System Administration Guide: Security Services

audit_user Database

The /etc/security/audit_user database modifies the system-wide preselected classes for an individual user. The classes that you add to a user's entry in the audit_user database modify the settings in the audit_control file in two ways:

Each user entry in the audit_user database contains three fields:


The audit fields are processed in sequence.

Suppose that you want to apply the system-wide audit settings to the user tamiko, except for successful reads of file system objects. Note the placement of the second colon (:) in the following audit_user entry:

tamiko:^+fr:no  modify system defaults for fr

The preceding entry means, “always audit everything, except for successful file reads.”

If you want to audit everything for user tamiko with the exception of successful file reads, you use the following entry:

tamiko:all,^+fr:no  audit everything except fr

Suppose that you want to override system defaults for successful file-reads for user tamiko. The following entry means “always audit everything, but never audit successful file reads.”

tamiko:all:+fr    override system defaults for fr

Note –

Successful events and failed events are treated separately. A process could generate more audit records for failed events than for successful events.