Current File : //usr/man/man5/audit_flags.5

'\" te
.\" Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
.TH audit_flags 5 "5 Jan 2012" "SunOS 5.11" "Standards, Environments, and Macros"
.SH NAME
audit_flags \- audit preselection flags
.SH DESCRIPTION
.sp
.LP
Audit flags specify which audit classes are to be audited for a process. Audit classes are defined in the \fBaudit_class\fR(4) file and group together like audit events as defined in the \fBaudit_event\fR(4) file. The default Solaris system-wide audit flags are configured as part of the audit service using \fBauditconfig\fR(1M). Additional per-user or per-role audit flags may be configured in the \fBuser_attr\fR(4) database or in the profiles granted to the user by the \fIaudit_flags\fR=\fIalways-audit-flags\fR:\fInever-audit-flags\fR keyword. The audit flags of a process are called the preselection mask. The preselection mask is set at login and role assumption time by combining the default Solaris system-wide audit flags with the per-user audit flags (default flags \fB+\fR \fIalways-audit-flags\fR) \fB-\fR \fInever-audit-flags\fR.
.sp
.LP
Audit flags are specified as a character string representing the audit class names to be audited. Each flag identifies an audit class and is separated by a comma (\fB,\fR) from others in the string. An audit class name preceded by \fB-\fR means that the class should be audited for failure only; successful attempts are not audited. An audit class name preceded by \fB+\fR means that the class should be audited for success only; failed attempts are not audited. Without a prefix, the audit class name indicates that the class is to be audited for both successes and failures. The special string "all" indicates that all audit events are to be audited; \fB-all\fR indicates that all failed attempts are to be audited and \fB+all\fR indicates that all successful attempts are to be audited.  The prefixes \fB^\fR, \fB^-\fR and \fB^+\fR turn off flags specified earlier in the string (\fB^-\fR and \fB^+\fR for failed and successful attempts respectively, \fB^\fR for both). They are typically used to reset flags. The special string \fBno\fR indicates no audit events are to be audited.
.SH EXAMPLES
.LP
\fBExample 1 \fRPreselect to audit for successful and failed "lo" (login/logout), "am" (administration) audit events and all failed audit events except for failed "fm" (file attribute modify) events.
.sp
.in +2
.nf
lo,am,-all,^-fm
.fi
.in -2
.sp

.LP
\fBExample 2 \fRPreselect to audit for successful and failed "lo" (login/logout), "as" (system-wide administration) and failed "fm" (file attribute modify) events.
.sp
.in +2
.nf
lo,as,-fm
.fi
.in -2
.sp

.SH SEE ALSO
.sp
.LP
\fBprofiles\fR(1), \fBauditconfig\fR(1M), \fBauditd\fR(1M), \fBusermod\fR(1M), \fBaudit_class\fR(4), \fBaudit_event\fR(4), \fBprof_attr\fR(4), \fBuser_attr\fR(4)
.sp
.LP
\fIManaging Auditing in Oracle Solaris 11.3\fR