Audit Flag Syntax
Depending on the prefixes, a class of events can be audited whether it succeeds or fails, or only if it succeeds or only if it fails. The format of the audit flag is shown here.
prefixflag -lo # audit for failure +lo # audit for success lo # audit for success and failure
The audit flag +lo means “all successful attempts to log in and log out”. The audit flag -lo means “all failed attempts to log in”. (You cannot fail an attempt to logout.). The audit flag lo means “all successful attempts to log in and log out and all failed attempts to log in”.
Note –
The audit class xs should not be audited for failure. Failures will place a lot of noise in the audit trail. The correct audit flag syntax would be +xs. See the audit_class(4) file for more information on X server audit classes.
For another example, the +all flag refers to all successful attempts of any kind.
Caution – The all flag can generate large amounts of data and fill up audit file systems quickly, so use it only if you have extraordinary reasons to audit everything.
The following table shows prefixes that specify whether the audit class is audited for success or failure or both.
Table 1–2 Prefixes Used in Audit Flags|
Prefix |
Definition |
|---|---|
|
none |
Audit for both success and failure |
|
+ |
Audit for success only |
|
- |
Prefixes to Modify Previously Set Audit Flags
Use the modification prefixes in any of three ways: in the flags line in the audit_control(4) file to modify already-specified flags, as flags in the user's entry in the audit_user(4) file, or as arguments to the auditconfig(1M) command.
The prefixes in Table 1–3 along with audit flags, turn on or turn off previously specified audit classes. These prefixes turn on or off previously specified flags only.
Table 1–3 Prefixes Used to Modify Already-Specified Audit Flags|
Prefix |
Definition |
|---|---|
|
^- |
Turn off for failed attempts |
|
^+ |
Turn off for successful attempts |
|
^ |
Turn off for both failed and successful attempts |
The ^- prefix is used in the flags line in the following example from an audit_control file.
flags:lo,ad,-all,^-fc
- © 2010, Oracle Corporation and/or its affiliates