System Administration Guide: Security Services

How to Change Users' Audit Characteristics

Definitions for each user are stored in the /etc/security/audit_user file. These definitions are exceptions to the flags in the audit_control file.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_user file.

    # cp /etc/security/audit_user /etc/security/audit_user.save

  3. Add new entries to the audit_user file.

    Each entry has the following format:

    username:always:never

    username

    Selects the name of the user to be audited.

    always

    Selects the list of audit classes that should always be audited.

    never

    Selects the list of audit classes that should never be audited.

    You can specify multiple flags by separating the audit classes with commas. For more information about audit flags, see Audit Classes and Their Audit Flags.

  4. Make the new data available to the auditing daemon.

    The new data is read at login, so either reboot the system or have the affected user log out and log back in again.

Example—Changing Auditing for One User

This example shows an entry that causes audit records to be generated any time that the user sue performs an action in the login class (lo).

# grep sue /etc/security/audit_user
sue:lo:

Example—Creating an Audit Admin Login

If all the audit partitions are full and logins are audited, then users might not be able to log in to a host. To avoid this situation, you can set up a special account that is not audited. The special account can log in to the host even when the audit partitions are full, and fix the problem with the full partitions. In this example, the account auditadm is defined so that no auditing takes place.

# grep auditadm /etc/security/audit_user
auditadmin:no:yes

Note –

The user who is selected to use the audit admin account might need to be monitored in another way.