System Administration Guide: Security Services

Procedure: How to Configure Audit Policy

Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the policies that you set by using the auditconfig -setpolicy command determine the audit policy.

You can inspect and change the current audit policy options with the auditconfig command. This command can set a temporary, or active, policy: the policy that the kernel is currently using. It can also set a persistent, or configured, policy: the policy that is restored when you restart the audit service.

  1. Assume a role that includes the Audit Control profile, or become superuser.

    To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).

  2. Review the audit policy.

    To view the settings, use the auditconfig -getpolicy command:


    $ auditconfig -getpolicy
  3. View the available policy options.


    $ auditconfig -lspolicy

    Note –

    The perzone and ahlt policy options can be set only in the global zone.


  4. Enable or disable selected audit policy options.


    # auditconfig [ -t ] -setpolicy prefixpolicy
    -t

    Optional. Creates a temporary, or active, policy. The policy setting is not restored when you restart the audit service.

    prefix

    A prefix value of + enables the policy option. A prefix value of - disables the policy option.

    policy

    Selects the policy to be enabled or to be disabled.

    A temporary (-t) policy is in effect until the audit service is restarted, or until the policy is modified by another auditconfig -setpolicy command. Without the -t option, the policy setting persists across restarts of the audit service.

    For a description of each policy option, see Determining Audit Policy.


Example 30–13 Setting the cnt and ahlt Audit Policy Options

In this example, the cnt policy is disabled, and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full and an asynchronous event occurs. When a synchronous event occurs, the process that created the thread hangs. These settings are appropriate when security is more important than availability.

The following auditconfig policy commands disable the cnt policy option and enable the ahlt policy option:


# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt

These settings persist until you change them.



Example 30–14 Setting an Audit Policy Temporarily

In this example, the audit service is running and the ahlt audit policy is configured. The administrator adds the seq audit policy to the active policy, but does not configure the audit service to use the seq audit policy permanently. The seq policy is useful for debugging the audit service when audit records are corrupted, or when records are being dropped.

The + prefix adds the seq option to the audit policy, rather than replacing the current audit policy with seq. The -t option makes the policy active in the kernel without changing the configured policy.


$ auditconfig -setpolicy none
$ auditconfig -getpolicy
  configured audit policies = none
  active audit policies = none
$ auditconfig -setpolicy ahlt
$ auditconfig -getpolicy
  configured audit policies = ahlt
  active audit policies = ahlt
$ auditconfig -t -setpolicy +seq
  configured audit policies = ahlt,seq
  active audit policies = ahlt,seq

The administrator unsets the seq policy when the debugging is completed:


$ auditconfig -setpolicy -seq
$ auditconfig -getpolicy
  configured audit policies = ahlt
  active audit policies = ahlt
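
A temporary (-t) policy leaves the active and configured policies different, and the difference disappears at the next restart of the audit service. The following POSIX sh functions, added here as an example and not part of the guide, parse the two lines printed by auditconfig -getpolicy, report options that are active but not configured (that is, set with -t), and check that the configured policy matches the cnt-disabled, ahlt-enabled setting of Example 30–13. The sample output is constructed, not captured from a host.

```shell
#!/bin/sh
# Constructed sample of 'auditconfig -getpolicy' output (not from a real host).
SAMPLE_OUTPUT='  configured audit policies = ahlt,perzone
  active audit policies = ahlt,perzone,seq'

# policy_list OUTPUT KIND -> prints the comma-separated option list for
# KIND, which is "configured" or "active".
policy_list() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 audit policies = //p"
}

# has_policy LIST NAME -> exit 0 if NAME is one of the options in LIST.
# Surrounding commas make "ahlt" match only as a whole option name.
has_policy() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# temporary_options OUTPUT -> prints the options that are active but not
# configured, i.e. set with 'auditconfig -t' and lost on the next restart
# of the audit service.
temporary_options() {
    active=$(policy_list "$1" active)
    configured=$(policy_list "$1" configured)
    result=""
    old_ifs=$IFS
    IFS=,
    for opt in $active; do
        has_policy "$configured" "$opt" || result="${result:+$result,}$opt"
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# check_policy OUTPUT -> exit 0 when the configured (persistent) policy has
# cnt disabled and ahlt enabled, as in Example 30-13; otherwise exit 1.
check_policy() {
    configured=$(policy_list "$1" configured)
    if has_policy "$configured" cnt; then
        return 1
    fi
    has_policy "$configured" ahlt
}
```

On a live host, replace SAMPLE_OUTPUT with `"$(auditconfig -getpolicy)"`; a non-empty result from temporary_options means the running policy will not survive a restart of the audit service.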


Example 30–15 Setting the perzone Audit Policy

In this example, the perzone audit policy is set in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone. The perzone policy setting is stored as a property of the audit service, so it is in effect during the session and when the audit service is restarted.


$ auditconfig -setpolicy none
$ auditconfig -getpolicy
  configured audit policies = none
  active audit policies = none
$ auditconfig -setpolicy +perzone
$ auditconfig -getpolicy
  configured audit policies = perzone
  active audit policies = perzone