Auditing specific processes on Solaris

Hi All!

I am tryinging to figure out how to audit specific processes on Solaris 7 & 8. Or to be more specific, I want a record of when a particular program is started and by whom. BSM is activated and I have looked through the Solaris doc, but I cannot figure out how to audit a specific program/process. Is this possible? If it is in the doc I would appreaciate a kick in the right direction where to look.

Regards,

jimmo

Have a look at the process stop/start class of audit
events i.e. audit class ps.

Wonderful. I'll take a look. Thanks!

Well, unfortunately I am still not there. I have an application that I want to monitor. That is, I want an audit record each time it is started by any one. So, in the audit_user file, I might have something like this:

other:pc:no
jimmo:pc:no
root:lo,pc:no

Which I interpret it to say that for root, audit login events and process events, also process events for jimmo and all other users. Well, here is where I stop. I can use praudit to look at the current audit log and see that it is logging process events. Including events for the process I am looking for. Unfortunately, I see all of the process events for this user. Some of which I really don't care about. What I really when to know is who starts a particular application and and when without all of the other process events.

Is there anyway of auditing just specific events or do I need to filter them from the audit log?

Regards,

jimmo