System Administration Guide: Security Services

Audit Class Syntax

Events can be audited for success, for failure, or for both. Without a prefix, a class of events is audited for success and for failure. With a plus (+) prefix, a class of events is audited for success only. With a minus (-) prefix, a class of events is audited for failure only. The following table shows some possible representations of audit classes.

Table 31–2 Plus and Minus Prefixes to Audit Classes

| [prefix]class | Explanation |
|---|---|
| lo | Audit all successful attempts to log in and log out, and all failed attempts to log in. A user cannot fail an attempt to log out. |
| +lo | Audit all successful attempts to log in and log out. |
| -all | Audit all failed events. |
| +all | Audit all successful events. |


Caution – The all class can generate large amounts of data and quickly fill audit file systems. Use the all class only if you have extraordinary reasons to audit all activities.


Audit classes that were previously selected can be further modified by a caret prefix, ^. The following table shows how the caret prefix modifies a preselected audit class.

Table 31–3 Caret Prefix That Modifies Already-Specified Audit Classes

| ^[prefix]class | Explanation |
|---|---|
| -all,^-fc | Audit all failed events, except do not audit failed attempts to create file objects. |
| am,^+aa | Audit all administrative events for success and for failure, except do not audit successful attempts to administer auditing. |
| am,^ua | Audit all administrative events for success and for failure, except do not audit user administration events. |

The audit classes and their prefixes can be used in the following files and commands:

See audit_control File for an example of using the prefixes in the audit_control file.
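The prefix rules in Tables 31–2 and 31–3 can be checked with a small evaluator. This is an added example, not code from the guide or from the audit service. The bit values, the modelling of am as ua plus aa, the left-to-right evaluation order, and the names preselect and is_audited are assumptions made for illustration.

```python
# Constructed class table: the bit values are illustrative, not taken from a
# system's audit_class file. am is modelled as ua|aa, the two members that
# the tables on this page mention.
CLASSES = {"lo": 0x01, "fc": 0x02, "ua": 0x04, "aa": 0x08}
CLASSES["am"] = CLASSES["ua"] | CLASSES["aa"]
CLASSES["all"] = 0x0F


def preselect(flags):
    """Return (success_mask, failure_mask) for a comma-separated flag string.

    Assumption: entries are applied left to right, so a ^ entry only removes
    what an earlier entry selected.
    """
    success = failure = 0
    for raw in flags.split(","):
        entry = raw.strip()
        if not entry:
            continue
        remove = entry.startswith("^")
        name = entry[1:] if remove else entry
        on_success = on_failure = True  # no +/- prefix: both outcomes
        if name.startswith("+"):
            on_failure, name = False, name[1:]
        elif name.startswith("-"):
            on_success, name = False, name[1:]
        if name not in CLASSES:
            raise ValueError(f"unknown audit class in {raw!r}")
        mask = CLASSES[name]
        if on_success:
            success = success & ~mask if remove else success | mask
        if on_failure:
            failure = failure & ~mask if remove else failure | mask
    return success, failure


def is_audited(flags, audit_class, succeeded):
    """True if an event of audit_class with this outcome is preselected."""
    success, failure = preselect(flags)
    return bool((success if succeeded else failure) & CLASSES[audit_class])


if __name__ == "__main__":
    # Flag strings from the two tables, plus one reordered string.
    for flags in ("lo", "+lo", "-all,^-fc", "am,^+aa", "am,^ua", "^-fc,-all"):
        s, f = preselect(flags)
        print(f"{flags:10} success={s:04b} failure={f:04b}")
```

Under the ordering assumption, the reordered string ^-fc,-all leaves failed file creation audited, because the caret entry has nothing to remove when it is evaluated.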