Setting Audit Policies
You can use auditconfig with the -setpolicy flag to change the default Solaris-BSM audit policies. The auditconfig command with the -lspolicy argument lists the audit policies that you can change. The policy flags are described below.
Record the environment and arguments on execv (see the man page). The default is not to record these.

Record arguments to execv. The default is not to record these.

Do not suspend auditable actions when the queue is full; just count how many audit records are dropped. The default is to suspend.

Include the supplementary groups token in audit records. The default is that the group token is not included.

Add secondary path tokens to the audit record. These secondary paths are typically the path names of dynamically linked shared libraries or command interpreters for shell scripts. By default they are not included.

Include the trailer token in all records. The default is that the trailer token is not recorded.

Include a sequence number in every audit record. The default is to not include it. (The sequence number could be used to analyze a crash dump to find out whether any audit records were lost.)
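The check below is an added example, not code from the original page or from Sun: it parses the "audit policies = ..." line that auditconfig -getpolicy prints, compares the active set against a constructed defender baseline (command-line recording and sequence numbers on, silent dropping of records off), and builds the auditconfig -setpolicy invocation that would bring the host into line. The policy names (arge, argv, cnt, group, path, trail, seq) are the ones documented in auditconfig(1M); the page text describes them without naming them, so they are supplied here, and the baseline and the sample output are assumptions made for the example.

```python
"""Added example: audit a Solaris BSM policy line against a baseline.

Policy names come from auditconfig(1M); the baseline below is a
constructed choice for a host where audit completeness matters more
than availability, not a vendor recommendation.
"""

# Policy names from auditconfig(1M), paired with the behaviour the page describes.
POLICY_MEANING = {
    "arge": "record the environment and arguments on execv",
    "argv": "record arguments to execv",
    "cnt": "do not suspend on a full queue; only count dropped records",
    "group": "include the supplementary groups token",
    "path": "add secondary path tokens (shared libraries, interpreters)",
    "trail": "include the trailer token in all records",
    "seq": "include a sequence number in every record",
}

# Constructed baseline (assumption): argv/arge give command-line visibility,
# seq/trail let a reviewer detect gaps, and cnt is left off because it lets
# records be dropped silently instead of stopping the auditable action.
BASELINE_ON = {"argv", "arge", "seq", "trail"}
BASELINE_OFF = {"cnt"}


def parse_getpolicy(output):
    """Parse the 'audit policies = a,b,c' line from auditconfig -getpolicy.

    'none' (or an empty value) means no policy flag is active.
    """
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("audit policies") and "=" in stripped:
            value = stripped.split("=", 1)[1].strip()
            if value in ("", "none"):
                return set()
            return {p.strip() for p in value.split(",") if p.strip()}
    raise ValueError("no 'audit policies =' line found in output")


def policy_findings(active):
    """Return (baseline flags missing, flagged-off policies that are active)."""
    missing = sorted(BASELINE_ON - active)
    unwanted = sorted(BASELINE_OFF & active)
    return missing, unwanted


def remediation_command(active):
    """Build the -setpolicy command, or None if the host already matches.

    In the classic auditconfig syntax -setpolicy installs the complete list
    given, so the command is built from the full desired set, not the delta.
    """
    desired = (active | BASELINE_ON) - BASELINE_OFF
    if desired == active:
        return None
    return "auditconfig -setpolicy " + ",".join(sorted(desired))


if __name__ == "__main__":
    # Constructed sample of what auditconfig -getpolicy prints on one host.
    sample_output = "audit policies = cnt,trail\n"
    active = parse_getpolicy(sample_output)
    missing, unwanted = policy_findings(active)
    for flag in missing:
        print("missing %-5s : %s" % (flag, POLICY_MEANING[flag]))
    for flag in unwanted:
        print("active  %-5s : %s (records may be lost silently)" % (flag, POLICY_MEANING[flag]))
    print(remediation_command(active) or "policy already matches baseline")
```

Run it as a script to see the report for the embedded sample; on a real host, feed the output of auditconfig -getpolicy to parse_getpolicy instead. Whether cnt belongs in the baseline is a site decision: with cnt off, a full audit queue blocks auditable actions, which protects completeness at the cost of availability.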
How to Change Which Events Are in Which Audit Classes
This procedure describes how to modify the default event to class mappings.
Edit the /etc/security/audit_event file to change the class mapping for each event to be changed.

Reboot the system or run auditconfig -conf to change the runtime kernel event-to-class mappings.
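The script below is an added example, not code from the original page or from Sun, showing the first step as a repeatable edit rather than a hand edit: it reads audit_event text in the number:name:description:classes format of audit_event(4), adds or removes classes for the named events, and leaves comments and all other records byte-for-byte unchanged. The excerpt it operates on is constructed for the example, and the event names and class names in it are used only as sample data; the file path and the audit_event(4) record format are the real ones.

```python
"""Added example: remap audit classes for named events in audit_event text.

Works on a string so it can be tested without touching /etc/security.
Records are number:name:description:classes (audit_event(4)); classes are
comma separated, and 'no' means the event is in no class.
"""

# Constructed excerpt in audit_event(4) format (sample data, not a real file).
SAMPLE_AUDIT_EVENT = """\
# constructed excerpt for the example
0:AUE_NULL:indir system call:no
7:AUE_EXEC:exec(2):ps,ex
23:AUE_EXECVE:execve(2):ps,ex
112:AUE_SOCKET:socket(2):nt
"""


def remap_classes(text, changes):
    """Apply class changes to audit_event text.

    changes maps an event name to (classes to add, classes to remove).
    Returns (new_text, names_not_found) so a typo in an event name is
    reported instead of silently doing nothing.
    """
    pending = dict(changes)
    out = []
    for line in text.splitlines():
        # Comments and blank lines are copied through untouched.
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("malformed audit_event record: %r" % line)
        number, name, desc, classes = fields
        if name in pending:
            add, remove = pending.pop(name)
            current = [c for c in classes.split(",") if c]
            new = [c for c in current if c not in remove]
            new += [c for c in add if c not in new]
            # 'no' is the empty mapping; drop it once a real class is present.
            new = [c for c in new if c != "no"] or ["no"]
            classes = ",".join(new)
        out.append(":".join((number, name, desc, classes)))
    return "\n".join(out) + "\n", sorted(pending)


def rewrite_file(path, changes, out_path):
    """Read audit_event from path and write the remapped copy to out_path.

    Writing to a separate path lets the result be reviewed before it is
    installed over /etc/security/audit_event.
    """
    with open(path) as fh:
        new_text, not_found = remap_classes(fh.read(), changes)
    with open(out_path, "w") as fh:
        fh.write(new_text)
    return not_found


if __name__ == "__main__":
    # Put socket(2) into the ex class as well, and move execve(2) out of ps.
    sample_changes = {
        "AUE_SOCKET": (["ex"], []),
        "AUE_EXECVE": ([], ["ps"]),
    }
    new_text, not_found = remap_classes(SAMPLE_AUDIT_EVENT, sample_changes)
    print(new_text, end="")
    if not_found:
        print("events not found:", ", ".join(not_found))
```

After installing the reviewed copy as /etc/security/audit_event, the mapping is still only on disk; the second step of the procedure, auditconfig -conf (or a reboot), is what makes the kernel use it, so a check of auditconfig -getclass for the changed events is the natural confirmation that the change took effect.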