Dynamic controls apply to one system at a time, since the audit command only applies to the current system where you are logged in. Use dynamic controls to test auditing on a system (estimate volume of records, for example), or to add an auditing flag without having to reboot the computer. However, if you make dynamic changes on one system for other than testing purposes, you should make the changes on all systems.
The following procedures work only when auditing is enabled.
The auditconfig(1M) command enables an appropriately configured role to determine audit policy and to see what policies can be set. If your role is not configured to determine the policy, or if auditing is turned off, the command auditconfig -getpolicy returns an error. The following example was run by the role secadmin, at label admin_low:
$ auditconfig -getpolicy
audit policies = none
$ auditconfig -lspolicy
policy string    description:
arge             include exec environment args in audit recs
argv             include exec args in audit recs
cnt              when no more space, drop recs and keep a count
group            include supplementary groups in audit recs
seq              include a sequence number in audit recs
trail            include trailer tokens in audit recs
path             allow multiple paths per event
acl              include ACL information in audit recs
ahlt             halt machine if we can't record an async event
slabel           include sensitivity labels in audit recs
passwd           include cleartext passwords in audit recs
windata_down     include downgraded information in audit recs
windata_up       include upgraded information in audit recs
all              all policies
none             no policies
To label files admin_high, to move files to an admin_high directory, to reset the audit daemon, and to make other changes in auditing requires an admin_high process. An admin_high process starts from an admin_high workspace.
Click the right button on the Front Panel and choose Assume secadmin Role from the menu.
A secadmin role workspace becomes the current workspace.
In the current workspace, click the right button on the workspace name (secadmin) button and choose Change Workspace SL from the menu.
In the label builder, click the ADMIN_HIGH button, then click OK.
The color of the workspace button turns to black, indicating an admin_high workspace. An admin_high workspace is available only to an administrative role.
The auditconfig command enables you to change audit policy, such as whether to include acl information in the audit record. Since the audit policy variable is a dynamic kernel variable, the policy that you set is in effect until the computer next boots. See the auditconfig(1M) man page for a list of audit policy parameters.
The security administrator sets or changes audit policy. Policy changes are set at the label admin_low.
To set policies in one invocation of the command, or to override all current policies, separate the policies with commas (no spaces):
$ auditconfig -setpolicy trail,seq
$ auditconfig -getpolicy
audit policies = trail,seq
$ auditconfig -setpolicy argv,acl
$ auditconfig -getpolicy
audit policies = argv,acl
To add policies to the current policies, preface each added policy with a plus (+):
$ auditconfig -setpolicy trail,seq
$ auditconfig -getpolicy
audit policies = trail,seq
$ auditconfig -setpolicy +argv
$ auditconfig -setpolicy +acl
$ auditconfig -getpolicy
audit policies = seq,trail,argv,acl
To remove policies from the current policies, preface each policy to be removed with a minus (-):
$ auditconfig -setpolicy trail,seq
$ auditconfig -getpolicy
audit policies = trail,seq
$ auditconfig -setpolicy -seq
$ auditconfig -getpolicy
audit policies = trail
In the examples above, the trail and seq tokens are added to debug audit trail discrepancies. To set policies permanently, enter the auditconfig command in the audit_startup(1M) script. See To Set Audit Policy Permanently for how to edit the script.
To run auditing in an evaluated configuration, the cnt policy cannot be turned on; the ahlt policy (the default) cannot be turned off.
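As an added example (not part of this guide or of the auditconfig tool), the POSIX shell function below parses one line of auditconfig -getpolicy output and checks it against the evaluated-configuration rule above: cnt must be off and ahlt must be on, and every name must be one of the policies listed by auditconfig -lspolicy. The sample lines at the bottom are constructed, not captured from a system.

```shell
# Policy names as listed by "auditconfig -lspolicy" on this page.
KNOWN_POLICIES="arge argv cnt group seq trail path acl ahlt slabel passwd windata_down windata_up all none"

# check_policy_line LINE
# LINE is one "auditconfig -getpolicy" output line, e.g. "audit policies = trail,seq".
# Returns 0 when the set is acceptable for an evaluated configuration
# (cnt off, ahlt on, no unknown names); otherwise prints each finding and returns 1.
check_policy_line() {
    line=$1
    rest=${line#audit policies = }
    if [ "$rest" = "$line" ]; then
        echo "unrecognized output: $line"
        return 1
    fi
    cnt_on=0
    ahlt_on=0
    status=0
    # The policy set is comma-separated with no spaces; turn commas into word separators.
    for p in $(printf '%s' "$rest" | tr ',' ' '); do
        case " $KNOWN_POLICIES " in
            *" $p "*) ;;
            *) echo "unknown policy name: $p"; status=1 ;;
        esac
        case $p in
            cnt)  cnt_on=1 ;;
            ahlt) ahlt_on=1 ;;
            all)  cnt_on=1; ahlt_on=1 ;;   # "all" enables every policy, cnt included
        esac
    done
    if [ "$cnt_on" -eq 1 ]; then
        echo "cnt is on: records would be dropped when audit space runs out"
        status=1
    fi
    if [ "$ahlt_on" -eq 0 ]; then
        echo "ahlt is off: an unrecordable async event would not halt the machine"
        status=1
    fi
    return $status
}

# Constructed sample lines (not output from a real system).
check_policy_line "audit policies = ahlt,trail,seq" || echo "rejected"
check_policy_line "audit policies = cnt,argv" || echo "rejected"
```

On a live system the same function can be fed the real output with `check_policy_line "$(auditconfig -getpolicy)"`.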
The auditconfig(1M) command enables you to change audit flags dynamically, such as adding extra flags to a user, a session, or a process while the user, session, or process is active. Since the flags are added dynamically, they are in effect until the user logs out, the session ends, or the process ends.
The security administrator sets or changes audit policy. Policy changes are set at the label admin_low.
To set a particular user to be additionally audited for successful file reads:
$ auditconfig -setumask audit_user_id +fr
To set a particular session to be additionally audited for failed file attribute access:
$ auditconfig -setsmask audit_session_id -fa
To set a particular process to be additionally audited for successful and unsuccessful file attribute modifications:
$ ps -ef | grep application-to-be-monitored
$ auditconfig -setpmask process_id fm
Only one audit daemon may run at a time. An attempt to start a second one will result in an error message, and the new one will exit. If there is a problem with the audit daemon, terminate the audit daemon gracefully, then restart it manually.
To stop the audit daemon in the event of trouble, as role secadmin, at label admin_high:
$ audit -t
This is not recommended. Audit records may be lost.
The audit daemon starts when the computer is brought up to multiuser mode, and restarts when the audit daemon is instructed by the audit -s command to reread an audit configuration file.
To restart the audit daemon in the event of trouble or after a change to an audit configuration file, as role secadmin, at label admin_high:
$ audit -s
The pointer may be reset to the beginning of the list of audit directories when the administrator enters the audit -s command.