You can preselect audit classes that contain the events that you want to monitor. Events that are not in preselected classes are not recorded.
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
$ pfbash ; auditconfig -getflags ...
$ auditconfig -getnaflags ,,,
For an explanation of the output, see Displaying Audit Service Defaults.
For example, the following command audits the events in the login/logout, process start/stop, and file write classes for success and for failure.
$ auditconfig -setflags lo,ps,fw user default audit flags = ps,lo,fw(0x101002,0x101002)
The na class contains PROM, boot, and non-attributable mounts, among other events.
$ auditconfig -setnaflags lo,na non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only useful arguments to the –setnaflags option.