If you modify the audit_control or audit_user file, the preselection mask of users who are already logged in does not change. You must force the preselection mask to change.
You enabled auditing, users logged in, and then you changed the value of flags or naflags in the audit_control file. You want the users who are already logged in to be audited for these newly selected audit classes.
Update the preselection mask of users who are already logged in.
You have two options. You can terminate the existing sessions or use the auditconfig command to update the users' preselection masks.
Terminate the users' existing sessions.
Users can log out and log back in, or the administrator can manually terminate (kill) active sessions. The new sessions will inherit the new preselection mask. However, terminating users could be impractical.
Dynamically change each user's preselection mask.
Assume that the flags attribute in the audit_control file was changed from lo to lo,ex.
First, find all regular users. In the following example, the administrator finds all processes that are not owned by root, daemon, or lp:
# /usr/bin/pgrep -v -u root,daemon,lp | more .. 3941 3948 3949 10640 ...
Then, use one of the user's processes to find the user's audit ID:
# auditconfig -getpinfo 3941 audit id = jdoe(1002) process preselection mask = lo(0x1000,0x1000) terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234) audit session id = 713
Note that the user's preselection mask includes the lo class and does not include the newly added ex class.
The user's audit ID is 1002. The user's audit session ID is 713.
Change the user's preselection mask
Use one of the following two methods:
Verify that the preselection mask has changed.
# auditconfig -getpinfo 3941 audit id = jdoe(1002) process preselection mask = ex,lo(0x40001000,0x40001000) terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234) audit session id = 713