Trusted Solaris Audit Administration

To Change Audit Flags Dynamically

The auditconfig(1M) command enables you to change audit flags dynamically, such as adding extra flags to a user, a session, or a process while the user, session, or process is active. Since the flags are added dynamically, they are in effect until the user logs out, the session ends, or the process ends.

    To set a particular user to be additionally audited for successful file reads, as role secadmin at label admin_low:

    $ auditconfig -setumask audit_user_id +fr

    To set a particular session to be additionally audited for failed file attribute access, as role secadmin at label admin_low:

    $ auditconfig -setsmask audit_session_id -fa

    To set a particular process to be additionally audited for successful and unsuccessful file attribute modifications, as role secadmin at label admin_low:

    $ ps -ef | grep application-to-be-monitored
    $ auditconfig -setpmask process_id fm
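
The three commands above differ only in the flag argument (+fr, -fa, fm). The following helper is an added example, not part of the original page or of Trusted Solaris: it decodes a comma-separated flag string into class and outcome so a mask can be reviewed before it is passed to auditconfig. The function name describe_audit_flags is hypothetical, and handling of the ^ (turn off) prefix comes from the general Solaris audit flag syntax and goes beyond the flags shown on this page.

```shell
# Added example: decode Solaris audit flag strings such as "+fr,-fa,fm".
# Only the three classes used on this page are named; extend the table as needed.
describe_audit_flags() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r flag; do
        # A leading ^ turns a class off instead of on (audit flag syntax,
        # not shown on this page).
        action=enable
        case $flag in
            "^"*) action=disable; flag=${flag#"^"} ;;
        esac
        # + selects successful events, - selects failed events,
        # no prefix selects both outcomes.
        case $flag in
            "+"*) outcome=success; class=${flag#"+"} ;;
            "-"*) outcome=failure; class=${flag#"-"} ;;
            *)    outcome=success+failure; class=$flag ;;
        esac
        case $class in
            fr) name='file read' ;;
            fa) name='file attribute access' ;;
            fm) name='file attribute modify' ;;
            *)  name='unknown class' ;;
        esac
        printf '%s %s (%s): %s\n' "$action" "$class" "$name" "$outcome"
    done
}
```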