Managing Auditing in Oracle® Solaris 11.2


Updated: July 2014
 
 

Audit Class Syntax

Events in an audit class can be audited for success, for failure, or for both.

  • Without a prefix, a class of events is audited for success and for failure.

  • With a plus (+) prefix, a class of events is audited for success only.

  • With a minus (-) prefix, a class of events is audited for failure only.

  • To modify a current preselection, add a caret (^) preceding a prefix or an audit flag. For example:

    • If ot is preselected for the system, and a user's preselection is ^ot, that user is not audited for events in the other class.

    • If +ot is preselected for the system, and a user's preselection is ^+ot, that user is not audited for successful events in the other class.

    • If -ot is preselected for the system, and a user's preselection is ^-ot, that user is not audited for failed events in the other class.

To review the syntax of audit class preselection, see the audit_flags(5) man page.
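
The prefix rules above, as an added example that is not part of the Oracle documentation: a small Python model that computes which outcomes of each class remain preselected for a user. It assumes the user's flags are applied in order on top of the system-wide flags and treats class names as opaque tokens (meta-classes are not expanded); it goes beyond the three listed cases by also handling partial removal such as ^+ot against ot. The function names are hypothetical.

```python
"""Added example: model of audit class prefixes (not Oracle code)."""

SUCCESS, FAILURE = "success", "failure"


def parse_flag(raw):
    """Split one audit flag into (clear, outcomes, class_name)."""
    flag = raw.strip()
    # A leading caret removes outcomes from the current preselection.
    clear = flag.startswith("^")
    if clear:
        flag = flag[1:]
    if flag.startswith("+"):        # success only
        outcomes, name = {SUCCESS}, flag[1:]
    elif flag.startswith("-"):      # failure only
        outcomes, name = {FAILURE}, flag[1:]
    else:                           # no prefix: success and failure
        outcomes, name = {SUCCESS, FAILURE}, flag
    # Assumption: class names are plain alphanumeric tokens such as "ot".
    if not name.isalnum():
        raise ValueError(f"malformed audit flag: {raw!r}")
    return clear, outcomes, name


def apply_flags(mask, flags):
    """Return a new {class: outcomes} mask after a comma-separated flag list."""
    result = {name: set(outcomes) for name, outcomes in mask.items()}
    for raw in filter(None, (f.strip() for f in flags.split(","))):
        clear, outcomes, name = parse_flag(raw)
        current = result.setdefault(name, set())
        if clear:
            current -= outcomes     # ^, ^+ or ^- : stop auditing these outcomes
        else:
            current |= outcomes     # plain flag: start auditing these outcomes
        if not current:
            del result[name]        # nothing left to audit for this class
    return result


def effective(system_flags, user_flags):
    """Assumed model: system-wide flags first, then the user's flags."""
    return apply_flags(apply_flags({}, system_flags), user_flags)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    print(effective("lo,ot", "^-ot,+fw"))
```
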

The audit classes and their prefixes can be specified in the following commands:

  • As arguments to the auditconfig command options -setflags and -setnaflags.

  • As values for the p_flags attribute to the audit_syslog plugin. You specify the attribute as an option to the auditconfig -setplugin audit_syslog active command.

  • As values for the -K audit_flags=always-audit-flags:never-audit-flags option to the useradd, usermod, roleadd, and rolemod commands.

  • As values for the -always_audit and -never_audit properties of the profiles command.