In this example, you define a new class, and then add events to that class. To use the mapping, put the new class in the audit_control file, then reboot the system.
In the audit_class file, define a site-specific class to collect just those audit events that you want to monitor.
    0x00000800:sc:site class
In the audit_event file, change a set of audit events to the new class.
    26:AUE_SETGROUPS:setgroups(2):sc
    27:AUE_SETPGRP:setpgrp(2):sc
    40:AUE_SETREUID:setreuid(2):sc
    41:AUE_SETREGID:setregid(2):sc
    214:AUE_SETEGID:setegid(2):sc
    215:AUE_SETEUID:seteuid(2):sc
Use the new flag in the audit_control file. The following entry audits logins, and audits all successful invocations of the events in the sc class.
    flags:lo,+sc
To ensure that the new configuration audits all processes, reboot the system. Or, you can use the following set of commands to ensure that each user who uses the machine is correctly audited. auid is the user ID.
    # auditconfig -conf
    # audit -s
    # setumask auid lo,+sc
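As an added illustration (not part of the original guide), the following Python script parses constructed excerpts of audit_class and audit_event in the formats shown above and reports which events a flags value such as lo,+sc selects, and whether it selects them on success, on failure, or both. This is a handy way to check a site class mapping before rebooting; the sample event lines are constructed for the example.

```python
# Constructed excerpts of /etc/security/audit_class (mask:name:description)
# and /etc/security/audit_event (number:name:description:classes).
AUDIT_CLASS = """\
0x00001000:lo:login or logout
0x00000800:sc:site class
0xffffffff:all:all classes
"""
AUDIT_EVENT = """\
26:AUE_SETGROUPS:setgroups(2):sc
27:AUE_SETPGRP:setpgrp(2):sc
40:AUE_SETREUID:setreuid(2):sc
6152:AUE_login:login - local:lo
"""

def _records(text):
    """Yield the colon-separated fields of each line, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def parse_flags(flags, masks):
    """'lo,+sc' -> (success_mask, failure_mask); '+' audits only successes, '-' only failures."""
    success = failure = 0
    for token in (t.strip() for t in flags.split(",")):
        name = token.lstrip("+-")
        if not token.startswith("-"):
            success |= masks[name]
        if not token.startswith("+"):
            failure |= masks[name]
    return success, failure

def selected_events(flags, class_text=AUDIT_CLASS, event_text=AUDIT_EVENT):
    """Map each audited event name to 'success', 'failure' or 'both'."""
    masks = {name: int(mask, 16) for mask, name, _desc in _records(class_text)}
    success, failure = parse_flags(flags, masks)
    result = {}
    for _num, name, _desc, classes in _records(event_text):
        bits = 0
        for cls in classes.split(","):
            bits |= masks.get(cls, 0)   # a class missing from audit_class audits nothing
        s, f = bool(bits & success), bool(bits & failure)
        if s or f:
            result[name] = "both" if s and f else ("success" if s else "failure")
    return result

if __name__ == "__main__":
    for event, when in sorted(selected_events("lo,+sc").items()):
        print(f"{event}: {when}")
```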