System Administration Guide: Security Services

Procedure: How to Change a User's Audit Characteristics

Definitions for each user are stored in the audit_user database. For the specified user, these definitions modify the classes that are preselected in the audit_control file. The nsswitch.conf file determines whether a local file or a naming service database is used. To calculate the user's final audit preselection mask, see Process Audit Characteristics.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_user database.


    # cp /etc/security/audit_user /etc/security/audit_user.orig
    
  3. Add new entries to the audit_user database.

    In the local database, each entry has the following format:


    username:always-audit:never-audit
    
    username

    Selects the name of the user to be audited.

    always-audit

    Selects the list of audit classes that should always be audited for the specified user.

    never-audit

    Selects the list of audit classes that should never be audited for the specified user.

    You can specify multiple classes by separating the audit classes with commas.

    The audit_user entries are in effect at the user's next login.


Example 30–8 Changing Which Events Are Audited for One User

In this example, the audit_control file contains the preselected audit classes for the system:


## audit_control file
…
flags:lo,ss
naflags:lo,na

The audit_user file shows an exception. When the user jdoe uses a profile shell, that use is audited:


## audit_user file
jdoe:pf

The audit preselection mask for jdoe is a combination of the audit_user settings with the audit_control settings. The auditconfig -getaudit command shows the preselection mask for jdoe:


# auditconfig -getaudit
audit id = jdoe(1234567)
process preselection mask = ss,pf,lo(0x13000,0x13000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 2138517656


Example 30–9 Auditing Users Only, Not the System

In this example, the login and role activities of only four users are audited on this system. The audit_control file does not preselect audit classes for the system.


## audit_control file
…
flags:
naflags:

The audit_user file preselects two audit classes for four users, as follows:


## audit_user file
jdoe:lo,pf
kdoe:lo,pf
pdoe:lo,pf
sdoe:lo,pf

The following audit_control file records unwarranted intrusion. In combination with the audit_user file, this file protects the system more than the first audit_control file in this example.


## audit_control file
…
flags:
naflags:lo
plugin:name=...
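
The combination shown in Examples 30–8 and 30–9 can be checked offline before a user's next login. The following is an added example, not part of the original guide or of the Solaris tools: it computes (flags + always-audit) - never-audit from the text of the two files. It assumes local files only and plain class names without success/failure prefixes; the function names, the `root` lookup and the `jdoe:pf:ss` entry are constructed for illustration.

```python
# Added example. Assumes plain class names (no +, - or ^ prefixes), local files only.

def parse_classes(field):
    """Split a comma-separated class list; an empty field yields no classes."""
    return [c.strip() for c in field.split(",") if c.strip()]

def parse_audit_control(text):
    """Return the flags and naflags class lists from audit_control content."""
    settings = {"flags": [], "naflags": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key in settings:  # skips comments and other keywords
            settings[key] = parse_classes(value)
    return settings

def parse_audit_user(text):
    """Return {username: (always_audit, never_audit)} from audit_user content."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, always, never = (line.split(":") + ["", ""])[:3]
        users[name] = (parse_classes(always), parse_classes(never))
    return users

def effective_classes(user, control, users):
    """Classes preselected for a user's processes, in first-seen order."""
    always, never = users.get(user, ([], []))
    result = []
    for cls in control["flags"] + always:
        if cls not in never and cls not in result:
            result.append(cls)
    return result

# Constructed inputs that mirror Examples 30-8 and 30-9 on this page.
CONTROL_30_8 = "## audit_control file\nflags:lo,ss\nnaflags:lo,na\n"
USERS_30_8 = "## audit_user file\njdoe:pf\n"
CONTROL_30_9 = "flags:\nnaflags:lo\n"
USERS_30_9 = "jdoe:lo,pf\nkdoe:lo,pf\npdoe:lo,pf\nsdoe:lo,pf\n"
USERS_NEVER = "jdoe:pf:ss\n"  # constructed entry exercising the never-audit field

if __name__ == "__main__":
    for ctl, usr, who in [(CONTROL_30_8, USERS_30_8, "jdoe"),
                          (CONTROL_30_9, USERS_30_9, "root"),  # no audit_user entry
                          (CONTROL_30_8, USERS_NEVER, "jdoe")]:
        got = effective_classes(who, parse_audit_control(ctl), parse_audit_user(usr))
        print(who, ",".join(got) or "(nothing preselected)")
```

With the Example 30–9 files, an account that has no audit_user entry gets no preselected classes, which is worth confirming for every administrative account before emptying the flags line.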