The auditconfig command enables you to change audit policy, such as whether to include acl information in the audit record. Since the policy variable is a dynamic kernel variable, the policy that you set is in effect until the workstation next boots. See the auditconfig(1M) man page for a list of policy parameters.
To set policies in one invocation of the command, or to override all current policies, as role secadmin at label admin_low, separate the policies with commas (no spaces):

    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
    audit policies = trail,seq
    $ auditconfig -setpolicy argv,acl
    $ auditconfig -getpolicy
    audit policies = argv,acl

To add policies to the current policies, as role secadmin at label admin_low, preface each added policy with a plus (+):

    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
    audit policies = trail,seq
    $ auditconfig -setpolicy +argv
    $ auditconfig -setpolicy +acl
    $ auditconfig -getpolicy
    audit policies = seq,trail,argv,acl

To remove policies from the current policies, as role secadmin at label admin_low, preface each policy to be removed with a minus (-):

    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
    audit policies = trail,seq
    $ auditconfig -setpolicy -seq
    $ auditconfig -getpolicy
    audit policies = trail

In the examples above, the trail and seq tokens are added to debug audit trail discrepancies. To set policies permanently, enter the auditconfig command in the audit_startup(1M) script. See "To Set Audit Policy Permanently" for how to edit the script.
To run auditing in an evaluated configuration, the cnt policy cannot be turned on; the ahlt policy (the default) cannot be turned off.
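
The following added example is not part of the original documentation. It models the override, plus, and minus forms of -setpolicy described above and checks a proposed change against the evaluated-configuration rule (ahlt on, cnt off) before it is applied. The function names policy_after and evaluated_ok are hypothetical, the starting policy is constructed, and nothing here calls auditconfig itself.

```shell
#!/bin/sh
# Model of the -setpolicy argument forms described above (not auditconfig itself).
# policy_after CURRENT ARG  -> prints the resulting comma-separated policy list.
policy_after() {
    current=$1; arg=$2
    case $arg in
        [+-]*) result=$current ;;   # +/- forms modify the current policies
        *)     result="" ;;         # a bare list overrides all current policies
    esac
    old_ifs=$IFS; IFS=,
    for tok in $arg; do
        name=${tok#[+-]}
        kept=""
        for p in $result; do        # drop any existing copy of this policy
            [ "$p" = "$name" ] || kept="${kept:+$kept,}$p"
        done
        result=$kept
        case $tok in
            -*) ;;                                   # minus: leave it removed
            *)  result="${result:+$result,}$name" ;; # plus or bare: turn it on
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# evaluated_ok LIST: LIST is a policy list or a full "audit policies = ..." line
# as printed by auditconfig -getpolicy. Returns 0 only if ahlt is on and cnt is off.
evaluated_ok() {
    list=${1#"audit policies = "}
    case ",$list," in *,cnt,*) return 1 ;; esac
    case ",$list," in *,ahlt,*) return 0 ;; esac
    return 1
}

# Constructed sample: start from ahlt (the default) and test three candidate changes.
current="ahlt"
for change in "+argv" "trail,seq" "+cnt"; do
    next=$(policy_after "$current" "$change")
    if evaluated_ok "$next"; then verdict="ok"; else verdict="violates evaluated configuration"; fi
    printf '%-10s -> %-12s %s\n' "$change" "$next" "$verdict"
done
```

Because a bare list overrides all current policies, the "trail,seq" form turns ahlt off; in an evaluated configuration, use the plus form or include ahlt in the list.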