System Administration Guide: Security Services

ProcedureHow to Update the Audit Service

This procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running.

  1. Assume a role that includes the Audit Control rights profile, or become superuser.

    To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map).

  2. Choose the appropriate command.

    • If you modify the naflags line in the audit_control file, change the kernel mask for nonattributable events.

      $ /usr/sbin/auditconfig -aconf

      You can also reboot.

    • If you modify other lines in the audit_control file, reread the audit_control file.

      The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.

      $ /usr/sbin/audit -s

      Note –

      Audit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot.

      The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins.

    • If you modify the audit_event file or the audit_class file while the audit daemon is running, refresh the audit service.

      Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.

      $ auditconfig -conf
      $ auditconfig -setumask auid classes

      Is the user ID.


      Are the preselected audit classes.

      For an example, see How to Modify a User's Preselection Mask.

    • To change audit policy on a running system, see Example 30–17.

Example 30–23 Restarting the Audit Daemon

In this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.

# init S
# init 6