Trusted Solaris Audit Administration

Setting Audit Policies

You can use auditconfig with the -setpolicy option to change the default Trusted Solaris audit policies. Setting an audit policy adds optional audit tokens to the audit record. The auditconfig command with the -lspolicy argument lists the audit policies that are optional. See "To Determine Current Audit Policy" for the audit policies and their short descriptions. The following gives longer descriptions of the less easily understood policy flags.


Caution -

To run auditing in an evaluated configuration, the cnt policy and the passwd policy must both be turned off; neither may be on.


ahlt

Halt the machine if an asynchronous audit event occurs that cannot be delivered to the audit queue. The default is not to halt the workstation.

cnt

Do not suspend auditable actions when the audit queue is full; instead, keep a count of how many audit records are dropped. The default is to suspend.


Note -

To return to the default, remove the cnt policy. See "To Set Audit Policy Temporarily" for examples of replacing, adding, and removing audit policies.


path

Add secondary path tokens to the audit record. These secondary paths are typically the path names of dynamically linked shared libraries or of command interpreters for shell scripts. By default they are not included.

seq

Include a sequence number in every audit record. The default is not to include one. (The sequence number can be used when analyzing a crash dump to find out whether any audit records were lost.)
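The caution above says that cnt and passwd must be off in an evaluated configuration, and the policy names above are what auditconfig reports. The following is an added example, not part of the Trusted Solaris documentation, of a small POSIX shell check that reads a captured policy line and reports any policy that must not be present. It assumes the output format of auditconfig -getpolicy is "audit policies = name,name,..." (or "audit policies = none"); the sample lines are constructed, not captured from a real system, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not Sun/Trusted Solaris code): flag audit policies that
# the documentation says must be off in an evaluated configuration.
# Assumption: `auditconfig -getpolicy` prints "audit policies = a,b,c"
# or "audit policies = none".

FORBIDDEN_POLICIES="cnt passwd"

# forbidden_in_policy_line LINE
# Prints, space-separated, the forbidden policies found in LINE.
# Returns 0 when none are present, 1 when at least one is present.
forbidden_in_policy_line() {
    line=$1
    # Keep only the comma-separated list after "="; "none" matches nothing.
    list=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')
    found=""
    for p in $FORBIDDEN_POLICIES; do
        # Surround with commas so "cnt" does not match inside another name.
        case ",$list," in
            *",$p,"*) found="$found $p" ;;
        esac
    done
    found=${found# }
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# Constructed sample lines standing in for real auditconfig output.
SAMPLE_BAD="audit policies = cnt,seq,path"
SAMPLE_OK="audit policies = seq,path,ahlt"
SAMPLE_NONE="audit policies = none"

# Stand-alone run: report on the constructed samples.
for sample in "$SAMPLE_BAD" "$SAMPLE_OK" "$SAMPLE_NONE"; do
    if hits=$(forbidden_in_policy_line "$sample"); then
        echo "OK : $sample"
    else
        echo "BAD: $sample (remove: $hits)"
    fi
done

# On a Trusted Solaris host the live line would be checked instead, e.g.
#   forbidden_in_policy_line "$(auditconfig -getpolicy)"
# and an offending policy removed with the -setpolicy syntax described in
# "To Set Audit Policy Temporarily" (not reproduced here).
```

The check is deliberately exact-match on the comma-separated list, so a policy name that merely contains "cnt" as a substring would not be misreported; because it reads a line of text rather than calling auditconfig, it can be run against saved output from several machines during a configuration review.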