Trusted Solaris Audit Administration

To Set Audit Policy Temporarily

The auditconfig command enables you to change audit policy, such as whether to include acl information in the audit record. Since the audit policy variable is a dynamic kernel variable, the policy that you set is in effect until the computer next boots. See the auditconfig(1M) man page for a list of audit policy parameters.

The security administrator sets or changes audit policy. Policy changes are set at the label admin_low.

    To set policies in one invocation of the command, or to override all current policies, separate the policies with commas (no spaces):


    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
    	audit policies = trail,seq
    $ auditconfig -setpolicy argv,acl
    $ auditconfig -getpolicy
    	audit policies = argv,acl

    To add policies to the current policies, preface each added policy with a plus (+):


    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
    	audit policies = trail,seq
    $ auditconfig -setpolicy +argv
    $ auditconfig -setpolicy +acl
    $ auditconfig -getpolicy
    	audit policies = seq,trail,argv,acl

    To remove policies from the current policies, preface each policy to be removed with a minus (-):


    $ auditconfig -setpolicy trail,seq
    $ auditconfig -getpolicy
    	audit policies = trail,seq
    $ auditconfig -setpolicy -seq
    $ auditconfig -getpolicy
    	audit policies = trail

In the examples above, the trail and seq policies are turned on to help debug audit trail discrepancies: seq adds a sequence token and trail adds a trailer token to every audit record, so gaps and truncated records in the trail can be spotted. A policy set with auditconfig lasts only until the next boot. To set policies permanently, enter the auditconfig command in the audit_startup(1M) script. See To Set Audit Policy Permanently for how to edit the script.


Caution –

To run auditing in an evaluated configuration, the cnt policy must not be turned on, and the ahlt policy (the default) must not be turned off. With cnt on, the system keeps running and counts the dropped records when an audit record cannot be written; with ahlt on, the system halts when an event that cannot be attributed to a user cannot be audited. Check the current setting with auditconfig -getpolicy before relying on the configuration.
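The following script is an added example and is not part of the original Trusted Solaris documentation. It parses the "audit policies = ..." line in the format that auditconfig -getpolicy prints above and checks it against the evaluated-configuration constraints from the caution (cnt must be off, ahlt must be on). The sample outputs embedded in the script are constructed, not captured from a system; the live check at the end runs only if auditconfig is on the PATH, and on Trusted Solaris it must be run from the security administrator role for -getpolicy to succeed.

```sh
#!/bin/sh
# Added example (not from the Trusted Solaris docs): verify audit policy
# against the evaluated-configuration rules: cnt must be off, ahlt must be on.

# parse_policies OUTPUT: print the comma-separated list from a
# "audit policies = a,b,c" line (leading whitespace, as in the real output,
# is tolerated). Prints nothing if the line is missing.
parse_policies() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*audit policies = //p' | head -n 1
}

# has_policy LIST NAME: succeed (exit 0) if NAME appears in the comma list.
# Wrapping both sides in commas avoids partial matches (e.g. "arge" in "argv").
has_policy() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_evaluated_config OUTPUT: print each violation and return 1 if any,
# otherwise print "ok" and return 0.
check_evaluated_config() {
    list=$(parse_policies "$1")
    rc=0
    if [ -z "$list" ]; then
        echo "violation: no 'audit policies =' line found in input"
        rc=1
    fi
    if has_policy "$list" cnt; then
        echo "violation: cnt is on (audit failures would be counted, not halt the system)"
        rc=1
    fi
    if ! has_policy "$list" ahlt; then
        echo "violation: ahlt is off (system would not halt on an unattributable audit failure)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: evaluated-configuration constraints satisfied ($list)"
    return "$rc"
}

# Constructed sample outputs in the format auditconfig -getpolicy prints.
SAMPLE_GOOD="	audit policies = ahlt,trail,seq"
SAMPLE_BAD="	audit policies = cnt,trail,seq"

# Stand-alone demo over the constructed samples (each call is wrapped in an
# if so a failing check does not abort the script under set -e).
if check_evaluated_config "$SAMPLE_GOOD"; then :; fi
if check_evaluated_config "$SAMPLE_BAD"; then :; fi

# Live check, only where the tool exists (requires the security administrator
# role on Trusted Solaris; skipped on any other system).
if command -v auditconfig >/dev/null 2>&1; then
    if check_evaluated_config "$(auditconfig -getpolicy 2>/dev/null)"; then :; fi
fi
```

Because auditconfig changes only the running kernel's policy, run the check both after a manual -setpolicy and once after a reboot to confirm that the audit_startup(1M) script restores the intended set.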