if you edit audit_user file is not reloaded after "audit -s"
Hi Radim, the information which flags to audit for a user are not managed by auditd, hence loading the file during "audit -s" would be useless. The audit_user file is only read when a user logs in and consequently a new audit context for that login session is created (e.g., see usr.bin/login/login_audit.c). In that case the user's entry is read from audit_user, and combined with the "always audit" flags specified in the flags parameter in /etc/audit_control into the user's audit mask. This mask is part of the audit context inherited by every process forked from that initial login process.