This procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running.
Assume a role that includes the Audit Control rights profile, or become superuser.
To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map).
Choose the appropriate command.
If you modify the naflags line in the audit_control file, change the kernel mask for nonattributable events.
$ /usr/sbin/auditconfig -aconf |
You can also reboot.
If you modify other lines in the audit_control file, reread the audit_control file.
The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.
$ /usr/sbin/audit -s |
Audit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot.
The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins.
If you modify the audit_event file or the audit_class file while the audit daemon is running, refresh the audit service.
Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.
$ auditconfig -conf $ auditconfig -setumask auid classes |
Is the user ID.
Are the preselected audit classes.
For an example, see How to Modify a User's Preselection Mask.
In this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.
# init S # init 6 |