Audit flags specify which audit classes are to be audited for a process. Audit classes are defined in the audit_class(4) file and group together like audit events as defined in the audit_event(4) file. The default Solaris system-wide audit flags are configured as part of the audit service using auditconfig(1M). Additional per-user or per-role audit flags may be configured in the user_attr(4) database or in the profiles granted to the user by the audit_flags=always-audit-flags:never-audit-flags keyword. The audit flags of a process are called the preselection mask. The preselection mask is set at login and role assumption time by combining the default Solaris system-wide audit flags with the per-user audit flags (default flags + always-audit-flags) - never-audit-flags .
Audit flags are specified as a character string representing the audit class names to be audited. Each flag identifies an audit class and is separated by a comma (,) from others in the string. An audit class name preceded by - means that the class should be audited for failure only; successful attempts are not audited. An audit class name preceded by + means that the class should be audited for success only; failed attempts are not audited. Without a prefix, the audit class name indicates that the class is to be audited for both successes and failures. The special string “all” indicates that all audit events are to be audited; -all indicates that all failed attempts are to be audited and +all indicates that all successful attempts are to be audited. The prefixes ^, ^- and ^+ turn off flags specified earlier in the string (^- and ^+ for failed and successful attempts respectively, ^ for both). They are typically used to reset flags. The special string no indicates no audit events are to be audited.
lo,am,-all,^-fmExample 2 Preselect to audit for successful and failed “lo” (login/logout), “as” (system-wide administration) and failed “fm” (file attribute modify) events.