When an audit trail created from merging records from several workstations appears to have the records listed out of order, you can debug the audit trail discrepancies using the sequence token. Since the sequence token is not recorded by default, the security administrator adds it to the audit policy. The audit policy must be set identically on all workstations contributing to the audit trail.
When the audit trail has been debugged, the security administrator removes the token.
To add the seq audit policy dynamically, as role secadmin at label admin_low, on the command line:
$ auditconfig -setpolicy +seq
$ auditconfig -getpolicy
slabel, seq
To add the seq audit policy permanently, as role secadmin at label admin_low, in the audit_startup file:
#!/bin/sh
auditconfig -setpolicy +slabel,seq
To remove the seq audit policy dynamically, as role secadmin at label admin_low, on the command line:
$ auditconfig -setpolicy -seq
$ auditconfig -getpolicy
slabel
To remove the seq audit policy from the audit_startup file, as role secadmin at label admin_low:
#!/bin/sh
auditconfig -setpolicy +slabel
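Because the audit policy must be set identically on all workstations contributing to the audit trail, it helps to compare the auditconfig -getpolicy output of each one before merging. The following script is an added example, not part of the original documentation; the "host: policy" input format, the workstation names ws1 to ws3, and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare audit policy across workstations.
# Input lines are "host: <output of auditconfig -getpolicy>"; how the
# lines are collected from each workstation is left to the site.

# Normalize a policy list such as "slabel, seq": drop blanks, sort the
# flags, and join them with commas so ordering and spacing do not matter.
normalize_policy() {
    printf '%s\n' "$1" | tr -d ' \t' | tr ',' '\n' | sed '/^$/d' |
        sort -u | paste -s -d, -
}

# Read "host: policy" lines on stdin and report each host whose policy
# differs from the expected list in $1. Returns 1 if any host differs.
check_policies() {
    expected=$(normalize_policy "$1")
    status=0
    while IFS=: read -r host policy; do
        [ -n "$host" ] || continue
        actual=$(normalize_policy "$policy")
        if [ "$actual" != "$expected" ]; then
            printf '%s: have "%s", want "%s"\n' "$host" "$actual" "$expected"
            status=1
        fi
    done
    return $status
}

# Constructed sample: ws3 never had the seq policy added.
SAMPLE='ws1: slabel, seq
ws2: seq,slabel
ws3: slabel'

printf '%s\n' "$SAMPLE" | check_policies 'slabel, seq' ||
    echo "audit policy differs; fix before merging the audit trail"
```

The same check with 'slabel' as the expected list confirms that the seq policy has been removed everywhere once debugging is finished.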