System Administration Guide: Security Services

Procedure: How to Lessen the Volume of Audit Records That Are Produced

After you have determined which events must be audited at your site, use the following suggestions to create manageable audit files.

  1. Use the default audit policy.

    Specifically, avoid adding events and audit tokens to the audit trail. The following policies affect the size of the audit trail.

    • arge policy – Adds environment variables to exec audit events.

    • argv policy – Adds command parameters to exec audit events.

    • public policy – If file events are being audited, adds an event to the audit trail every time an auditable event happens to a public file. File classes include fa, fc, fd, fm, fr, fw, and cl. For the definition of a public file, see Audit Terminology and Concepts.

    • path policy – Adds a path token to audit events that include an optional path token.

    • group policy – Adds a group token to audit events that include an optional newgroups token.

    • seq policy – Adds a sequence token to every audit event.

    • trail policy – Adds a trailer token to every audit event.

    • windata_down policy – On a system that is configured with Trusted Extensions, adds events when information in a labeled window is downgraded.

    • windata_up policy – On a system that is configured with Trusted Extensions, adds events when information in a labeled window is upgraded.

    • zonename policy – Adds the zone name to every audit event. If the global zone is the only configured zone, the policy adds the token zone,global to every audit event.

    The following audit record shows the use of the ls command. The ex class is being audited and the default policy is in use:


    header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
    path,/usr/bin/ls
    subject,jdoe,root,root,root,root,1401,737,0 0 mach1
    return,success,0

    The following is the same record when all policies are turned on:


    header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
    path,/usr/bin/ls
    attribute,100555,root,bin,136,432,0
    exec_args,1,ls
    exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
    path,/lib/ld.so.1
    attribute,100755,root,bin,136,4289,0
    subject,jdoe,root,root,root,root,1401,737,0 0 mach1
    group,root,other,bin,sys,adm,uucp,mail,tty,lp,nuucp,daemon
    return,success,0
    zone,global
    sequence,313540
    trailer,375
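
To see what the non-default policies cost on your own trail, the following script tallies praudit(1M) text output. It is an example added here, not code from the guide. Each token type that the policy list above names (exec_args, exec_env, group, zone, sequence, trailer) is grouped under its policy and its bytes are summed, and the policies found are then printed in the form that auditconfig -setpolicy takes to switch them off. The byte counts are of the text form, so they are an estimate; the second field of the header token is the true size of the binary record. The embedded record is the all-policies example above, a constructed sample with the wrapped exec_env line rejoined. attribute and extra path tokens are counted as baseline, because the guide does not say which token the path and public policies each emit.

```shell
#!/bin/sh
# Added example, not from the Solaris guide. Reads praudit(1M) text output
# (one token per line, each record starting with a header token) and reports
# how many bytes come from tokens that exist only because a non-default
# audit policy is on. Counts are of the text form, so they are estimates; the
# header token's second field is the true size of the binary record.

# Token type -> policy, taken from the policy list in this procedure. path and
# attribute tokens are not mapped: the path and public policies can add them,
# but the default execve record carries a path token too, so they are counted
# as baseline rather than guessed at.
policy_token_report() {                 # usage: praudit audit-file | policy_token_report
    awk -F, '
    BEGIN {
        policy["exec_args"] = "argv"
        policy["exec_env"]  = "arge"
        policy["group"]     = "group"
        policy["zone"]      = "zonename"
        policy["sequence"]  = "seq"
        policy["trailer"]   = "trail"
    }
    $1 == "header" { nrec++ }
    {
        bytes = length($0) + 1          # +1 for the newline praudit prints
        total += bytes
        if ($1 in policy) extra[policy[$1]] += bytes
        else baseline += bytes
    }
    END {
        printf "records=%d total_bytes=%d baseline_bytes=%d\n", nrec, total, baseline
        n = 0
        for (p in extra) names[++n] = p
        # awk "for (p in extra)" order is unspecified, so sort the names
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (names[j] < names[i]) { t = names[i]; names[i] = names[j]; names[j] = t }
        for (i = 1; i <= n; i++) printf "policy=%s bytes=%d\n", names[i], extra[names[i]]
    }'
}

# Same input; prints the policies found as the argument auditconfig -setpolicy
# takes to switch them off, e.g. "-arge,-argv". No output means the trail
# already looks like the default policy.
policies_to_drop() {                    # usage: praudit audit-file | policies_to_drop
    policy_token_report |
        awk -F'[= ]' '$1 == "policy" { s = s (s == "" ? "" : ",") "-" $2 }
                       END { if (s != "") print s }'
}

# Constructed sample: the all-policies execve record shown in step 1, with the
# wrapped exec_env line rejoined.
SAMPLE_RECORD=$(cat <<'EOF'
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
attribute,100555,root,bin,136,432,0
exec_args,1,ls
exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
path,/lib/ld.so.1
attribute,100755,root,bin,136,4289,0
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
group,root,other,bin,sys,adm,uucp,mail,tty,lp,nuucp,daemon
return,success,0
zone,global
sequence,313540
trailer,375
EOF
)

# Run directly to see the report for the sample record.
printf '%s\n' "$SAMPLE_RECORD" | policy_token_report
printf '%s\n' "$SAMPLE_RECORD" | policies_to_drop
```

On the sample, the arge and group policies account for most of the optional bytes. The output of policies_to_drop can be given to auditconfig -setpolicy on the running system; to keep the change across reboots, also remove the matching +policy lines from audit_startup. On Solaris 10 run the functions with nawk or /usr/xpg4/bin/awk rather than /usr/bin/awk, which does not support the in operator.
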

  2. Use the audit_syslog.so plugin to send some audit events to syslog.

    This strategy works only if you are not required to keep binary records of the audit events that you send to syslog, because the syslog copy is a text summary of each record, not the record itself. You can then use the auditreduce command to strip those records from the binary files, which reduces their size.

  3. Use the audit_user file to audit events for specific users and roles.

    Reduce the amount of auditing for all users by reducing the number of audit classes in the audit_control file. In the audit_user file, add audit classes for specific users and roles.
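
Steps 2 and 3 come down to three files. The script below is an example added here, not taken from the guide, and writes them for a Solaris 10 host: an audit_control with a short global flags line and an audit_syslog.so plugin entry, a syslog.conf route for the audit facility, and an audit_user entry that turns the ex class on for jdoe only (the account from the sample records, used here as a hypothetical user). The AUDIT_ROOT and SYSLOG_CONF variables exist only so the script can be dry-run against a scratch directory; the class choices are illustrative.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: the three files behind steps 2
# and 3 on a Solaris 10 host. Global auditing is kept to the lo class, lo
# records are also forwarded to syslog through audit_syslog.so, and the ex
# class is turned on only for the jdoe account (a hypothetical user, taken
# from the sample records). AUDIT_ROOT and SYSLOG_CONF exist only so the
# script can be dry-run against a scratch directory; on a real host leave
# them unset and run as root.
set -e
AUDIT_ROOT=${AUDIT_ROOT:-/etc/security}
SYSLOG_CONF=${SYSLOG_CONF:-/etc/syslog.conf}

# audit_control(4): site-wide settings. Keep the flags line short; classes
# that only some users need belong in audit_user. The plugin line's p_flags
# uses the same class syntax as flags and selects what audit_syslog.so forwards.
write_audit_control() {
    cat > "$AUDIT_ROOT/audit_control" <<'EOF'
dir:/var/audit
flags:lo
minfree:20
naflags:lo
plugin:name=audit_syslog.so;p_flags=lo
EOF
}

# audit_user(4): username:always-audit-classes:never-audit-classes
# Replaces any existing entry for the user so the file never holds two.
set_user_audit() {                      # set_user_audit user always never
    f=$AUDIT_ROOT/audit_user
    [ -f "$f" ] || : > "$f"
    grep -v "^$1:" "$f" > "$f.tmp" || true
    printf '%s:%s:%s\n' "$1" "$2" "$3" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# syslog.conf(4): send the audit facility to its own file. The separator must
# be a tab. Idempotent, so re-running the script does not duplicate the line.
add_syslog_route() {
    grep -q '^audit\.notice' "$SYSLOG_CONF" 2>/dev/null ||
        printf 'audit.notice\t/var/adm/auditlog\n' >> "$SYSLOG_CONF"
}

# Helpers for checking the result.
global_flags() { sed -n 's/^flags://p' "$AUDIT_ROOT/audit_control"; }
user_entry()   { grep "^$1:" "$AUDIT_ROOT/audit_user"; }

# On the real host: create the syslog target, make syslogd reread its
# configuration, and make auditd reread audit_control and audit_user.
activate() {
    touch /var/adm/auditlog
    svcadm refresh system/system-log
    audit -s
}

apply() {
    write_audit_control
    set_user_audit jdoe ex no           # jdoe: also audit ex; "no" = no never-list
    add_syslog_route
    # Only poke the daemons when the live files were written, not in a dry run.
    if [ "$AUDIT_ROOT" = /etc/security ]; then activate; fi
}

# Run "sh this-script apply" as root, or with AUDIT_ROOT and SYSLOG_CONF
# pointed at a scratch directory for a dry run.
if [ "${1:-}" = apply ]; then apply; fi
```

With these files in place every user is audited for lo only, jdoe is additionally audited for ex, and the lo records reach /var/adm/auditlog as text while the binary trail still holds them; run auditreduce as step 2 describes if the binary copies of the syslog-forwarded records are not needed.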

  4. Create your own customized audit class.

    You can create audit classes at your site. Into these classes, put all the audit events that you need to monitor. For the procedure, see How to Add an Audit Class.


    Note –

    If you modify existing audit class assignments, your modifications might be lost when you upgrade to a newer version of the Solaris OS. Carefully review the install logs.