Trusted Solaris Audit Administration

To Set Audit Policy Temporarily

The auditconfig command enables you to change audit policy, such as whether to include acl information in the audit record. Since the policy variable is a dynamic kernel variable, the policy that you set is in effect until the workstation next boots. See the auditconfig(1M) man page for a list of policy parameters.

    To set policies in one invocation of the command, or to override all current policies, as role secadmin at label admin_low, separate the policies with commas (no spaces):

    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
        audit policies = trail,seq
    $ auditconfig -setpolicy argv,acl
    $ auditconfig -getpolicy
        audit policies = argv,acl


    To add policies to the current policies, as role secadmin at label admin_low, preface each added policy with a plus (+):

    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
        audit policies = trail,seq
    $ auditconfig -setpolicy +argv
    $ auditconfig -setpolicy +acl
    $ auditconfig -getpolicy
        audit policies = seq,trail,argv,acl


    To remove policies from the current policies, as role secadmin at label admin_low, preface each policy to be removed with a minus (-):

    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
        audit policies = trail,seq
    $ auditconfig -setpolicy -seq
    $ auditconfig -getpolicy
        audit policies = trail


In the examples above, the trail and seq tokens are added to debug audit trail discrepancies. To set policies permanently, enter the auditconfig command in the audit_startup(1M) script. See "To Set Audit Policy Permanently" for how to edit the script.


Caution -

To run auditing in an evaluated configuration, the cnt policy cannot be turned on; the ahlt policy (the default) cannot be turned off.
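The following added example is not part of the Trusted Solaris manual. It models the three -setpolicy argument forms described above (replace, +add, -remove) on a constructed policy list, and checks a -getpolicy output line against the caution about evaluated configurations (cnt off, ahlt on); the function names are this example's own and nothing here changes kernel state.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual. Models the documented
# auditconfig -setpolicy argument forms on a constructed policy list and
# checks a -getpolicy output line against the evaluated-configuration
# caution (cnt must be off, ahlt must be on). Nothing here touches the kernel.

# has_policy LIST NAME: succeed if NAME is in the comma-separated LIST.
has_policy() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# apply_setpolicy CURRENT ARG: print the list that results from
# "auditconfig -setpolicy ARG" when CURRENT is in effect.
#   "a,b"  replaces the whole set     "+a" adds a     "-a" removes a
# The real kernel prints the set in its own order; this model appends.
apply_setpolicy() {
    cur=$1 arg=$2 out=""
    case $arg in
        +*) name=${arg#+}
            if has_policy "$cur" "$name" || [ -z "$cur" ]; then
                printf '%s\n' "${cur:-$name}"
            else
                printf '%s,%s\n' "$cur" "$name"
            fi ;;
        -*) name=${arg#-}
            old_ifs=$IFS; IFS=,
            for p in $cur; do
                [ "$p" = "$name" ] || out=${out:+$out,}$p
            done
            IFS=$old_ifs
            printf '%s\n' "$out" ;;
        *)  printf '%s\n' "$arg" ;;
    esac
}

# check_evaluated_config "audit policies = a,b": succeed only if the
# policies are allowed in an evaluated configuration.
check_evaluated_config() {
    list=${1#*= }
    if has_policy "$list" cnt; then
        echo "not evaluated-safe: cnt is on" >&2; return 1
    elif ! has_policy "$list" ahlt; then
        echo "not evaluated-safe: ahlt is off" >&2; return 1
    fi
    return 0
}
```

On a Trusted Solaris host, check_evaluated_config "$(auditconfig -getpolicy)" can be run by secadmin after each policy change to confirm the caution still holds.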