System Administration Guide: Security Services

Procedure: How to Modify a User's Preselection Mask

If you modify the audit_control or audit_user file, the preselection mask of users who are already logged in does not change. You must force the preselection mask to change.

Before You Begin

You enabled auditing, users logged in, and then you changed the value of flags or naflags in the audit_control file. You want the users who are already logged in to be audited for these newly selected audit classes.

  1. Update the preselection mask of users who are already logged in.

    You have two options. You can terminate the existing sessions or use the auditconfig command to update the users' preselection masks.

    • Terminate the users' existing sessions.

      Users can log out and log back in, or the administrator can manually terminate (kill) active sessions. The new sessions will inherit the new preselection mask. However, terminating users could be impractical.

    • Dynamically change each user's preselection mask.

      Assume that the flags attribute in the audit_control file was changed from lo to lo,ex.

      1. Determine the user's audit ID and audit session ID.

        First, find all regular users. In the following example, the administrator finds all processes that are not owned by root, daemon, or lp:


        # /usr/bin/pgrep -v -u root,daemon,lp | more 
        ..
        3941
        3948
        3949
        10640 ...

        Then, use one of the user's processes to find the user's audit ID:


        # auditconfig -getpinfo 3941
        audit id = jdoe(1002)
        process preselection mask = lo(0x1000,0x1000)
        terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234)
        audit session id = 713

        Note that the user's preselection mask includes the lo class and does not include the newly added ex class.

      The user's audit ID is 1002. The user's audit session ID is 713.

  2. Change the user's preselection mask.

    Use one of the following two methods:

    • Use the user's audit session ID to change the user's preselection mask.


      # /usr/sbin/auditconfig -setsmask lo,ex 713
      
    • Use the user's audit ID to change the user's preselection mask.


      # /usr/sbin/auditconfig -setumask lo,ex 1002
      
  3. Verify that the preselection mask has changed.


    # auditconfig -getpinfo 3941
    audit id = jdoe(1002)
    process preselection mask = ex,lo(0x40001000,0x40001000) 
    terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234)
    audit session id = 713
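
The check in steps 1 and 3, applied across many processes, as an added example that is not part of the original guide: it parses `auditconfig -getpinfo` output and lists the audit session IDs whose mask still lacks a class. The `GETPINFO` variable, the function names, and the `live` argument are hypothetical, and the parsing assumes the output layout shown on this page.

```shell
#!/bin/sh
# Added example (not from the guide). GETPINFO and the function names are
# hypothetical; the parsing assumes the -getpinfo layout shown on this page.
GETPINFO=${GETPINFO:-"/usr/sbin/auditconfig -getpinfo"}

# -getpinfo output for PID 3941, copied from the procedure above.
SAMPLE='audit id = jdoe(1002)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234)
audit session id = 713'

audit_uid() {   # numeric audit ID from "audit id = name(uid)"
    printf '%s\n' "$1" | sed -n 's/^audit id = .*(\([0-9][0-9]*\)).*$/\1/p'
}
audit_sid() {   # audit session ID
    printf '%s\n' "$1" | sed -n 's/^audit session id = \([0-9][0-9]*\).*$/\1/p'
}
mask_classes() {   # class names in the preselection mask, e.g. "ex,lo"
    printf '%s\n' "$1" | sed -n 's/^process preselection mask = \([^(]*\)(.*$/\1/p'
}
mask_has_class() {   # succeeds if class $2 is in the mask of -getpinfo text $1
    case ",$(mask_classes "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read PIDs on stdin; print each audit session ID whose mask lacks class $1.
stale_sessions() {
    while read -r pid; do
        info=$($GETPINFO "$pid" 2>/dev/null) || continue   # process exited
        mask_has_class "$info" "$1" && continue            # already updated
        audit_sid "$info"
    done | sort -un
}

if [ "${1:-}" = "live" ]; then
    # Dry run on a real system: print the step 2 commands, do not run them.
    /usr/bin/pgrep -v -u root,daemon,lp | stale_sessions ex |
        while read -r sid; do
            echo "/usr/sbin/auditconfig -setsmask lo,ex $sid"
        done
else
    echo "audit ID $(audit_uid "$SAMPLE"), session $(audit_sid "$SAMPLE")"
    mask_has_class "$SAMPLE" ex || echo "session $(audit_sid "$SAMPLE") lacks ex"
fi
```

Running the same listing again after step 2 should print nothing for the sessions that were updated.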