit control information used by the audit daemon, including the preferred order of directories where audit information is stored (the audit daemon uses a directory until the minimum free space warning limit is reached, at which point it stores audit records in the next directory in the list), minimum free space warning limit, system-wide audit flags indicating classes to be audited, and special audit flags for events that cannot be attributed to specific users. The audit flags set in this file are applied to all users. Any exceptions to these flags are set on a per-user basis and specified in the audit_user file, which is modified using the User Accounts tool in SMC.
audit_user(4)--stores auditing criteria for users who are exceptions to the auditing specifications in audit_control. This information includes user name, events that are always to be audited, and events that are never to be audited.
audit_class(4)--stores audit class definitions, including the class mask (that is, the filter that determines which classes are to be tracked), class name, and description.
audit_event(4)--stores audit event information, including event number, event name, description, and audit flags identifying the audit class.
If you are setting up auditing for a network, identical versions of the audit_class and audit_event files must be present on each workstation. Use the SMC to update the audit_user site-wide NIS maps and NIS+ tables.
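
The following added example (not part of the original documentation) shows how the audit_control and audit_user entries described above combine: it computes one user's effective audit mask as (system-wide flags + always-audit) - never-audit, and picks the audit directory in use from the preference order and the minimum free space limit. It assumes the keyword syntax given in the audit_control(4) and audit_user(4) man pages; the sample file contents, user names and free-space figures are constructed, the `^` prefix and the `all` class are not handled, and directory selection is simplified to what the text above describes.

```python
# Constructed sample contents (not taken from a real site).
AUDIT_CONTROL = """\
dir:/var/audit/primary
dir:/var/audit/secondary
flags:lo,-fw
minfree:20
naflags:lo
"""
AUDIT_USER = """\
# user:always-audit:never-audit
root:lo,ad:no
jdoe:fw:lo
"""

def _lines(text):
    """Return the non-blank, non-comment lines of a config file."""
    return [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")]

def parse_control(text):
    """audit_control -> ordered dir list, flags, naflags, minfree percentage."""
    cfg = {"dir": [], "flags": "", "naflags": "", "minfree": 0}
    for line in _lines(text):
        key, _, value = line.partition(":")
        if key == "dir":
            cfg["dir"].append(value)      # order in the file is the preference order
        elif key == "minfree":
            cfg["minfree"] = int(value)
        elif key in ("flags", "naflags"):
            cfg[key] = value
    return cfg

def expand(flags):
    """'lo,-fw' -> {('lo','success'), ('lo','failure'), ('fw','failure')}."""
    out = set()
    for f in (x.strip() for x in flags.split(",")):
        if f in ("", "no"):               # 'no' selects no class
            continue
        outcomes = {"+": ["success"], "-": ["failure"]}.get(f[0], ["success", "failure"])
        out |= {(f.lstrip("+-"), o) for o in outcomes}
    return out

def user_mask(control, audit_user_text, user):
    """Effective mask: (system-wide flags + always-audit) - never-audit."""
    mask = expand(control["flags"])
    for line in _lines(audit_user_text):
        name, always, never = line.split(":")
        if name == user:
            mask = (mask | expand(always)) - expand(never)
    return mask

def active_dir(control, free_pct):
    """First listed directory whose free space is still above minfree, else None."""
    return next((d for d in control["dir"] if free_pct[d] > control["minfree"]), None)
```

A user with no audit_user entry gets the system-wide flags unchanged, which makes the per-user file a place to review for entries that silently remove classes from an account's audit trail.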