The system event mask applies to all nonexempt processes on the system and at a minimum always contains the fixed events. Selectable events may be added and deleted at the discretion of the administrator, but the fixed events cannot be altered. Audit criteria can be set before or after auditing is enabled.
The -s option of auditset is used to set the system wide audit criteria. The argument to the -s option, referred to as an event list, may consist of one or more events or event classes. If the event list contains more than one event, each item in the list must be separated by a comma.
Additionally, all and none may be used as event keywords. For the system event mask, all is defined to be the set of all fixed and selectable events and none is defined to be the set of all fixed events. Keyword(s) will be ignored if intermixed with events and event classes.
There are three valid operators that may precede an event list. Only one operator may be specified per event list. The following table describes the meaning of each operator.
Operators used in setting auditable events
|[no operator]||Replace the current set of auditable events with the ones listed.|
|+||Add the event(s) to the current set of auditable events.|
|-||Delete the event(s) from the current set of auditable events.|
|!||Audit all events except the event(s) listed.|
For example, if you want to add all events related to file creation
to the current
system-wide audit criteria
use the following command:
auditset -s +file_make
On the other hand, if you want
to delete all events related to file creation from
the current system wide audit criteria
type the following command:
auditset -s -file_make
If you want the system wide audit criteria to
contain only the kill and ulimit events,
enter the following command:
auditset -s kill,ulimit