The following audit characteristics are set at initial login:
Process preselection mask – A combination of the system-wide audit mask and the user-specific audit mask, if a user audit mask has been specified. When a user logs in, the login process combines the preselected classes to establish the process preselection mask for the user's processes. The process preselection mask specifies the events that generate audit records.
In addition, as described in the audit_flags(7) man page, the preselection can specify auditing only successful events, auditing only failed events, or auditing all events.
The following algorithm describes how the system obtains the user's process preselection mask:
(system-wide default flags + always-audit-classes) - never-audit-classes
Add the system-wide audit classes from the results of the auditconfig -getflags command to the classes from the always-audit-classes value for the user's always_audit keyword. Then, from the total, subtract the classes from the user's never-audit-classes. See also the audit_flags(7) man page.
Audit user ID – A process acquires an immutable audit user ID (auid) when the user logs in. This ID is inherited by all child processes that were started by the user's initial process. The audit user ID helps enforce accountability. Even after a user assumes a role, the audit user ID remains the same. The audit user ID that is saved in each audit record enables you to always trace actions back to the login user.
Terminal ID – For a local login, the terminal ID consists of the local system's IP address, followed by a device number that identifies the physical device on which the user logged in. Most often, the login is through the console. The number that corresponds to the console device is 0,0. For a remote login, the terminal ID consists of a the remote host's IP address followed by the remote port number and the local port number.