|
|
|
|
|
This policy applies to asynchronous events only. When disabled, this policy
allows the event to complete without an audit record being generated.
When enabled, this policy stops the system when the audit queue is full.
Administrative intervention is required to clean up the audit queue, make space
available for audit records, and reboot. This policy can be enabled only in the
global zone. The policy affects all zones.
|
The disabled option is preferable when system availability is more important
than security.
|
|
|
When disabled, this policy omits environment variables of an executed program
from the execve audit record.
When enabled, this policy adds the environment variables of an executed
program to the execve audit record. The resulting audit records
contain much more detail than when this policy is disabled. |
The enabled option is preferable when you are auditing a few users. The option
is also useful when you are unsure about the environment variables that are being
used in programs in the ex audit class.
|
|
|
When disabled, this policy omits the arguments of an executed program from the
execve audit record.
When enabled, this policy adds the arguments of an executed program to the
execve audit record. The resulting audit records contain much
more detail than when this policy is disabled.
|
The enabled option is preferable when you are auditing a few users. The option
is also useful when you have reason to believe that unusual programs in the
ex audit class are being run.
|
|
|
When disabled, this policy blocks a user or application from running. The
blocking happens when audit records cannot be added to the audit trail because the
audit queue is full.
When enabled, this policy allows the event to complete without an audit record
being generated. The policy maintains a count of audit records that are
dropped.
|
The disabled option is preferable in an environment where security is
paramount.
|
|
|
When disabled, this policy does not add a groups list to audit records.
When enabled, this policy adds a groups list to every audit record as a
special token. |
The disabled option usually satisfies requirements for site security.
The enabled option is preferable when you need to audit the supplemental groups
to which the subject belongs.
|
|
|
When disabled, this policy has no effect.
When enabled, this policy audits labeled files for read operations and
prevents audit records from being written for read operations on unlabeled or
ADMIN_LOW files. |
The disabled option usually satisfies requirements for site security.
|
|
|
When disabled, this policy records in an audit record at most one path that is
used during a system call.
When enabled, this policy records every path that is used in conjunction with an
audit event to every audit record.
|
The disabled option places at most one path in an audit record.
The enabled option enters each file name or path that is used during a system
call in the audit record as a path token.
|
|
|
When disabled, this policy maintains a single audit configuration for a system.
One audit service runs in the global zone. Audit events in specific zones can be
located in the audit record if the zonename audit token was
preselected.
When enabled, this policy maintains a separate audit configuration, audit queue,
and audit logs for each zone. An audit service runs in each zone. This policy can be
enabled in the global zone only.
|
The disabled option is useful when you have no special reason to maintain a
separate audit log, queue, and daemon for each zone.
The enabled option is useful when you cannot monitor your system effectively by
simply examining audit records with the zonename audit
token.
|
|
|
When disabled, this policy does not add read-only events of public objects to
the audit trail when the reading of files is preselected. Audit classes that contain
read-only events include fr, fa, and
cl.
When enabled, this policy records every read-only audit event of public
objects if an appropriate audit class is preselected.
|
The disabled option usually satisfies requirements for site security.
The enabled option is rarely useful.
|
|
|
When disabled, this policy does not add a sequence number to every audit
record.
When enabled, this policy adds a sequence number to every audit record.
The sequence token holds the sequence number. |
The disabled option is sufficient when auditing is running smoothly.
The enabled option is preferable when the cnt policy is
enabled. The seq policy enables you to determine when data was
discarded. Alternatively, you can use the auditstat command to
view dropped records.
|
|
|
When disabled, this policy does not add a trailer token to
audit records.
When enabled, this policy adds a trailer token to
every audit record. |
The disabled option creates a smaller audit record.
The enabled option clearly marks the end of each audit record with a
trailer token. The trailer token is often used
with the sequence token. The trailer token
aids in the recovery of damaged audit trails.
|
|
|
When disabled, this policy does not include a zonename token
in audit records.
When enabled, this policy includes a zonename token in every
audit record.
|
The disabled option is useful when you do not need to track audit behavior per
zone.
The enabled option is useful when you want to isolate and compare audit behavior
across zones by post-selecting records according to zone.
|