The auditconfig command enables you to change audit policy, such as whether to include acl information in the audit record. Since the audit policy variable is a dynamic kernel variable, the policy that you set is in effect until the computer next boots. See the auditconfig(1M) man page for a list of audit policy parameters.
The security administrator sets or changes audit policy. Policy changes are set at the label admin_low.
To set policies in one invocation of the command, or to override all current policies, separate the policies with commas (no spaces):
$ auditconfig -setpolicy trail,seq
$ auditconfig -getpolicy
audit policies = trail,seq
$ auditconfig -setpolicy argv,acl
$ auditconfig -getpolicy
audit policies = argv,acl
To add policies to the current policies, preface each added policy with a plus (+):
$ auditconfig -setpolicy trail,seq
$ auditconfig -getpolicy
audit policies = trail,seq
$ auditconfig -setpolicy +argv
$ auditconfig -setpolicy +acl
$ auditconfig -getpolicy
audit policies = seq,trail,argv,acl
To remove policies from the current policies, preface each policy to be removed with a minus (-):
$ auditconfig -setpolicy trail,seq
$ auditconfig -getpolicy
audit policies = trail,seq
$ auditconfig -setpolicy -seq
$ auditconfig -getpolicy
audit policies = trail
In the examples above, the trail and seq tokens are added to debug audit trail discrepancies. To set policies permanently, enter the auditconfig command in the audit_startup(1M) script. See To Set Audit Policy Permanently for how to edit the script.
To run auditing in an evaluated configuration, the cnt policy cannot be turned on; the ahlt policy (the default) cannot be turned off.
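The following is an added example, not part of this manual page and not code from auditconfig itself: a pure-shell model of how the -setpolicy argument forms shown above (replace, +add, -remove) combine with the current policy set, followed by a check of the evaluated-configuration rule (cnt off, ahlt on). It assumes the policy list is the comma-separated set that auditconfig -getpolicy prints after "audit policies = ", with ahlt listed explicitly when it is on; the real command prints the set in its own order, while this model keeps insertion order.

```shell
#!/bin/sh
# Added example (not from the manual page or from auditconfig).
# Models the policy-set arithmetic of 'auditconfig -setpolicy' and
# checks the evaluated-configuration rule: cnt must be off, ahlt on.
# Assumption: policy sets are comma-separated lists as printed by
# 'auditconfig -getpolicy', with ahlt named explicitly when it is on.

# has_policy SET NAME -> success if NAME is a member of SET
has_policy() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# remove_policy SET NAME -> prints SET without NAME
remove_policy() {
    name=$2 out=""
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    for p in "$@"; do
        [ "$p" = "$name" ] || out="${out:+$out,}$p"
    done
    printf '%s' "$out"
}

# apply_policy CURRENT ARG -> prints the set after 'auditconfig -setpolicy ARG'
# ARG follows the syntax in the text: "a,b" replaces the whole set,
# "+a" adds a policy, "-a" removes one (the prefix is read per token).
apply_policy() {
    cur=$1
    case $2 in
        [+-]*) ;;       # +/- prefix: start from the current set
        *) cur="" ;;    # no prefix: the list replaces all current policies
    esac
    oldifs=$IFS; IFS=,; set -- $2; IFS=$oldifs
    for tok in "$@"; do
        case $tok in
            -*) cur=$(remove_policy "$cur" "${tok#-}") ;;
            *)  name=${tok#+}
                has_policy "$cur" "$name" || cur="${cur:+$cur,}$name" ;;
        esac
    done
    printf '%s\n' "$cur"
}

# evaluated_ok SET -> success only if cnt is off and ahlt is on
evaluated_ok() {
    has_policy "$1" cnt && return 1
    has_policy "$1" ahlt
}
```

Run a real policy list through evaluated_ok before committing changes to audit_startup, so that a +cnt or -ahlt edit is caught before the next boot makes it persistent.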