Each audit event belongs to an audit class. Audit classes are convenient containers for large numbers of audit events. When you preselect a class to be audited, all the events in that class are recorded in the audit queue. For example, when you preselect the ps audit class, execve(), fork(), and other system calls are recorded.
You can preselect for events on a system and for events initiated by a particular user.
User-specific preselection – Specify differences from the system-wide auditing defaults for individual users by configuring the audit flags for the user. The useradd, roleadd, usermod, and rolemod commands place the audit_flags security attribute in the user_attr database. The profiles command places audit flags for rights profiles in the prof_attr database.
The audit preselection mask determines which classes of events are audited for a user. For a description of the user preselection mask, see Process Audit Characteristics. For the configured audit flags that are used, see Order of Search for Assigned Rights in Securing Users and Processes in Oracle Solaris 11.2 .
Audit classes are defined in the /etc/security/audit_class file. Each entry contains the audit mask for the class, the name for the class, and a descriptive name for the class. For example, the lo and ps class definitions appear in the audit_class file as follows:
0x0000000000001000:lo:login or logout 0x0000000000100000:ps:process start/stop
The audit classes include the two global classes: all and no. The audit classes are described in the audit_class(4) man page. For the list of classes, read the /etc/security/audit_class file.
The mapping of audit events to classes is configurable. You can remove events from a class, add events to a class, and create a new class to contain selected events. For the procedure, see How to Change an Audit Event's Class Membership. To view the events that are mapped to a class, use the auditrecord -c class command.