The /etc/security/audit_user database modifies the system-wide preselected classes for an individual user. The classes that you add to a user's entry in the audit_user database modify the settings in the audit_control file in two ways:
By specifying audit classes that are always to be audited for this user
By specifying audit classes that are never to be audited for this user
Each user entry in the audit_user database contains three fields:
username:always-audit-classes:never-audit-classes
The audit fields are processed in sequence.
The always-audit-classes field turns on the auditing of the classes in that field. Use this field to modify system-wide settings. For example, putting all in the always-audit-classes field audits everything for a user.
The never-audit-classes field turns off the auditing of the classes in that field. Use this field to override system settings. Putting all in the never-audit-classes field turns off all auditing for the user, even the audit classes that are specified in the audit_control file.
Suppose that you want to apply the system-wide audit settings to the user tamiko, except for successful reads of file system objects. Note the placement of the second colon (:) in the following audit_user entry:
tamiko:^+fr:no          (modify system defaults for fr)
The preceding entry means, “always audit everything, except for successful file reads.”
If you want to audit everything for user tamiko with the exception of successful file reads, you use the following entry:
tamiko:all,^+fr:no      (audit everything except fr)
Suppose that you want to override the system defaults for successful file reads for user tamiko. The following entry means “always audit everything, but never audit successful file reads.”
tamiko:all:+fr          (override system defaults for fr)
Successful events and failed events are treated separately. A process could generate more audit records for failed events than for successful events.
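The following model, added here as an illustration and not part of the Solaris documentation or tooling, applies the rule above in sequence (audit_control flags, then the always field, then the never field) and keeps success and failure outcomes separate; the class list and the flag strings are constructed, the real classes come from audit_class.

```python
# Constructed model of how an audit_user entry modifies the audit_control
# preselection. CLASSES is a small constructed subset of audit class names,
# not the contents of a real audit_class file.
CLASSES = {"lo", "ad", "fr", "fw", "fa", "fm", "fc", "fd", "ex", "pc"}

def _expand(token):
    """Split one flag token into (negate, outcomes, classes).
    '^' negates; '+' means successful events only, '-' failed events only,
    no sign means both; 'all' is every class and 'no' is no class."""
    negate = token.startswith("^")
    if negate:
        token = token[1:]
    sign = token[:1] if token[:1] in "+-" else ""
    outcomes = {"+": {"success"}, "-": {"failure"}}.get(sign, {"success", "failure"})
    name = token[1:] if sign else token
    if name == "all":
        classes = set(CLASSES)
    elif name == "no":
        classes = set()
    elif name in CLASSES:
        classes = {name}
    else:
        raise ValueError(f"unknown audit class: {token!r}")
    return negate, outcomes, classes

def apply_flags(mask, flags, turn_on=True):
    """Apply a comma-separated flags string to mask (class -> set of outcomes).
    With turn_on=False every token is treated as a removal, which is how the
    never-audit-classes field behaves (the page does not cover '^' there)."""
    for token in filter(None, flags.split(",")):
        negate, outcomes, classes = _expand(token)
        adding = turn_on and not negate
        for cls in classes:
            current = mask.setdefault(cls, set())
            if adding:
                current |= outcomes
            else:
                current -= outcomes
    # Drop classes with no remaining outcomes so the result is easy to read.
    return {cls: outs for cls, outs in mask.items() if outs}

def effective_mask(system_flags, audit_user_entry):
    """Compute a user's preselection: audit_control flags, then the always
    field, then the never field, processed in that order."""
    _user, always, never = audit_user_entry.split(":")
    mask = apply_flags({}, system_flags)
    mask = apply_flags(mask, always)
    return apply_flags(mask, never, turn_on=False)
```

Running the three tamiko entries from the text against constructed system flags of lo,+fr shows that the first entry only drops successful file reads from the system defaults, while the second and third both end with every class audited except successful fr.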