Trusted Solaris Audit Administration

Setting Audit Policies

The auditconfig command provides a command line interface to get and set audit configuration information and audit policy. It can be used in the audit_startup(1M) script to set audit policies when the audit daemon is started. See the auditconfig(1M) man page and Dynamic Auditing (Tasks) for examples of the use of the auditconfig command.

You can use auditconfig with the -setpolicy option to change the default Trusted Solaris audit policies. Setting audit policies means adding optional audit tokens to the audit record. The auditconfig command with the -lspolicy argument shows the audit policies that are optional. See To Determine Current Audit Policy for the audit policies and their short descriptions. The following gives longer descriptions of the less easily understood policy flags.


Caution –

To run auditing in an evaluated configuration, you cannot have the cnt policy or the passwd policy turned on. They must be turned off.


ahlt

Halt the computer if an asynchronous audit event occurs that cannot be delivered to the audit queue. The default is not to halt the system.

cnt

Do not suspend auditable actions when the queue is full. Count how many audit records are dropped. The default is to suspend.


Note –

To return to the default, remove the cnt policy. See To Set Audit Policy Temporarily for examples of replacing, adding, and removing audit policies.


path

Add secondary path tokens to audit record. These secondary paths are typically the pathnames of dynamically linked shared libraries or command interpreters for shell scripts. By default they are not included.

seq

Include a sequence number in every audit record. The default is not to include one. (The sequence number could be used to analyze a crash dump to find out whether any audit records are lost.)
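The following shell functions are an added example, not part of this manual or the Trusted Solaris distribution, showing how an administrator might check the output of auditconfig -getpolicy against the evaluated-configuration rule above (no cnt, no passwd) and derive the corrected -setpolicy argument. The sample output line is constructed, and its format "audit policies = ..." is assumed; on a live host it would be replaced by $(auditconfig -getpolicy).

```shell
#!/bin/sh
# Constructed sample of 'auditconfig -getpolicy' output (not captured from a real host).
# The format "audit policies = <comma-separated list>" is an assumption.
SAMPLE_POLICY_LINE='audit policies = ahlt,cnt,seq'

# policy_flags LINE
# Echoes the policy flags from a -getpolicy line, space separated.
policy_flags() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/,/ /g'
}

# check_evaluated_policy LINE
# Prints each policy flag that is not permitted in an evaluated
# configuration (cnt, passwd); returns 1 if any is present, 0 otherwise.
check_evaluated_policy() {
    status=0
    for f in $(policy_flags "$1"); do
        case $f in
            cnt|passwd)
                echo "forbidden policy enabled: $f"
                status=1
                ;;
        esac
    done
    return $status
}

# evaluated_policy_list LINE
# Echoes the policy list with cnt and passwd removed, in the form accepted
# by 'auditconfig -setpolicy' ('none' if no flags remain).
evaluated_policy_list() {
    keep=
    for f in $(policy_flags "$1"); do
        case $f in
            cnt|passwd) ;;
            *) keep="${keep:+$keep,}$f" ;;
        esac
    done
    printf '%s\n' "${keep:-none}"
}

# Report the command that would bring the sample policy into line.
if ! check_evaluated_policy "$SAMPLE_POLICY_LINE"; then
    echo "to correct: auditconfig -setpolicy $(evaluated_policy_list "$SAMPLE_POLICY_LINE")"
fi
```

Placing the corrected auditconfig -setpolicy line in audit_startup(1M) makes the setting persist across restarts of the audit daemon.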