arge
|
When disabled, this policy omits environment
variables of an executed program script from the exec audit
record.
When enabled, this policy adds the environment variables
of an executed program script to the exec audit record.
The resulting audit records contain much more detail than when this policy
is disabled.
|
The disabled option collects much less information than the enabled option.
The enabled option makes sense when you are auditing a few users, or when
you have suspicions about the environment variables that are being used in
exec programs.
|
argv
|
When disabled, this policy omits the arguments
of an executed program script from the exec audit record.
When enabled, this policy adds the arguments of an executed program
script to the exec audit record. The resulting audit records
contain much more detail than when this policy is disabled.
|
The disabled option collects much less information than the enabled
option.
The enabled option makes sense when you are auditing a
few users, or when you have reason to believe that unusual exec
programs are being run.
|
cnt
|
When disabled, this policy blocks a user or
application when audit records cannot be added to the audit trail because
no disk space is available.
When enabled, this policy allows
the event to complete without an audit record being generated. A count of
audit records that are dropped is maintained.
|
The disabled option makes sense in an environment where security is paramount.
The enabled option makes sense when system availability is more
important than security.
|
group
|
When disabled, this policy does not add a
groups list to audit records.
When enabled, this policy adds a
groups list to every audit record as a special token.
|
The disabled option usually satisfies requirements for site security.
The enabled option makes sense when you need to audit which groups are
generating auditable events.
|
path
|
When disabled, this policy records in an audit
record at most one path that is used during a system call.
When enabled, this policy adds every path that is used in conjunction with
an audit event to every audit record.
|
The disabled option places at most one path in an audit record.
The enabled option enters each file name or path that is used during a system
call in the audit record as a path token.
|
seq
|
When disabled, this policy does not number
the audit records in sequence.
When enabled, this policy adds
a sequence number (seq token) to every audit record.
|
The disabled option is sufficient when auditing is running smoothly.
The enabled option makes sense when you are checking that audit files are
being written correctly. In the case of file corruption (for example, a partially
written audit record), you may be able to spot bad records faster if the sequence
numbers are out of order or if some numbers are missing.
|
trail
|
When disabled, this policy does not add a
trailer token to audit records.
When enabled, this policy adds
a trailer token to every audit record.
|
The disabled option creates a smaller audit record.
The enabled option marks the end of each audit record clearly with a trailer
token. The trailer token is often used in conjunction with the sequence token
when debugging. In the case of file corruption (for example, a partially
written audit record), the auditreduce command resyncs faster on good records.
|
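The seq and trail rows describe spotting bad records by missing or out-of-order sequence numbers and by absent trailer tokens. The following is an added example, not part of the original documentation, that runs that check over an unfiltered trail. It assumes the records are in one-line text form (as from `praudit -l`) with the sequence token rendered as `sequence,<n>` and the trailer as a final `trailer,<size>`; the function name and sample records are constructed for illustration.

```python
import re

# Assumed text form: one record per line, tokens comma-separated, with a
# `sequence,<n>` token and a final `trailer,<size>` token.
SEQ_RE = re.compile(r"(?:^|,)sequence,(\d+)(?=,|$)")
TRAILER_RE = re.compile(r",trailer,\d+,?$")

def check_trail(lines):
    """Return (line_number, problem) findings for an unfiltered audit trail."""
    findings = []
    expected = None  # next sequence number we expect to see
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("header,"):
            findings.append((no, "no header token: possible partial record"))
            continue
        if not TRAILER_RE.search(line):
            findings.append((no, "no trailer token: record may be truncated"))
        m = SEQ_RE.search(line)
        if m is None:
            findings.append((no, "no sequence token"))
            continue
        seq = int(m.group(1))
        if expected is not None and seq > expected:
            findings.append((no, f"gap: sequence {expected}..{seq - 1} missing"))
        elif expected is not None and seq < expected:
            findings.append((no, f"out of order: sequence {seq} after {expected - 1}"))
        if expected is None or seq >= expected:
            expected = seq + 1  # only move forward, so late records stay flagged
    return findings

# Constructed sample records (not real audit data).
_REC = "header,69,2,login - local,,host1,2024-01-01 10:00:0{i}.000 +00:00,return,success,0,sequence,{seq}"
SAMPLE = [
    _REC.format(i=0, seq=100) + ",trailer,69",
    _REC.format(i=1, seq=101) + ",trailer,69",
    _REC.format(i=2, seq=104) + ",trailer,69",  # 102 and 103 are missing
    _REC.format(i=3, seq=105),                  # cut off before the trailer
    _REC.format(i=4, seq=103) + ",trailer,69",  # arrives after 105
]

if __name__ == "__main__":
    for no, problem in check_trail(SAMPLE):
        print(f"line {no}: {problem}")
```

Run it only on a trail that has not been filtered by event, user or time, since any such selection removes records and produces gaps that are not corruption.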