System Administration Guide: Security Services

How to Change Users' Audit Characteristics

Definitions for each user can be stored in the /etc/security/audit_user file.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_user file.

    # cp /etc/security/audit_user /etc/security/audit_user.save

  3. Add new entries to the audit_user file.

    Each entry has the following format:

    username:always:never

    username    Selects the name of the user to be audited.
    always      Selects the list of audit classes that should always be audited.
    never       Selects the list of audit classes that should never be audited.

    You can specify multiple audit classes in either list by separating them with commas. For more information about audit flags, see Audit Flags.

  4. Make the new data available to the BSM service.

    To use the new data, either reboot the system, or have the user log out and back in again.

Example—Changing Auditing for One User

This example shows an entry that causes audit records to be generated whenever the user sue accesses any program in the login class (lo).

# grep sue /etc/security/audit_user
sue:lo:

Example—Creating an Audit Admin Login

If all the audit partitions are full, it could be impossible to log in to a host: when every login is audited, full audit partitions prevent anyone from completing a login. To avoid this situation, you can set up a special login that is not audited. This login lets you log in to the host even when the audit partitions are full, so that you can then fix the problem with the full partitions. In this example, the user auditadm is defined so that no auditing takes place.

# grep auditadm /etc/security/audit_user
auditadmin:no:yes

Note –

The user login that is selected to serve as the audit admin login might need to be monitored in another way.
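As an added example, not from the guide, covering steps 2 and 3 of the procedure and the two audit_user entries shown above: a POSIX shell helper that replaces or appends a user's username:always:never entry in a copy of the file, rejects malformed fields before writing, and looks entries up by exact username rather than the substring match a bare grep gives. The function names, the working-copy workflow and the sample entries are assumptions of this example.

```shell
#!/bin/sh
# Added helper, not part of the guide: maintain entries in an audit_user-format
# file (username:always:never). Point it at a copy of /etc/security/audit_user
# and inspect the result before installing it. The function names and sample
# entries are assumptions made for this example.
set -u

# audit_user_set FILE USER ALWAYS NEVER
# Write "USER:ALWAYS:NEVER", replacing an existing entry for USER if present.
# Returns 1 without touching FILE when a field is malformed.
audit_user_set() {
    file=$1; user=$2; always=$3; never=$4
    # The username is field 1, so it must not contain ':' or any whitespace.
    case "$user" in
        ''|*:*|*[[:space:]]*)
            echo "audit_user_set: bad username '$user'" >&2; return 1 ;;
    esac
    # Class lists are comma-separated flags (lo, ex, ...), optionally prefixed
    # with +, - or ^; an empty list is allowed, as in the entry "sue:lo:".
    for list in "$always" "$never"; do
        case "$list" in
            *[!A-Za-z0-9,+^-]*)
                echo "audit_user_set: bad class list '$list'" >&2; return 1 ;;
        esac
    done
    tmp="$file.tmp.$$"
    # Keep every other entry (exact match on field 1, unlike "grep sue", which
    # would also match names such as suellen), append the new entry, then swap
    # the file into place in one step so a partial write is never left behind.
    awk -F: -v u="$user" '$1 != u' "$file" > "$tmp" &&
        printf '%s:%s:%s\n' "$user" "$always" "$never" >> "$tmp" &&
        mv "$tmp" "$file"
}

# audit_user_get FILE USER: print USER's entry, matching field 1 exactly.
audit_user_get() {
    awk -F: -v u="$2" '$1 == u' "$1"
}

# audit_user_lint FILE: print non-empty lines that do not have exactly three
# fields, which is the first thing to check when logins behave unexpectedly.
audit_user_lint() {
    awk -F: 'NF != 3 && $0 != "" { print FILENAME ":" NR ": " $0 }' "$1"
}
```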