SunSHIELD Basic Security Module Guide

Setting Audit Policies

You can use auditconfig with the -setpolicy flag to change the default Solaris-BSM audit policies. The auditconfig command with the -lspolicy argument shows the audit policies that you can change. The policy flags are described below.


Record the environment and arguments on execv (see the exec(2) man page). The default is not to record these.


Record command-line arguments to execv. The default is not to record these.


Do not suspend auditable actions when the queue is full; just count how many audit records are dropped. The default is suspend.


Include the supplementary groups token in audit records. The default is that group token is not included.


Add secondary path tokens to audit record. These secondary paths are typically the path names of dynamically linked shared libraries or command interpreters for shell scripts. By default they are not included.


Include the trailer token in all records. The default is that the trailer token is not recorded.


Include a sequence number in every audit record. The default is to not include. (The sequence number could be used to analyze a crash dump to find out whether any audit records are lost.)

How to Change Which Events Are in Which Audit Classes

This procedure describes how to modify the default event to class mappings.

  1. Edit the /etc/security/audit_event file to change the class mapping for each event to be changed.

  2. Reboot the system or run auditconfig -conf to change the runtime kernel event-to-class mappings.