Events in an audit class can be audited for success, for failure, and for both.
Without a prefix, a class of events is audited for success and for failure.
With a plus (+) prefix, a class of events is audited for success only.
With a minus (-) prefix, a class of events is audited for failure only.
To modify a current preselection, add a caret (^) preceding a prefix or an audit flag. For example:
If ot is preselected for the system, and a user's preselection is ^ot, that user is not audited for events in the other class.
If +ot is preselected for the system, and a user's preselection is ^+ot, that user is not audited for successful events in the other class.
If -ot is preselected for the system, and a user's preselection is ^-ot, that user is not audited for failed events in the other class.
To review the syntax of audit class preselection, see the audit_flags(5) man page.
The audit classes and their prefixes can be specified in the following commands:
As arguments to the auditconfig command options –setflags and –setnaflags.
As values for the p_flags attribute to the audit_syslog plugin. You specify the attribute as an option to the auditconfig -setplugin audit_syslog active command.
As values for the –K audit_flags=always-audit-flags:never-audit-flags option to the useradd, usermod, roleadd, and rolemod commands.
As values for the –always_audit and –never_audit properties of the profiles command.