Trusted Solaris Audit Administration

To Change Audit Flags Dynamically

The auditconfig(1M) command enables you to change audit flags dynamically, such as adding extra flags to a user, a session, or a process while the user, session, or process is active. Since the flags are added dynamically, they are in effect until the user logs out, the session ends, or the process ends.

The security administrator sets or changes audit policy. Policy changes are set at the label admin_low.

    To set a particular user to be additionally audited for successful file reads:

    $ auditconfig -setumask audit_user_id +fr

    To set a particular session to be additionally audited for failed file attribute access:

    $ auditconfig -setsmask audit_session_id -fa

    To set a particular process to be additionally audited for successful and unsuccessful file attribute modifications:

    $ ps -ef | grep application-to-be-monitored
    $ auditconfig -setpmask process_id fm
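
The `ps -ef | grep` lookup in the last step matches by substring and can list the grep process itself, so the mask can end up on the wrong process ID. The dry-run helper below is an added example, not part of the Trusted Solaris documentation: it reads `ps -e -o pid= -o comm=` output (an assumption; the page uses `ps -ef`), matches the command name exactly, and prints the `auditconfig -setpmask` commands for review. The function names, the `payroll` application and the sample listing are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names); prints commands, runs nothing.

# audit_flag CLASS OUTCOME: build the flag using the prefixes shown above:
#   success -> +CLASS, failure -> -CLASS, both -> CLASS (no prefix)
audit_flag() {
    case "$2" in
        success) printf '%s\n' "+$1" ;;
        failure) printf '%s\n' "-$1" ;;
        both)    printf '%s\n' "$1" ;;
        *) echo "audit_flag: outcome must be success, failure or both" >&2
           return 2 ;;
    esac
}

# pids_for NAME: read "PID COMMAND" lines on stdin and print the PIDs whose
# command basename equals NAME exactly (no substring matches, no grep line).
pids_for() {
    awk -v name="$1" '{ cmd = $2; sub(/.*\//, "", cmd)
                        if (cmd == name) print $1 }'
}

# pmask_commands NAME CLASS OUTCOME: read a process listing on stdin and
# print one "auditconfig -setpmask" command per matching process.
pmask_commands() {
    flag=$(audit_flag "$2" "$3") || return 2
    pids=$(pids_for "$1")
    [ -n "$pids" ] || { echo "no process named $1" >&2; return 1; }
    for pid in $pids; do
        printf 'auditconfig -setpmask %s %s\n' "$pid" "$flag"
    done
}

# Constructed sample of `ps -e -o pid= -o comm=` output.
sample_ps() {
cat <<'EOF'
  412 /usr/sbin/nscd
 1530 /opt/app/bin/payroll
 1544 grep
 1602 /opt/app/bin/payroll-report
 1731 payroll
EOF
}

# Successful and unsuccessful file attribute modifications for "payroll".
sample_ps | pmask_commands payroll fm both
```

On a live system the listing would come from `ps -e -o pid= -o comm=` instead of `sample_ps`, and the printed commands would be run after review.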