audit_user is an access-restricted database that
stores per-user auditing preselection data. The audit_user
file can be used with other authorization sources, including the NIS map audit_user.byname and the NIS+ table audit_user. Programs use the getauusernam(3BSM)
routines to access this information.
The search order for multiple user audit information sources is specified
in the /etc/nsswitch.conf file, as described in the nsswitch.conf(4) man page. The lookup follows
the search order for passwd(4).
The fields for each user entry are separated by colons (:). Each user is separated from the next by a newline. audit_user does not have general read permission.
Each entry in the audit_user file has the form:
The fields are defined as follows:
- The user's login name.
- Flags specifying event classes to always
- Flags specifying event classes to never
For a complete description of the audit flags and how to combine them,
see the audit_control(4) man page.