Oracle Solaris 11.1 Administration: Security Services (Oracle Solaris 11.1 Information Library)
Understanding Audit Policy

Audit policy determines the characteristics of the audit records for the local system. You use the auditconfig command to set these policies. For more information, see the auditconfig(1M) man page.

Most audit policy options are disabled by default to minimize storage requirements and system processing demands. These options are properties of the audit service and determine the policies that are in effect at system boot.

Use the following table to determine if the needs of your site justify the additional overhead that results from enabling one or more audit policy options.

Table 27-1 Effects of Audit Policy Options

Each entry gives the policy name, a description of the policy's effect when disabled and when enabled, and the considerations for choosing either setting.

ahlt

Description: This policy applies to asynchronous events only. When disabled, this policy allows the event to complete without an audit record being generated.

When enabled, this policy stops the system when the audit queue is full. Administrative intervention is required to clean up the audit queue, make space available for audit records, and reboot. This policy can only be enabled in the global zone. The policy affects all zones.

Policy considerations: The disabled option makes sense when system availability is more important than security.

The enabled option makes sense in an environment where security is paramount. For a fuller discussion, see Audit Policies for Asynchronous and Synchronous Events.

arge

Description: When disabled, this policy omits the environment variables of an executed program from the execve audit record.

When enabled, this policy adds the environment variables of an executed program to the execve audit record. The resulting audit records contain much more detail than when this policy is disabled.

Policy considerations: The disabled option collects much less information than the enabled option. For a comparison, see How to Audit All Commands by Users.

The enabled option makes sense when you are auditing a few users. The option is also useful when you have suspicions about the environment variables that are being used by programs in the ex audit class.

argv

Description: When disabled, this policy omits the arguments of an executed program from the execve audit record.

When enabled, this policy adds the arguments of an executed program to the execve audit record. The resulting audit records contain much more detail than when this policy is disabled.

Policy considerations: The disabled option collects much less information than the enabled option. For a comparison, see How to Audit All Commands by Users.

The enabled option makes sense when you are auditing a few users. The option is also useful when you have reason to believe that unusual programs in the ex audit class are being run.

cnt

Description: When disabled, this policy blocks a user or application from running. The blocking happens when audit records cannot be added to the audit trail because the audit queue is full.

When enabled, this policy allows the event to complete without an audit record being generated. The policy maintains a count of the audit records that are dropped.

Policy considerations: The disabled option makes sense in an environment where security is paramount.

The enabled option makes sense when system availability is more important than security. For a fuller discussion, see Audit Policies for Asynchronous and Synchronous Events.

group

Description: When disabled, this policy does not add a groups list to audit records.

When enabled, this policy adds a groups list to every audit record as a special token.

Policy considerations: The disabled option usually satisfies requirements for site security.

The enabled option makes sense when you need to audit which supplemental groups the subject belongs to.

path

Description: When disabled, this policy records at most one path that is used during a system call in an audit record.

When enabled, this policy records every path that is used in conjunction with an audit event in the audit record.

Policy considerations: The disabled option places at most one path in an audit record.

The enabled option enters each file name or path that is used during a system call in the audit record as a path token.

perzone

Description: When disabled, this policy maintains a single audit configuration for the system. One audit service runs in the global zone. Audit events in specific zones can be located in the audit trail if the zonename audit token was preselected.

When enabled, this policy maintains a separate audit configuration, audit queue, and audit logs for each zone. An audit service runs in each zone. This policy can be enabled in the global zone only.

Policy considerations: The disabled option is useful when you have no special reason to maintain a separate audit log, queue, and daemon for each zone.

The enabled option is useful when you cannot monitor your system effectively by simply examining audit records with the zonename audit token.

public

Description: When disabled, this policy does not add read-only events of public objects to the audit trail, even when the reading of files is preselected. Audit classes that contain read-only events include fr, fa, and cl.

When enabled, this policy records every read-only audit event of public objects if an appropriate audit class is preselected.

Policy considerations: The disabled option usually satisfies requirements for site security.

The enabled option is rarely useful.

seq

Description: When disabled, this policy does not add a sequence number to audit records.

When enabled, this policy adds a sequence number to every audit record. The sequence token holds the sequence number.

Policy considerations: The disabled option is sufficient when auditing is running smoothly.

The enabled option makes sense when the cnt policy is enabled. The seq policy enables you to determine when data was discarded. Alternatively, you can use the auditstat command to view the count of dropped records.

trail

Description: When disabled, this policy does not add a trailer token to audit records.

When enabled, this policy adds a trailer token to every audit record.

Policy considerations: The disabled option creates a smaller audit record.

The enabled option clearly marks the end of each audit record with a trailer token. The trailer token is often used together with the sequence token. The trailer token aids in the recovery of damaged audit trails.

zonename

Description: When disabled, this policy does not include a zonename token in audit records.

When enabled, this policy includes a zonename token in every audit record.

Policy considerations: The disabled option is useful when you do not need to track audit behavior per zone.

The enabled option is useful when you want to isolate and compare audit behavior across zones by post-selecting records according to zone.
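As an added example (not from the Oracle documentation), the following Python parses the output of auditconfig -getpolicy and compares the active policy set with a site baseline drawn from the table, reporting the policy couplings the table describes (seq with cnt, trail with seq) and the auditconfig commands that would bring the system into line. The two-line output format and the single-sign -setpolicy syntax are assumptions; the sample output is constructed.

```python
"""Check a Solaris audit policy set against a site baseline (added example, not Oracle's code)."""
import re

# Constructed sample of `auditconfig -getpolicy` output; the two-line format
# (configured = in effect at boot, active = in effect now) is assumed.
SAMPLE_GETPOLICY = """\
configured audit policies = argv,cnt,zonename
active audit policies = argv,cnt
"""

# Baseline for a site where security outweighs availability, from the table: cnt off
# and ahlt on (never lose records), argv/arge (command detail), seq/trail (loss detection, recovery).
BASELINE_ENABLED = {"ahlt", "argv", "arge", "seq", "trail"}
BASELINE_DISABLED = {"cnt", "public"}

def parse_getpolicy(text):
    """Return {'configured': set, 'active': set}; 'none' parses to an empty set."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^(configured|active) audit policies = (.*)$", line.strip())
        if m:
            flags = m.group(2).strip()
            result[m.group(1)] = set() if flags in ("", "none") else set(flags.split(","))
    return result

def check_policy(active, enabled=BASELINE_ENABLED, disabled=BASELINE_DISABLED):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = [f"{p}: required but not active" for p in sorted(enabled - active)]
    findings += [f"{p}: active but must be disabled" for p in sorted(disabled & active)]
    # Couplings the table calls out: seq shows where cnt dropped records, and
    # trail is the usual partner of seq when a damaged trail must be recovered.
    if "cnt" in active and "seq" not in active:
        findings.append("cnt without seq: dropped records cannot be located in the trail")
    if "seq" in active and "trail" not in active:
        findings.append("seq without trail: record boundaries are not marked for recovery")
    return findings

def remediation(active, enabled=BASELINE_ENABLED, disabled=BASELINE_DISABLED):
    """auditconfig commands that move `active` to the baseline: one '+' list and one
    '-' list, since -setpolicy takes one sign prefix (assumed from auditconfig(1M))."""
    cmds = []
    if enabled - active:
        cmds.append("auditconfig -setpolicy +" + ",".join(sorted(enabled - active)))
    if disabled & active:
        cmds.append("auditconfig -setpolicy -" + ",".join(sorted(disabled & active)))
    return cmds

if __name__ == "__main__":
    state = parse_getpolicy(SAMPLE_GETPOLICY)
    print(*check_policy(state["active"]), *remediation(state["active"]), sep="\n")
```

Run it against real output by piping auditconfig -getpolicy into parse_getpolicy; a difference between the configured and active sets means the running policy will change at the next boot.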