You can also customize auditing to apply to users or profiles rather than to the entire system. Audit class preselections for each user are specified by the audit_flags security attribute. These user-specific values, plus the preselected classes for the system, determine the user's audit mask, as described in Process Audit Characteristics.
By preselecting classes on a per-user basis rather than on a per-system basis, you can sometimes reduce the impact of auditing on system performance. Also, you might want to audit specific users slightly differently from the system.
To configure auditing that applies to users or profiles, you use the following commands:
userattr displays the audit_flags value that is set for users. By default, users are audited for the system-wide settings only.
usermod -K sets flags that apply to users.
profiles sets flags that apply to profiles.
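The following added example (not part of the original documentation) models how a user's audit_flags value combines with the system-wide preselected classes to produce the user's audit mask. It assumes the audit_flags form always-audit:never-audit and the combination rule (system classes + always-audit) - never-audit; the function names and the sample flag values are constructed for illustration.

```python
# Added example: models the rule (system classes + always-audit) - never-audit.
# The ^ prefix and the "all" class are not modelled and are rejected.
SUCCESS, FAILURE = 1, 2
PREFIX = {SUCCESS: "+", FAILURE: "-", SUCCESS | FAILURE: ""}

def parse_classes(spec):
    """Parse 'lo,+fw,-ex' into {class: bits}; 'no' means no classes."""
    mask = {}
    for token in (t.strip() for t in spec.split(",")):
        if token in ("", "no"):
            continue
        if token[0] == "+":          # successful events only
            bits, name = SUCCESS, token[1:]
        elif token[0] == "-":        # failed events only
            bits, name = FAILURE, token[1:]
        else:                        # both successful and failed events
            bits, name = SUCCESS | FAILURE, token
        if not name.isalpha() or name == "all":
            raise ValueError(f"unsupported audit class token: {token!r}")
        mask[name] = mask.get(name, 0) | bits
    return mask

def user_audit_mask(system_flags, audit_flags):
    """Combine system-wide classes with a user's always:never audit_flags."""
    always_spec, sep, never_spec = audit_flags.partition(":")
    if not sep:
        raise ValueError("audit_flags must have the form always:never")
    system, always, never = map(parse_classes,
                                (system_flags, always_spec, never_spec))
    mask = {}
    for name in set(system) | set(always):
        # never-audit bits are removed last, so they override both sources
        bits = (system.get(name, 0) | always.get(name, 0)) & ~never.get(name, 0)
        if bits:
            mask[name] = bits
    return mask

def format_mask(mask):
    """Render a mask back into flag syntax, sorted by class name."""
    return ",".join(PREFIX[b] + n for n, b in sorted(mask.items())) or "no"

if __name__ == "__main__":
    # Constructed sample values: the system preselects lo; three user settings.
    for flags in ("fw:no", "+fw:no", "no:-lo"):
        result = format_mask(user_audit_mask("lo", flags))
        print(f"audit_flags={flags:8} -> {result}")
```

Because the never-audit field is applied last, it can narrow what the system-wide setting would otherwise record for that user, so review it as carefully as the always-audit field.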