NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
auditconfig provides a command line interface to get and set kernel audit parameters. A process must have the PRIV_SYS_AUDIT
, PRIV_PROC_AUDIT_TCB
, or PRIV_PROC_AUDIT_APPL
privilege in its set of effective privileges to use the -getcond, -getclass, -getpinfo, and -getpolicy options. A process must have the PRIV_SYS_AUDIT
privilege in its set of effective
privileges to use the -setcond, -setclass, -chkconf, -conf, -setpmask, -setumask, -setsmask, -getfsize, -setfsize, and -setpolicy options.
Check the configuration of kernel audit event to class mappings. If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
Configure kernel audit event to class mappings. Runtime class mappings are changed to match those in the audit event to class database file.
Return the maximum audit file size in bytes and the current size of the audit file in bytes.
Set the maximum size of an audit file to size bytes. When the size limit is reached, the audit file is closed and another is started.
Display the kernel audit condition. The condition displayed is the literal string auditing meaning auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records) or noaudit meaning auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records), or disabled meaning that the audit module has not been enabled. See auditon(2) and auditd(1M) for further information.
Set the kernel audit condition to the condition specified where condition is the literal string auditing indicating auditing should be enabled or noaudit indicating auditing should be disabled.
Display the preselection mask associated with the specified kernel audit event. event is the kernel event number or event name.
Map the kernel event event to the classes specified by audit_flags. event is an event number or name. An audit_flag is a two-character string representing an audit class. See audit_control(4) for further information.
Display the currently configured (runtime) kernel and user level audit event information.
Display the audit ID, preselection mask, terminal ID and audit session ID for the specified process.
Set the preselection mask of the specified process. flags is the text representation of the flags similar to that in audit_control(4).
Set the preselection mask of all processes with the specified audit session ID.
Set the preselection mask of all processes with the specified audit ID.
Display the kernel audit policies with a description of each policy.
Display the kernel audit policy.
Set the kernel audit policy. A policy policy_flag is literal strings that denotes an audit policy. A prefix of + adds the policies specified to the current audit policies. A prefix of - removes the policies specified from the current audit policies. The following are the valid policy flag strings ( auditconfig -lspolicy also lists the current valid audit policy flag strings):
Include in the audit data an ACL attribute for each object accessed. Note that regardless of policy, if there is no ACL associated with an object, an attribute will not be generated. This information is not included by default.
Halt the machine if an asynchronous audit event occurs that cannot be delivered because the audit queue has reached the high-water mark or because there are insufficient resources to construct an audit record. By default, records are dropped and a count is kept of the number of dropped records.
Include the execv(2) system call environment arguments to the audit record. This information is not included by default.
Include the execv(2) system call parameter arguments to the audit record. This information is not included by default.
Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, process are suspended until audit resources become available.
Include the supplementary group token in audit records. By default, the group token is not included.
Include slabels in audit records. This information is included by default.
Include as part of the audit record any bad authentication data encountered during a login operation. The default action is not to include the password in the audit record.
Add secondary path tokens to audit record. These are typically the pathnames of dynamically linked shared libraries or command interpreters for shell scripts. By default, they are not included.
Include the trailer token in every audit record. By default, the trailer token is not included.
Include the sequence token as part of every audit record. By default, the sequence token is not included. The sequence token attaches a sequence number to every audit record.
Include in an audit record any downgraded data moved between windows. By default, this information is not included.
Include in an audit record any upgraded data moved between windows. By default, this information is not included.
# # map kernel audit event number 10 to the "fr" audit class # % auditconfig -setclass 10 fr # # turn on inclusion of exec arguments in exec audit records # % auditconfig -setpolicy +argv |
Audit event definition and class mappings.
Audit class definitions.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWcsu |
This functionality is active only if auditing is enabled. By default, auditing is enabled in the Trusted Solaris environment. By default, the machine halts when audit files run out of disk space. The Trusted Solaris environment adds programming interfaces, audit classes, and audit events.
These policy flags have been added to the Trusted Solaris auditing module: acl, ahlt, slabel, passwd, windata_down, and windata_up.
A process must have the PRIV_SYS_AUDIT
, PRIV_PROC_AUDIT_TCB
, or PRIV_PROC_AUDIT_APPL
privilege in its set of effective privileges to use the -getcond, -getclass, -getpinfo, and -getpolicy options. A process must have the PRIV_SYS_AUDIT
privilege in its set of effective privileges to use the -setcond, -setclass, -chkconf, -conf, -setpmask, -setumask, -setsmask, -getfsize, -setfsize, and -setpolicy options.
Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW
.
Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW
.
As a result, Trusted Solaris 7 has the following characteristics:
ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.
ILs do not float.
Setting an IL on an object has no effect.
Getting an object's IL will always return ADMIN_LOW
.
Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs are always ADMIN_LOW
, and cannot be set on any objects.
In auditing, the ilabel token is recorded as ADMIN_LOW
, when it is recorded. The audit event numbers 519 (AUE_OFLOAT), 520 (AUE_SFLOAT), and 9036 (AUE_iil_change) continue to be reserved, but those events are no longer recorded.
auditd(1M), praudit(1M), auditon(2), execv(2), audit_class(4), audit_control(4), audit_event(4)
Trusted Solaris Audit Administration
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO