System Administration Guide: Security Services

Procedure: How to Configure Audit Policy

Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.

You can inspect and change the current audit policy options with the auditconfig command. To make audit policy changes permanent, edit the auditconfig -setpolicy lines in the audit_startup script.

  1. Assume a role that includes the Audit Control profile, or become superuser.

    To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).

  2. Review the audit policy.

    Before auditing is enabled, the contents of the audit_startup file determine the audit policy:


    #! /bin/sh
    ...
    /usr/bin/echo "Starting BSM services."
    /usr/sbin/auditconfig -setpolicy +cnt   # Counts rather than drops records
    /usr/sbin/auditconfig -conf             # Configures event-class mappings
    /usr/sbin/auditconfig -aconf            # Configures nonattributable events

  3. View the available policy options.


    $ auditconfig -lspolicy
    

    Note –

    The perzone and ahlt policy options can be set only in the global zone.


  4. Enable or disable selected audit policy options.


    # auditconfig -setpolicy <prefix><policy>

    prefix

    A prefix value of + enables the policy option. A prefix value of - disables the policy option.

    policy

    Selects the policy to be enabled or to be disabled.

    The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.

    For a description of each policy option, see Determining Audit Policy.


Example 30–16 Setting the cnt and ahlt Audit Policy Options

In this example, the cnt policy is disabled, and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full and an asynchronous event occurs. When a synchronous event occurs, the process that created the thread hangs. These settings are appropriate when security is more important than availability.

The following audit_startup entries disable the cnt policy option and enable the ahlt policy option across reboots:


# cat /etc/security/audit_startup
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy -cnt
/usr/sbin/auditconfig -setpolicy +ahlt


Example 30–17 Setting the seq Audit Policy Temporarily

In this example, the auditd daemon is running and the ahlt audit policy has been set. The seq audit policy is added to the current policy. The seq policy adds a sequence token to every audit record. This is useful for debugging the auditing service when audit records are corrupted, or when records are being dropped.

The + prefix adds the seq option to the current audit policy, rather than replacing the current audit policy with seq. The auditconfig command puts the policy in effect until the next invocation of the command, or until the next boot.


$ auditconfig -setpolicy +seq
$ auditconfig -getpolicy
audit policies = ahlt,seq


Example 30–18 Setting the perzone Audit Policy

In this example, the perzone audit policy is set in the audit_startup script in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone.


$ cat /etc/security/audit_startup
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +perzone
/usr/sbin/auditconfig -setpolicy +cnt


Example 30–19 Changing an Audit Policy

In this example, the audit daemon is running and audit policy has been set. The auditconfig command changes the ahlt and cnt policies for the duration of the session. With these settings, audit records are dropped, but counted, when the audit file system is full. For restrictions on setting the ahlt policy, see Step 3.


$ auditconfig -setpolicy +cnt
$ auditconfig -setpolicy -ahlt
$ auditconfig -getpolicy
audit policies = cnt,seq

When the changes are put in the audit_startup file, the policies are permanently in effect:


$ cat /etc/security/audit_startup
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +cnt

The -ahlt option does not have to be specified in the file, because the ahlt policy option is disabled by default. This setting is appropriate when availability is more important than the security that audit records provide.
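As an added example that is not part of this guide, the following shell script replays the -setpolicy lines of an audit_startup script in order, the way the examples above rely on the + and - prefixes, and reports the policy set the file leaves in effect, which of cnt or ahlt governs behaviour when the audit file system fills, and which options are restricted to the global zone. The sample file contents, the helper function names and the zone name myzone are constructed for this example; the baseline assumed is that no policy is set.

```shell
# Added example, not from the Solaris guide: replay the "-setpolicy +name"
# and "-name" lines of an audit_startup script in order and report the
# policy set it leaves in effect. Assumed baseline: no policy set.

# Constructed sample in the page's audit_startup format. The later
# -cnt/+ahlt lines override the earlier +cnt, which is easy to miss.
SAMPLE_STARTUP='#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +seq
/usr/sbin/auditconfig -setpolicy -cnt
/usr/sbin/auditconfig -setpolicy +ahlt'

# join_commas: one name per line on stdin -> "a,b,c" (getpolicy style).
join_commas() { awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'; }

# effective_policy: audit_startup script on stdin -> sorted policy list.
# Comment lines are skipped, so a commented-out -setpolicy does not count.
effective_policy() {
    grep -v '^[[:space:]]*#' |
    sed -n 's/.*auditconfig[[:space:]]*-setpolicy[[:space:]]*\([+-][a-z]*\).*/\1/p' |
    awk '{ op = substr($0, 1, 1); name = substr($0, 2) }
         op == "+" { set[name] = 1 }      # + enables the option
         op == "-" { delete set[name] }   # - disables it
         END { for (p in set) print p }' | sort | join_commas
}

# policy_stance: what the page says happens when the audit file system
# fills, for a policy list; ahlt is reported first if both are present.
policy_stance() {
    case ",$1," in
        *,ahlt,*) echo "ahlt: system halts when audit partitions are full (security over availability)" ;;
        *,cnt,*)  echo "cnt: records dropped but counted when the file system is full (availability over security)" ;;
        *)        echo "neither cnt nor ahlt set" ;;
    esac
}

# zone_restricted: policies in $1 that can be set only in the global zone
# (perzone, ahlt); $2 = zone name (on Solaris, the output of zonename).
zone_restricted() {
    if [ "$2" = global ]; then return 0; fi
    printf '%s\n' "$1" | tr ',' '\n' | grep -x -e perzone -e ahlt | sort | join_commas
}

POLICY=$(printf '%s\n' "$SAMPLE_STARTUP" | effective_policy)
echo "audit policies = $POLICY"       # audit policies = ahlt,seq
policy_stance "$POLICY"; zone_restricted "$POLICY" myzone
```

On a live system, feed /etc/security/audit_startup to effective_policy and compare the result with auditconfig -getpolicy to confirm that the file and the running policy agree.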