Use the following prefixes in any of three ways:

- In the flags line in the audit_control file to modify already specified flags
- In the flags field in the user's entry in the audit_user file
- With arguments to the auditconfig command. See the auditconfig(1M) man page.

The prefixes in the following table, along with the short names of audit classes, turn on or turn off previously specified audit classes.

Table 25–4 Prefixes Used to Modify Already-Specified Audit Flags

| Prefix | Definition |
|---|---|
| ^- | Turn off for failed attempts |
| ^+ | Turn off for successful attempts |
| ^ | Turn off for both failed and successful attempts |

The ^- prefix is used in the flags line in the following example from an audit_control file.
In the following example, the lo and ad flags specify that all logins and administrative operations are to be audited when they succeed and when they fail. The -all means audit “all failed events.” Because the ^- prefix means “turn off auditing for the specified class for failed attempts,” the ^-fc flag modifies the previous flag that specified the auditing of all failed events. The two fields together mean: “audit all failed events, except for failed attempts to create file system objects.”

flags:lo,ad,-all,^-fc
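
To check what a flags value resolves to for each class, the following added example (not part of the original documentation or of Solaris itself) applies the flags in order and reports the resulting success and failure settings. It assumes flags are applied left to right and that `+` and `-` select success only and failure only; the `CLASSES` list is a small illustrative subset, and `effective_flags` and `describe` are hypothetical helper names.

```python
# Added example: models how a flags value resolves to per-class audit settings.
# CLASSES is a small illustrative subset; only lo, ad and fc appear on the page.
CLASSES = ("fr", "fw", "fc", "fd", "lo", "ad")


def effective_flags(line):
    """Return {class: (audit_success, audit_failure)} for a flags value.

    Assumption: flags are applied left to right, so a ^ prefix modifies
    whatever earlier flags already turned on.
    """
    value = line.strip()
    if value.startswith("flags:"):
        value = value[len("flags:"):]
    state = {c: [False, False] for c in CLASSES}
    for raw in value.split(","):
        flag = raw.strip()
        if not flag:
            continue
        turn_off = flag.startswith("^")   # ^, ^+ and ^- clear bits
        if turn_off:
            flag = flag[1:]
        sign = flag[0] if flag[:1] in ("+", "-") else ""
        name = flag[len(sign):]
        if name != "all" and name not in state:
            raise ValueError(f"unknown audit class in {raw!r}")
        for cls in (CLASSES if name == "all" else (name,)):
            if sign in ("", "+"):          # success side
                state[cls][0] = not turn_off
            if sign in ("", "-"):          # failure side
                state[cls][1] = not turn_off
    return {c: tuple(v) for c, v in state.items()}


def describe(line):
    """One readable line per class, for reviewing an audit_control entry."""
    words = {(True, True): "success+failure", (True, False): "success only",
             (False, True): "failure only", (False, False): "not audited"}
    return [f"{c}: {words[v]}" for c, v in effective_flags(line).items()]


if __name__ == "__main__":
    print("\n".join(describe("flags:lo,ad,-all,^-fc")))
```

For the example line, `fc` ends up not audited at all, while every other class outside `lo` and `ad` is audited on failure only.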