TAMOS has various audit levels to enable audit generation. trace_exec is one level.
trace_exec is a global audit level and enabling this level, allows you to audit program invocations initiated by the exec() system call. Remember that the exec() initiation should occur in processes that descend from a login event, which has been detected by TAMOS.
This level of auditing would generate a huge amount of data. You can limit the conditions using the trace_exec_l and trace_exec_root audit levels. Now, what's special about trace_exec? Nothing much. However, user 'osseal' has been endowed with special privileges, when it comes to trace_exec auditing. trace_exec does not audit osseal's activity.
More details about this, along with a simple test case:
In addition,the auditing behavior for cron jobs is also worth noting.
Cron jobs run by individual users will be audited by the AuditTrace facility if the user is Authenticated or Unauthenticated. The super user (root) cron jobs are not audited by the AuditTrace facility. More details along with a test case at: