Site security policy often requires that you audit administrative actions. The 116:AUE_PFEXEC:execve(2) with pfexec enabled:ps,ex,ua,as audit event captures these actions. The cusa metaclass, which provides a group of events that is appropriate for use with roles, is another option when auditing administrative actions. For more information, review the comments in the /etc/security/audit_class file.
Example 5-5 Using Two Roles to Configure AuditingIn this example, two administrators implement the audit configuration plan of their site security officer. The plan is to use the pf class for all users, and specify the cusa metaclass for individual roles. The root role will assign the audit flags to the roles. The first administrator configures auditing and the second enables the new configuration.
The first administrator is assigned the Audit Configuration rights profile. This administrator views the current audit configuration:
# auditconfig -getflags active user default audit flags = lo(0x1000,0x1000) configured user default audit flags = lo(0x1000,0x1000)
Because the pf class does not include the lo class, the administrator adds the class to the system configuration.
# auditconfig -setflags lo,pf
To read the new audit configuration into the kernel, the administrator who is assigned the Audit Control rights profile refreshes the audit service.
# audit -s