The /etc/security/audit_control file configures system-wide auditing. The file determines which events are audited, when audit warnings are issued, and the location of the audit files.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_control file.
# cp /etc/security/audit_control /etc/security/audit_control.orig
Modify the audit_control file for your site.
Each entry has the following format:

keyword:value

keyword
    Defines the type of line. The types are flags, naflags, and plugin. For explanations of the keywords, see the following examples.

value
    Specifies data that is associated with the line type. To specify the locations of audit directories, use the p_dir attribute to the audit_binfile.so plugin. To specify the minimum free space, use the p_minfree attribute.
(Optional) Verify the syntax of the file.
# audit -v /etc/security/audit_control
syntax ok
The flags line in the audit_control file defines which classes of attributable events are audited for all users on the system. The classes are separated by commas. White space is allowed. In this example, the events in the lo and ap classes are audited for all users.
## audit_control file
flags:lo,ap
naflags:lo
plugin:name=...
To see which events are assigned to a class, read the audit_event file. You can also use the auditrecord command, as shown in Example 30–24.
In this example, all events in the na class, and all login events that are not attributable, are audited.
## audit_control file
flags:lo
naflags:lo,na
plugin:name=...
The p_dir flag to the audit_binfile.so plugin lists which audit file systems to use for binary audit data. In this example, three locations for binary audit data are defined. The directories are listed in order from the primary directory to the directory of last resort. The plugin line does not contain a line break.
## audit_control file
##
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/egret.1/files, /var/audit/egret.2/files,/var/audit
To set up file systems to hold binary audit data, see How to Create Partitions for Audit Files.
In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when only 10 percent of the file system is available.
The plugin line does not contain a line break.
## audit_control file
##
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/examplehost.1/files, /var/audit/examplehost.2/files,/var/audit/localhost/files; p_minfree=10
The audit_warn alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.
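As an added example, not a Solaris tool or part of this guide, the following Python helper parses audit_control entries of the forms shown above (flags, naflags, and a plugin line with p_dir and p_minfree attributes) and reports settings an administrator would want to review before running audit -v. The sample file content and the review thresholds (class lo in both flags and naflags, at least two audit directories, p_minfree as a percentage) are this example's own constructions.

```python
# Added example, not a Solaris tool: parse audit_control (flags, naflags, plugin lines)
# and report settings to review. Sample content and thresholds are constructed here.

SAMPLE = """\
## audit_control file
##
flags:lo, ap
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/examplehost.1/files, /var/audit/examplehost.2/files,/var/audit/localhost/files; p_minfree=10
"""

def parse_audit_control(text):
    """Return {'flags': [...], 'naflags': [...], 'plugins': [{'name': ..., 'attrs': {...}}]}."""
    conf = {"flags": [], "naflags": [], "plugins": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        keyword, sep, value = (s.strip() for s in line.partition(":"))
        if keyword in ("flags", "naflags") and sep:  # comma-separated classes, white space allowed
            conf[keyword] = [c.strip() for c in value.split(",") if c.strip()]
        elif keyword == "plugin" and sep:
            # plugin attributes are separated by ';', each written as attr=value
            attrs = {k.strip(): v.strip() for k, _, v in (i.strip().partition("=") for i in value.split(";") if i.strip())}
            if "name" not in attrs:
                raise ValueError(f"line {lineno}: plugin line lacks name=")
            conf["plugins"].append({"name": attrs.pop("name"), "attrs": attrs})
        else:  # only the three keywords this page lists are accepted
            raise ValueError(f"line {lineno}: expected flags:, naflags: or plugin:, got {line!r}")
    return conf

def audit_dirs(conf):
    """p_dir of audit_binfile.so as an ordered list, primary directory first."""
    for p in conf["plugins"]:
        if p["name"] == "audit_binfile.so":
            return [d.strip() for d in p["attrs"].get("p_dir", "").split(",") if d.strip()]
    return []

def check_audit_control(conf):
    """Review findings; the thresholds are this example's assumptions, not Solaris rules."""
    findings = []
    if "lo" not in conf["flags"] or "lo" not in conf["naflags"]:
        findings.append("class lo should appear in both flags and naflags")
    if len(audit_dirs(conf)) < 2:
        findings.append("p_dir lists fewer than two directories; no directory of last resort")
    binfile = next((p for p in conf["plugins"] if p["name"] == "audit_binfile.so"), None)
    minfree = binfile["attrs"].get("p_minfree") if binfile else None
    if minfree is None or not minfree.isdigit() or int(minfree) > 100:
        findings.append("p_minfree missing or not a percentage from 0 to 100")
    return findings
```

Run check_audit_control(parse_audit_control(open("/etc/security/audit_control").read())) on a real file; an empty list means no findings.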