The following audit characteristics are set at initial login:
Process preselection mask – A combination of the audit flags from the audit_control file and the audit_user file. When a user logs in, the login command combines the flags to establish the process preselection mask for the user's processes. The process preselection mask specifies whether events in each audit event class are to generate audit records.
The algorithm for obtaining the process preselection mask is described in the following equation:
user's process preselection mask = (flags: line + always-audit flags) - never-audit flags |
Add the audit flags from the flags: line in the audit_control file to the flags from the always-audit field in the user's entry in the audit_user file. Then, subtract from the total the flags from the user's never-audit field.
Audit ID – A process acquires an audit ID when the user logs in. The audit ID is inherited by all child processes that were started by the user's initial process. The audit ID helps enforce accountability. Even after a user becomes root, the audit ID remains the same. The audit ID that is saved in each audit record always allows you to trace actions back to the original user who had logged in.
Audit Session ID – The audit session ID is assigned at login. The session ID is inherited by all descendant processes.
Terminal ID (port ID, machine ID) – The terminal ID consists of the host name and the Internet address, followed by a unique number that identifies the physical device on which the user logged in. Most often, the login is through the console and the number that corresponds to the console device is 0.