This procedure describes how to apply a change to the system-wide audit preselection mask to users who are already logged in. You can typically accomplish this by instructing the users to log out and log back in. Alternatively, in a role that is assigned the Process Management rights profile, you can manually terminate active sessions with the kill command. The new sessions inherit the new preselection mask.
However, terminating user sessions could be impractical. As an alternative, you can use the auditconfig command to dynamically change each logged-in user's preselection mask.
This procedure assumes that you changed the system-wide audit preselection mask from lo to lo,ex by running the following command:
$ auditconfig -setflags lo,ex
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. To terminate user sessions, you must become an administrator who is assigned the Process Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
$ who -a
jdoe  - vt/2   Jan 25 07:56  4:10  1597 (:0)
jdoe  + pts/1  Jan 25 10:10   .    1706 (:0.0)
...
jdoe  + pts/2  Jan 25 11:36  3:41  1706 (:0.0)
$ auditconfig -getpinfo 1706
audit id = jdoe(1234)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 9426,65559,mach1(192.0.2.234)
audit session id = 103203403
$ auditconfig -setpmask 1706 lo,ex
$ auditconfig -setumask jdoe lo,ex
$ auditconfig -setsmask 103203403 lo,ex
For example, check a process that existed before you changed the mask.
$ auditconfig -getpinfo 1706
audit id = jdoe(1234)
process preselection mask = ex,lo(0x40001000,0x40001000)
terminal id (maj,min,host) = 9426,65559,mach1(192.0.2.234)
audit session id = 103203403
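The verification step can be scripted so that every pre-existing process is checked the same way. The following is an added example, not part of the original procedure: the function names pinfo_masks, mask_covers and check_pid and the variable REQUIRED_BITS are hypothetical, and the bit values for lo and ex are read off the getpinfo output shown above.

```shell
#!/bin/sh
# Added example: confirm that a process's preselection mask covers lo,ex.
# Bit values come from the output on this page: lo = 0x1000, and
# ex,lo = 0x40001000, so ex = 0x40000000.
REQUIRED_BITS=$((0x1000 | 0x40000000))

# Sample getpinfo output copied from this page (before and after the change).
SAMPLE_BEFORE='audit id = jdoe(1234)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 9426,65559,mach1(192.0.2.234)
audit session id = 103203403'

SAMPLE_AFTER='audit id = jdoe(1234)
process preselection mask = ex,lo(0x40001000,0x40001000)
terminal id (maj,min,host) = 9426,65559,mach1(192.0.2.234)
audit session id = 103203403'

# Read getpinfo output on stdin; print "<success-mask> <failure-mask>" in hex.
pinfo_masks() {
    sed -n 's/^process preselection mask = .*(\(0x[0-9a-fA-F]*\),\(0x[0-9a-fA-F]*\))$/\1 \2/p'
}

# usage: mask_covers REQUIRED < getpinfo-output
# Returns 0 if both the success and failure masks contain every required bit,
# 1 if a bit is missing, 2 if the output could not be parsed (fail closed).
mask_covers() {
    required=$1
    masks=$(pinfo_masks)
    [ -n "$masks" ] || return 2
    set -- $masks
    [ $(( $1 & $required )) -eq "$required" ] &&
    [ $(( $2 & $required )) -eq "$required" ]
}

# On a live system (requires the Audit Configuration rights profile):
#   check_pid 1706 || echo "PID 1706 still has the old mask"
check_pid() {
    auditconfig -getpinfo "$1" | mask_covers "$REQUIRED_BITS"
}
```

A return status of 2 means the mask line was not found, which should be treated as a failed check rather than as a pass.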