To audit some users differently from others, you can edit the /etc/security/audit_user file to add audit flags for individual users. If specified, these flags are combined with the system-wide flags in the audit_control file to determine which classes of events to audit for that user. The flags that you add to the user's entry in the audit_user file modify the defaults from the audit_control file in two ways:
By specifying event classes that are always to be audited for this user
By specifying event classes that are never to be audited for this user
Each user entry in the audit_user file contains three fields.
The username field
The always-audit field
The never-audit field
The audit fields are processed in sequence. The always-audit field turns on the auditing of the classes in that field. The never-audit field turns off the auditing of the classes in that field.
Avoid the common mistake of leaving the all audit flag in the never-audit field. This mistake causes all auditing to be turned off for that user, which overrides the flags that are set in the always-audit field. The flag also overrides machine-wide audit flags set in the audit_control file.
The never-audit flags for a user override the system defaults, which is often not what you want. For example, suppose you want to audit everything for user tamiko except for successful reads of file system objects. This strategy audits almost everything for the user, but generates only about three-quarters of the audit data that would be produced if successful data reads were audited as well. You also want the system defaults from the audit_control file to still apply to tamiko. Here are two possible audit_user entries:
The correct entry:
tamiko:all,^+fr:
The incorrect entry:
tamiko:all:+fr
The first entry means, “always audit everything except for successful file reads.” The second entry means, “always audit everything, but never audit successful file reads.” In flag syntax, the + prefix selects only the successful events of a class and the - prefix only the failed events, while the ^ prefix turns a class off; so ^+fr removes only successful file reads from the all flag. The first entry achieves the desired effect because the exception is written inside the always-audit field: the never-audit field is empty, so the system defaults from the audit_control file are not overridden. The second entry is incorrect because the +fr in its never-audit field turns off successful file reads for tamiko even if the audit_control flags select them, which overrides the system defaults.
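The following script is an added example, not part of the Solaris documentation or the audit subsystem itself. It models the mask computation described above (system-wide flags from audit_control, plus the always-audit field, minus the never-audit field, with successful and failed events tracked separately) and lints audit_user entries for the two mistakes discussed: an all flag in the never-audit field, and a never-audit field that cancels system defaults. The audit_control and audit_user contents, the usernames tamiko2 and jdoe, and the reduced class list are constructed for the example; the system flags deliberately include +fr so that the correct and incorrect tamiko entries produce different masks.

```python
"""Effective per-user audit masks from audit_control and audit_user.
Added illustration only: not Solaris code; sample files are constructed."""
import re

# Constructed subset of the classes in audit_class(4); "all" expands to it.
CLASSES = frozenset(
    ("fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
     "na", "ad", "lo", "ap", "ex", "ot")
)

# One flag token: optional '^' (turn off), optional '+' (success only) or
# '-' (failure only), then a class name.  Tokens are applied left to right.
FLAG_RE = re.compile(r"^(\^?)([+-]?)([a-z]+)$")


def parse_flags(text):
    """Return (success, failure) frozensets selected by a comma-separated
    flag string such as 'lo,ad,-all,^-fm'."""
    success, failure = set(), set()
    for tok in (t.strip() for t in text.split(",")):
        if not tok:
            continue
        m = FLAG_RE.match(tok)
        if not m:
            raise ValueError(f"malformed audit flag: {tok!r}")
        neg, sign, cls = m.groups()
        if cls == "all":
            classes = CLASSES
        elif cls == "no":
            classes = frozenset()
        elif cls in CLASSES:
            classes = frozenset((cls,))
        else:
            raise ValueError(f"unknown audit class: {cls!r}")
        # '+' leaves the failure set alone, '-' leaves the success set alone.
        for field, skip in ((success, "-"), (failure, "+")):
            if sign == skip:
                continue
            if neg:
                field.difference_update(classes)
            else:
                field.update(classes)
    return frozenset(success), frozenset(failure)


def parse_audit_control_flags(text):
    """Pick the system-wide 'flags:' line out of audit_control text."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("flags:"):
            return parse_flags(line[len("flags:"):])
    return parse_flags("")


def parse_audit_user(text):
    """Map username -> (always, never); each is a (success, failure) pair."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"audit_user entry needs 3 fields: {line!r}")
        user, always, never = fields
        entries[user] = (parse_flags(always), parse_flags(never))
    return entries


def effective_mask(system, always, never):
    """(system | always) - never, per success/failure set.  Subtracting the
    never-audit flags last is why they override the audit_control defaults."""
    return tuple(frozenset((system[i] | always[i]) - never[i]) for i in (0, 1))


def effective_masks(control_text, user_text):
    system = parse_audit_control_flags(control_text)
    return {user: effective_mask(system, always, never)
            for user, (always, never) in parse_audit_user(user_text).items()}


def lint(control_text, user_text):
    """Flag never-audit fields that disable everything or cancel defaults."""
    system = parse_audit_control_flags(control_text)
    warnings = []
    for user, (_always, never) in parse_audit_user(user_text).items():
        if never[0] == CLASSES and never[1] == CLASSES:
            warnings.append(f"{user}: 'all' in never-audit field disables all auditing")
            continue
        lost = (system[0] & never[0]) | (system[1] & never[1])
        if lost:
            warnings.append(f"{user}: never-audit field removes system defaults {sorted(lost)}")
    return warnings


# Constructed sample files.  audit_control selects successful file reads
# system-wide so that the correct and incorrect tamiko entries differ.
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,ad,+fr\nnaflags:lo\n"
AUDIT_USER = (
    "tamiko:all,^+fr:\n"   # correct: exception lives in the always-audit field
    "tamiko2:all:+fr\n"    # incorrect: never-audit field cancels the +fr default
    "jdoe:lo:all\n"        # 'all' in never-audit field turns everything off
)

if __name__ == "__main__":
    for user, (s, f) in effective_masks(AUDIT_CONTROL, AUDIT_USER).items():
        print(f"{user}: success={sorted(s)} failure={sorted(f)}")
    for w in lint(AUDIT_CONTROL, AUDIT_USER):
        print("WARNING", w)
```

Running it shows tamiko audited for every class on both success and failure (the system-wide +fr survives), tamiko2 missing successful file reads despite the audit_control setting, and jdoe audited for nothing at all; the linter reports the last two.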
Successful events and failed events are treated separately. A process could generate more audit records when an error occurs than when an event is successful.