Setting Audit Policies
You can use auditconfig with the -setpolicy flag to change the default Solaris BSM audit policies. The auditconfig command with the -lspolicy argument shows the audit policies that you can change. The policy flags are described below.
- Record the environment and arguments on execv (see the exec(2) man page). The default is not to record these; likewise, the default is not to record arguments to execv.
- Do not suspend auditable actions when the queue is full; just count how many audit records are dropped. The default
- Include the supplementary groups token in audit records. The default is that the group token is not included.
- Add secondary path tokens to the audit record. These secondary paths are typically the path names of dynamically linked shared libraries or command interpreters for shell scripts. By default they are not included.
- Include the trailer token in all records. The default is that the trailer token is not recorded.
- Include a sequence number in every audit record. The default is to not include it. (The sequence number could be used to analyze a crash dump to find out whether any audit records are lost.)
How to Change Which Events Are in Which Class
This procedure describes how to modify the default event-to-class mappings.
1. Edit the /etc/security/audit_event file to change the class mapping for each event to be changed.
2. Reboot the system or run auditconfig -conf to change the runtime kernel event-to-class mappings.
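The following script is an added example, not part of the original page: it performs the edit step of the procedure on a copy of an audit_event-format file (fields number:name:description:class-list, as in audit_event(4)) so the change can be reviewed before it is installed and auditconfig -conf is run. The sample lines, the function names and the "fa" class value are constructed for the example; only apply_mapping assumes a Solaris host with auditconfig.

```shell
#!/bin/sh
# Remap one audit event's class list in an audit_event-format file.
# Constructed sample in the audit_event(4) layout; not a real system file.
SAMPLE_AUDIT_EVENT='# number:name:description:class-list (constructed sample)
6:AUE_EXEC:exec(2):ps,ex
23:AUE_EXECVE:execve(2):ps,ex
200:AUE_VFORK:vfork(2):ps'

# event_class FILE EVENT_NAME
# Print the current class list (fourth field) for EVENT_NAME.
event_class() {
    awk -F: -v ev="$2" '$2 == ev { print $4; exit }' "$1"
}

# set_event_class FILE EVENT_NAME NEW_CLASSES
# Write FILE to stdout with EVENT_NAME's class list replaced by NEW_CLASSES.
# Comments and malformed lines pass through unchanged; FILE itself is not
# modified, so the caller can diff the result before installing it.
set_event_class() {
    awk -F: -v ev="$2" -v cl="$3" 'BEGIN { OFS = ":" }
        /^#/ || NF < 4 { print; next }
        $2 == ev       { $4 = cl }
                       { print }' "$1"
}

# apply_mapping NEW_FILE
# Install the reviewed file and reload the kernel event-to-class mappings
# (the second step of the procedure). Assumes Solaris auditconfig; not
# exercised by the test below.
apply_mapping() {
    cp /etc/security/audit_event /etc/security/audit_event.bak &&
    cp "$1" /etc/security/audit_event &&
    auditconfig -conf
}

# Usage: stage a change that also audits AUE_EXECVE under class "fa".
stage_example() {
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_AUDIT_EVENT" > "$tmp"
    set_event_class "$tmp" AUE_EXECVE "ps,ex,fa" > "$tmp.new"
    printf '%s\n' "$tmp.new"
}
```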