System Administration Guide: Security Services

Procedure: How to Modify the audit_control File

The /etc/security/audit_control file configures system-wide auditing. The file determines which events are audited, when audit warnings are issued, and the location of the audit files.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_control file.


    # cp /etc/security/audit_control /etc/security/audit_control.orig
    
  3. Modify the audit_control file for your site.

    Each entry has the following format:


    keyword:value
    
    keyword

    Defines the type of line. The types are dir, flags, minfree, naflags, and plugin. In the Solaris 10 release, the dir and minfree lines are deprecated.

    For explanations of the keywords, see the following examples.

    value

    Specifies data that is associated with the line type.


    Note –

    To specify the locations of audit directories, use the p_dir attribute to the audit_binfile.so plugin. To specify the minimum free space, use the p_minfree attribute.


  4. (Optional) Verify the syntax of the file.


    # audit -v /etc/security/audit_control
    syntax ok

Example 30–1 Preselecting Audit Classes for All Users

The flags line in the audit_control file defines which classes of attributable events are audited for all users on the system. The classes are separated by commas. White space is allowed. In this example, the events in the lo and ap classes are audited for all users.


## audit_control file
flags:lo,ap
naflags:lo
plugin:name=...

To see which events are assigned to a class, read the audit_event file. You can also use the bsmrecord command, as shown in Example 30–27.

Example 30–2 Preselecting Nonattributable Events

In this example, all events in the na class, and all login events that are not attributable, are audited.


## audit_control file
flags:lo
naflags:lo,na
plugin:name=...


Example 30–3 Specifying the Location of Binary Audit Data

The p_dir attribute of the audit_binfile.so plugin lists which audit file systems to use for binary audit data. In this example, three locations for binary audit data are defined. The directories are listed in order from the primary directory to the directory of last resort. The plugin line does not contain a line break.


## audit_control file
##
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/egret.1/files,
/var/audit/egret.2/files,/var/audit

To set up file systems to hold binary audit data, see How to Create Partitions for Audit Files.

Example 30–4 Changing the Soft Limit for Warnings

In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when only 10 percent of the file system is available.

The plugin line does not contain a line break.


## audit_control file
#
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/examplehost.1/files,
/var/audit/examplehost.2/files,/var/audit/localhost/files; p_minfree=10

The audit_warn alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.
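The entry format described in step 3 and the plugin attributes used in Examples 30–3 and 30–4, worked through as a small parser and sanity checker. This is an added example written for this page, not Oracle's code and not the audit command's own syntax check; the sample file, the warning messages, and the assumption that p_minfree is a whole-number percentage from 0 to 100 are constructed here.

```python
KNOWN = {"dir", "flags", "minfree", "naflags", "plugin"}

# Constructed sample modelled on Example 30-4; the plugin entry is one physical line.
SAMPLE = """\
## audit_control file
#
flags:lo, ap
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/examplehost.1/files,/var/audit/examplehost.2/files,/var/audit/localhost/files; p_minfree=10
"""

def parse_classes(value):
    """flags/naflags value: comma-separated audit classes; white space is allowed."""
    return [c.strip() for c in value.split(",") if c.strip()]

def parse_plugin(value):
    """plugin value: 'name=...; attr=val; ...'. p_dir keeps its order (primary first)."""
    attrs = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, _, val = part.partition("=")
        attrs[key.strip()] = val.strip()
    if "p_dir" in attrs:
        attrs["p_dir"] = [d.strip() for d in attrs["p_dir"].split(",") if d.strip()]
    return attrs

def parse_audit_control(text):
    """Return (config, warnings). Lines starting with '#' are comments."""
    config, warnings = {"plugin": []}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, sep, value = line.partition(":")
        keyword = keyword.strip()
        if not sep or keyword not in KNOWN:
            warnings.append(f"line {lineno}: unrecognized entry {line!r}")
        elif keyword in ("flags", "naflags"):
            config[keyword] = parse_classes(value)
        elif keyword == "plugin":
            plug = parse_plugin(value)
            minfree = plug.get("p_minfree")
            if minfree is not None and not (minfree.isdigit() and int(minfree) <= 100):
                warnings.append(f"line {lineno}: p_minfree must be 0-100 percent, got {minfree!r}")
            config["plugin"].append(plug)
        else:  # dir / minfree: deprecated in Solaris 10, superseded by p_dir / p_minfree
            warnings.append(f"line {lineno}: '{keyword}' is deprecated; use the plugin line")
            config[keyword] = value.strip()
    return config, warnings
```

The checker complements audit -v rather than replacing it; audit -v remains the authoritative syntax check before the file is put into service.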