Trusted Solaris Audit Administration

To Set Public Object Bit on Publicly Accessible Files

Setting the public object bit can reduce the size of the audit trail when the audit policy records successful accesses of files or directories. Once a file's or directory's public object bit is set, successful reads of it, listings of it, and listings of its attributes are no longer written to the audit trail.

    As role secadmin, at label admin_low, set the public object bit on a local directory of publicly accessible files using the setfattrflag(1) command with the -p 1 option.

    The following command sets the public object bit on the /etc directory. A search of the /etc directory, or a read of a file in it, then produces no audit record.

    $ setfattrflag -p 1 /etc
    $ getfattrflag /etc
     Multilevel directory: no
     Single level directory: no
              Public object: yes
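Because an unset public object bit silently re-enables audit records for every read of a supposedly public directory, it is worth verifying the bit from a script. The following check, an added example that is not part of the Trusted Solaris documentation, parses the getfattrflag(1) report format shown above and flags directories whose bit is not set; it assumes POSIX sh and awk, and takes the command name from $GETFATTRFLAG so the parser can be exercised against captured output on a system without Trusted Solaris.

```shell
#!/bin/sh
# Added example, not part of the Trusted Solaris documentation: verify that
# directories a site intends to be public actually carry the public object bit,
# by parsing the getfattrflag(1) report format shown above.
# Assumptions: POSIX sh and awk; the command name comes from $GETFATTRFLAG so
# the check can be exercised against captured output where getfattrflag is absent.

GETFATTRFLAG="${GETFATTRFLAG:-getfattrflag}"

# Constructed sample report, in the format printed by getfattrflag.
SAMPLE_REPORT=' Multilevel directory: no
 Single level directory: no
          Public object: yes'

# public_object_state REPORT
# Prints the value of the "Public object:" line (yes or no). Prints "unknown"
# when the line is missing, so an empty or malformed report is never read as yes.
public_object_state() {
    printf '%s\n' "$1" | awk -F': *' '
        /Public object:/ { sub(/[ \t]+$/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# check_public_dirs DIR...
# Lists every directory whose public object bit is not set. Returns 0 when all
# of them are public, 1 when any is not or could not be queried.
check_public_dirs() {
    rc=0
    for dir in "$@"; do
        report=$("$GETFATTRFLAG" "$dir" 2>/dev/null) || report=""
        state=$(public_object_state "$report")
        if [ "$state" != "yes" ]; then
            printf '%s: public object bit not set (%s)\n' "$dir" "$state"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone demonstration against the constructed sample report.
public_object_state "$SAMPLE_REPORT"
```

On a Trusted Solaris host, `check_public_dirs /etc /usr/lib` runs the real getfattrflag and exits non-zero when any listed directory would still generate read audit records.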

    As secadmin, at label admin_low, set the public object bit on a mounted file system of publicly accessible files using the attr_flag security attribute.

    For example, the following entry in the vfstab_adjunct(4) file for the mounted file system /spublic sets the public object flag on every file in that file system.

    #       Modified template.
    #
    /spublic; \
    acc_acl=; \
    mode=; \
    attr_flag=public; \
    gid=; \
    uid=; \
    slabel=; \
    forced=; \
    allowed=; \
    low_range=; \
    hi_range=; \
    mld_prefix=mldroot;
    #

    See the man page for mount(1M) and "Managing Files and File Systems" in the Trusted Solaris Administrator's Procedures for more details.