Bug 185034 - audit(8): audit -s do not sync audit_user
Status: Closed Works As Intended
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Christian Brueffer
Reported: 2013-12-20 16:30 UTC by Radim Kolar
Modified: 2016-01-07 12:50 UTC

Description Radim Kolar 2013-12-20 16:30:00 UTC
If you edit the audit_user file, it is not reloaded after "audit -s".
Comment 1 Christian Brueffer freebsd_committer freebsd_triage 2016-01-07 12:50:25 UTC
Hi Radim, the information about which flags to audit for a user is not managed by auditd, hence loading the file during "audit -s" would be useless.

The audit_user file is only read when a user logs in and consequently a new audit context for that login session is created (e.g., see usr.bin/login/login_audit.c).  In that case the user's entry is read from audit_user, and combined with the "always audit" flags specified in the flags parameter in /etc/audit_control into the user's audit mask.  This mask is part of the audit context inherited by every process forked from that initial login process.
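
Added example (not part of the bug report and not FreeBSD code): a simplified Python model of the behaviour described in Comment 1, where the mask is built once at login from the audit_control flags plus the user's audit_user entry and is then inherited unchanged. The class-bit table, sample file contents and function names are constructed for illustration; the combination rule follows the always/never fields documented in audit_user(5).

```python
# Simplified model (added example): how a login session's audit mask is built.
# Constructed subset of class bits; real systems define them in audit_class.
CLASS_BITS = {"no": 0x0, "fr": 0x1, "fw": 0x2, "lo": 0x1000,
              "aa": 0x2000, "ex": 0x40000000}

def parse_flags(spec):
    """Return (success, failure) bits: '+cl' success only, '-cl' failure only."""
    success = failure = 0
    for item in filter(None, (s.strip() for s in spec.split(","))):
        bit = CLASS_BITS[item.lstrip("+-")]
        if not item.startswith("-"):
            success |= bit
        if not item.startswith("+"):
            failure |= bit
    return success, failure

def control_flags(audit_control):
    """Value of the 'flags:' line in audit_control ('' if absent)."""
    for line in audit_control.splitlines():
        if line.startswith("flags:"):
            return line.split(":", 1)[1]
    return ""

def user_entry(audit_user, user):
    """(alwaysaudit, neveraudit) for user from 'name:always:never' lines."""
    for line in audit_user.splitlines():
        if line and not line.startswith("#"):
            name, always, never = line.split(":")
            if name == user:
                return always, never
    return "", ""

def login_mask(audit_control, audit_user, user):
    """Mask computed once, at login: (system flags | always) & ~never."""
    always, never = user_entry(audit_user, user)
    sys_m, alw_m, nev_m = map(parse_flags,
                              (control_flags(audit_control), always, never))
    return tuple((s | a) & ~n for s, a, n in zip(sys_m, alw_m, nev_m))

# Constructed sample files (before and after an edit to audit_user).
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,aa\n"
AUDIT_USER_OLD = "root:lo:no\nalice:+ex:no\n"
AUDIT_USER_NEW = "root:lo:no\nalice:+ex,fw:no\n"

if __name__ == "__main__":
    session = login_mask(AUDIT_CONTROL, AUDIT_USER_OLD, "alice")  # existing login
    child = session  # forked processes inherit it; "audit -s" does not change it
    fresh = login_mask(AUDIT_CONTROL, AUDIT_USER_NEW, "alice")    # next login
    print([hex(x) for x in child], [hex(x) for x in fresh])
```

In this model the edited audit_user entry only shows up in the mask computed for the next login; sessions that were already running keep the mask they started with.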