SunSHIELD Basic Security Module Guide

Setting Audit Policies

You can use auditconfig with the -setpolicy flag to change the default Solaris-BSM audit policies. The auditconfig command with the -lspolicy argument lists the policies that can be set, and -getpolicy shows which are currently in effect. A policy set with -setpolicy applies only to the running kernel; to have it take effect at every boot, put the same auditconfig -setpolicy line in /etc/security/audit_startup. The policy flags are described below.

arge

Record the environment variables passed to execv (see the exec(2) man page). The default is not to record them. Note that environment variables may carry sensitive values, so enabling this policy makes the audit trail itself more sensitive.

argv

Record the command-line arguments passed to execv, so that the command line that was executed can be reconstructed from the trail. The default is not to record them.

cnt

Do not suspend auditable actions when the audit queue is full; let them proceed and count how many audit records are dropped. The default is to suspend, which blocks the process until its record can be queued: the trail stays complete but the system can stall when auditing cannot keep up. With cnt the system stays available but the trail has gaps; the number of dropped records is shown in the drop column of auditstat(1M).

group

Include the supplementary groups token in audit records. The default is that the group token is not included.

path

Add secondary path tokens to the audit record. These secondary paths are typically the path names of dynamically linked shared libraries or of command interpreters for shell scripts. By default they are not included.

trail

Include the trailer token in all records. The default is that the trailer token is not recorded.

seq

Include a sequence number in every audit record. The default is not to include it. (The sequence number can be used, for example when analyzing a crash dump, to determine whether any audit records were lost.)
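The following script is an added example and is not part of the BSM guide. It checks the running policy against a baseline of required flags and prints the auditconfig -setpolicy line (for immediate use and for /etc/security/audit_startup) that would enable whatever is missing. It assumes that auditconfig -getpolicy prints one line of the form "audit policies = argv,cnt"; on a host without auditconfig it falls back to a constructed sample line so that it can run anywhere.

```sh
#!/bin/sh
# Added example (not from the BSM guide): compare the current audit policy
# with a required baseline and print the command that would close the gap.
# Assumption: auditconfig -getpolicy output looks like "audit policies = argv,cnt".

# policy_flags "<getpolicy output>" -> the comma-separated flag list, or "" if unparseable
policy_flags() {
    printf '%s\n' "$1" | sed -n 's/^audit policies = //p'
}

# missing_flags "<getpolicy output>" "flag1 flag2 ..." -> required flags not
# present in the output, space-separated (empty when nothing is missing)
missing_flags() {
    current=$(policy_flags "$1" | tr ',' ' ')
    missing=""
    for want in $2; do
        found=no
        for have in $current; do
            [ "$have" = "$want" ] && found=yes
        done
        [ "$found" = no ] && missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# Only the policy flags documented for auditconfig -setpolicy are accepted;
# anything else is refused before it could reach the command line.
valid_flag() {
    case "$1" in
        arge|argv|cnt|group|path|trail|seq) return 0 ;;
        *) return 1 ;;
    esac
}

# Baseline for a host where reconstructing executed command lines matters
# and availability is preferred over a complete trail (illustrative choice).
REQUIRED="argv arge cnt"

if command -v auditconfig >/dev/null 2>&1; then
    policy_out=$(auditconfig -getpolicy)
else
    policy_out="audit policies = argv,cnt"     # constructed sample output
fi

need=$(missing_flags "$policy_out" "$REQUIRED")
if [ -n "$need" ]; then
    for f in $need; do
        valid_flag "$f" || { echo "unknown policy flag: $f" >&2; exit 2; }
    done
    # -setpolicy without a prefix replaces the whole set, so emit the union
    # of what is already set and what is missing.
    have=$(policy_flags "$policy_out")
    add=$(printf '%s' "$need" | tr ' ' ',')
    case "$have" in
        ""|none) union=$add ;;
        *)       union="$have,$add" ;;
    esac
    echo "missing policy flags: $need"
    echo "apply now:   auditconfig -setpolicy $union"
    echo "make persistent: add that line to /etc/security/audit_startup"
else
    echo "audit policy already satisfies: $REQUIRED"
fi
```

With the constructed sample the script reports arge as missing and prints "auditconfig -setpolicy argv,cnt,arge". Because a policy change made with -setpolicy lasts only until the next reboot, the audit_startup line is the part that actually keeps the host in the baseline.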

How to Change Which Events Are in Which Audit Classes

This procedure describes how to modify the default event to class mappings.

  1. Edit the /etc/security/audit_event file to change the class mapping for each event to be changed. Each line has the form event_number:event_name:description:class_list; the class list is comma-separated and every class named in it must be defined in /etc/security/audit_class.

  2. Reboot the system, or run auditconfig -conf to load the new event-to-class mappings into the running kernel. auditconfig -chkconf reports any event whose runtime class mask still differs from the file.
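As an added example that is not part of the BSM guide, the script below carries out step 1 on a constructed excerpt of audit_event rather than on the live /etc/security/audit_event, so it runs anywhere: it rewrites the class field of one named event, refuses to touch the file if the event is missing or listed twice, and reads the mapping back. The event lines are written in the audit_event format described above; the choice of classes (adding ad to AUE_EXECVE) is illustrative only, and the auditconfig -conf and -chkconf commands of step 2 are only printed, not run.

```sh
#!/bin/sh
# Added example (not from the BSM guide): edit an audit_event-format file
# safely and show the reload/check commands for the kernel mappings.

# event_classes FILE EVENT_NAME -> prints the class list of that event
event_classes() {
    awk -F: -v ev="$2" '$0 !~ /^#/ && $2 == ev { print $4 }' "$1"
}

# set_event_classes FILE EVENT_NAME CLASS_LIST
# Rewrites the class field (4th field) of exactly one matching event line.
# Writes to a temporary file first and only replaces FILE on success, so a
# failed edit never leaves a half-written audit_event behind. Returns 1 and
# leaves FILE untouched when the event is absent or appears more than once.
set_event_classes() {
    file=$1; ev=$2; cls=$3
    tmp="$file.tmp.$$"
    awk -F: -v ev="$ev" -v cls="$cls" '
        BEGIN { OFS = ":" }
        $0 !~ /^#/ && $2 == ev { $4 = cls; n++ }
        { print }
        END { exit (n == 1) ? 0 : 1 }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Constructed excerpt in audit_event format (number:name:description:classes).
sample=${TMPDIR:-/tmp}/audit_event.example.$$
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed excerpt, not the system file
7:AUE_EXEC:exec(2):ps,ex
8:AUE_CHDIR:chdir(2):pc
23:AUE_EXECVE:execve(2):ps,ex
EOF

# Step 1: also audit execve(2) under the ad class (illustrative choice).
set_event_classes "$sample" AUE_EXECVE ps,ex,ad
echo "AUE_EXECVE now maps to: $(event_classes "$sample" AUE_EXECVE)"

# Step 2 on the real system, after editing /etc/security/audit_event itself:
echo "load into the kernel:   auditconfig -conf"
echo "verify kernel == file:  auditconfig -chkconf"
```

On the live system the same functions would be pointed at /etc/security/audit_event, followed by auditconfig -conf and then auditconfig -chkconf; an empty -chkconf report confirms that the runtime mappings match the file.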