The Solaris OS can audit all logins, independent of source.
Audit the lo class for attributable and for non-attributable events.
This class audits logins, logouts, and screen locks.
## audit_control file flags:lo naflags:lo ... |
To audit ssh logins, your Solaris system must be running the Solaris ssh daemon. This daemon is modified for Solaris auditing. For more information, see Solaris Secure Shell and the OpenSSH Project.