Your auditd config should look like the following:
run
    /etc/security/bsmconv
make sure /etc/system has been updated
    (set c2audit:audit_load = 1)
reboot
vi audit_startup
    /usr/bin/echo "Starting BSM services."
    /usr/sbin/auditconfig -conf
    /usr/sbin/auditconfig -aconf
    /usr/sbin/auditconfig -setpolicy +argv
Add the following class to your /etc/security/audit_class:
    0x08000000:cc:CIS custom class
vi the audit_event file
find entry 23 and add cc, just like the following entry:
    23:AUE_EXECVE:execve(2):ps,ex,cc
vi audit_control
make sure that you have the following lines:
    dir:/var/audit
    flags:lo,ad,cc
    minfree:20
    naflags:lo
vi audit_user
where userX is the name of the user you want to audit.
    userX:lo:no
    userX:lo,ad,cc,exec,all
    userX:lo,ad,cc,exec,al
To read anything from your logs, use the command below:
    auditreduce -c lo /var/audit/20070329110000.not_terminated.*servername* | praudit
and that will give you what you want!!
good luck.
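The audit_class / audit_event / audit_control edits from the post, scripted as an added example (this is not part of the original post and not Solaris' own tooling). The helpers work on copies of the files in a scratch directory so you can check the result before touching anything under /etc/security; the function names, the scratch directory and the sample file contents are constructed for the demo, while the class mask 0x08000000, the class name cc, event 23 and the four audit_control lines are the ones given above. Each helper is idempotent, so running it twice leaves the files exactly as after the first run.

```shell
#!/bin/sh
# Added example, not from the original post: apply the audit_class, audit_event
# and audit_control edits described above to COPIES of the files in a scratch
# directory, idempotently, and verify the result.  Function names, the scratch
# directory and the sample file contents are constructed for this demo; the
# class mask 0x08000000, the name 'cc', event 23 and the audit_control lines
# are the ones given in the post.

# add_class FILE MASK NAME DESCRIPTION
# Append "MASK:NAME:DESCRIPTION" unless that exact class is already defined.
# Refuses if the mask or the name is already taken by a different class.
add_class() {
  f=$1; mask=$2; name=$3; desc=$4
  if grep -q "^$mask:$name:" "$f"; then
    return 0                         # already there: re-runs are a no-op
  fi
  if grep -q "^$mask:" "$f" || grep -q "^[^:]*:$name:" "$f"; then
    echo "add_class: mask $mask or name $name already in use in $f" >&2
    return 1
  fi
  printf '%s:%s:%s\n' "$mask" "$name" "$desc" >> "$f"
}

# tag_event FILE EVENT_NUMBER CLASS
# Add CLASS to the 4th field (the class list) of the audit_event entry whose
# number is EVENT_NUMBER; every other line is passed through unchanged.
tag_event() {
  f=$1; num=$2; cls=$3
  awk -F: -v num="$num" -v cls="$cls" '
    BEGIN { OFS = ":" }
    $1 == num {
      n = split($4, c, ",")
      for (i = 1; i <= n; i++) if (c[i] == cls) { print; next }  # already tagged
      $4 = ($4 == "") ? cls : $4 "," cls
    }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# event_classes FILE EVENT_NUMBER -- print the class list of one event
event_classes() {
  awk -F: -v num="$2" '$1 == num { print $4 }' "$1"
}

# check_control FILE -- succeed only if every required audit_control line exists
check_control() {
  f=$1; rc=0
  for want in 'dir:/var/audit' 'flags:lo,ad,cc' 'minfree:20' 'naflags:lo'; do
    grep -qxF "$want" "$f" || { echo "audit_control: missing line '$want'" >&2; rc=1; }
  done
  return $rc
}

# demo_dir -- create a scratch directory holding constructed sample files
# (a trimmed audit_class, an untagged execve entry, a complete audit_control)
# and print its path.
demo_dir() {
  d=$(mktemp -d)
  printf '%s\n' '0x00000000:no:invalid class' '0x00001000:lo:login or logout' \
    > "$d/audit_class"
  printf '%s\n' '# sample audit_event (constructed)' \
    '6:AUE_EXIT:exit(2):ps' '23:AUE_EXECVE:execve(2):ps,ex' > "$d/audit_event"
  printf '%s\n' 'dir:/var/audit' 'flags:lo,ad,cc' 'minfree:20' 'naflags:lo' \
    > "$d/audit_control"
  echo "$d"
}

# Run "sh thisfile.sh --demo" to see the helpers applied to the sample files.
if [ "${1:-}" = "--demo" ]; then
  d=$(demo_dir)
  add_class "$d/audit_class" 0x08000000 cc "CIS custom class"
  tag_event "$d/audit_event" 23 cc
  tag_event "$d/audit_event" 23 cc             # second run changes nothing
  echo "execve classes: $(event_classes "$d/audit_event" 23)"   # ps,ex,cc
  check_control "$d/audit_control" && echo "audit_control ok"
  rm -rf "$d"
fi
```

To use it against the real files, point the helpers at copies of /etc/security/audit_class, audit_event and audit_control, diff the copies against the originals, and only then install them; auditconfig -conf (as in the audit_startup above) still has to run for the kernel to pick up the new class mapping.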