man pages section 4: File Formats

audit_user(4)

NAME

audit_user– per-user auditing data file

SYNOPSIS

/etc/security/audit_user

DESCRIPTION

audit_user is an access-restricted plain text system file that stores per-user auditing preselection data. The audit_user file can be used with other authorization sources, including the NIS+ audit_user table . Programs use the getauusernam(3BSM) to access this information.

The search order for audit_user sources follows the order specified for passwd(4) in the nsswitch.conf(4) file. No entry should be made for audit_user.

The fields for each user entry are separated by colons (:).. Each user is separated from the next by a newline. audit_user does not have general read permission.

Each entry in the audit_user database has the form:

username:always-audit-flags:never-audit-flags

The fields are defined as follows:

username: The user's login name.
always-audit-flags: Flags specifying event classes to always audit.
never-audit-flags: Flags specifying event classes to never audit.

For a complete description of the audit flags and how to combine them, see the audit_control(4) man page.

Note –

The default permissions on the audit_user NIS+ table in the Trusted Solaris operating environment are restrictive. Therefore, normal users on NIS+ clients that are not running the Trusted Solaris operating environment and are not using the TSIX protocol cannot read the audit_user NIS+ table.

The preferred workaround for such clients is to use the local audit_user file. Alternatively, the NIS+ permissions on the audit_user table could be changed to be less restrictive.

EXAMPLES

Example 1 Sample audit_user File

        other:lo,ad:io,cl
        freda:lo,ex,+fc,-fr,-fa:io,cl
        ethel:lo,ex,nt:io,cl

FILES

/etc/nsswitch.conf: Configuration file for the name service switch
/etc/security/audit_user: Per-user auditing data file.
/etc/passwd: Per-machine user password file.

SUMMARY OF TRUSTED SOLARIS CHANGES

By default, auditing is enabled in the Trusted Solaris environment. See Trusted Solaris Audit Administration for how to disable and enable auditing.

A Trusted Solaris NIS+ audit_user table can be used by NIS+ clients that are running the Trusted Solaris operating environment or the TSIX protocol. NIS+ clients that are running other operating environments should use their local audit_user file. Alternatively, the permissions on the Trusted Solaris NIS+ audit_user table can be relaxed.

Trusted Solaris 8 HW 12/02 Reference Manual

getauusernam(3BSM), audit_control(4), nsswitch.conf(4)

Trusted Solaris Audit Administration

SunOS 5.8 Reference Manual

passwd(4)

Trusted Solaris 8 HW 12/02 Last Revised 10 Jan 2003