The admhist command uses a new pe audit class that automatically tracks, through the lifetime of a process, the successful use of privilege. The audit record shows the privileges that enabled the process to change the system's configuration.
By default, only successful use of privilege is monitored.
To include failed use of privilege in your audit reports, use the following auditconfig subcommands to modify which privileges are monitored and whether to monitor success or failure:
–setfprivs – Sets the privileges to monitor for failure
–setsprivs – Sets the privileges to monitor for success
–getfprivs – Displays the privileges to monitor for failed use
–getsprivs – Displays the privileges to monitor for successful use
$ auditconfig -setsprivs privileges -t
Similarly, to display only the temporary settings, add –t to the getsprivs or getfprivs options.
To add specific privileges to the existing settings, include a plus as follows:
...setsprivs +privileges
To remove specific privileges, include a minus as follows:
...setsprivs -privileges
Use the following command to view successful events and failed events that you are auditing with pe:
$ auditreduce -m AUE_CMD_PRIVS | praudit
For more information, see the auditconfig(8) and auditreduce(8) man pages.