audit_user is an access-restricted database that stores per-user auditing preselection data. The audit_user file can be used with other authorization sources, including the NIS map audit_user.byname and the NIS+ table audit_user. Programs use the getauusernam(3BSM) routines to access this information.

The search order for multiple user audit information sources is specified in the /etc/nsswitch.conf file, as described in the nsswitch.conf(4) man page. The lookup follows the search order for passwd(4).

The fields for each user entry are separated by colons (:). Each user is separated from the next by a newline. audit_user does not have general read permission.

Each entry in the audit_user file has the form:

username:always-audit-flags:never-audit-flags

The fields are defined as follows:

username

The user's login name.

always-audit-flags

Flags specifying event classes to always audit.

never-audit-flags

Flags specifying event classes to never audit.

For a complete description of the audit flags and how to combine them, see the audit_control(4) man page.

/etc/nsswitch.conf

/etc/passwd

/etc/security/audit_user

bsmconv(1M), getauusernam(3BSM), audit_control(4), nsswitch.conf(4), passwd(4)

The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.