Determining Which Audit Policies to Use (System Administration Guide: Security Services)

System Administration Guide: Security Services

Determining Which Audit Policies to Use

Audit policies refer to the auditing options that are enabled or disabled for a particular configuration. You can inspect, enable, or disable the current audit policy with the auditon system call at the program level. Or, to do the same task you can run the auditconfig command.

By default, all audit policies are disabled. You need to enable any audit policies that you want to use.

The audit policies are disabled by default to minimize storage requirements and system processing demands. You can enable audit policies, and disable them dynamically. Use the following table to determine if the needs of your site justify the additional overhead that results from enabling one or more audit policies.

Policy Name	Description	Why Change the Policy?
`arge`	When disabled, this policy omits environment variables of an executed program script from the `exec` audit record. When enabled, this policy adds the environment variables of an executed program script to the `exec` audit record. The resulting audit records contain much more detail than when this policy is disabled.	The disabled option collects much less information than the enabled option. The enabled option makes sense when you are auditing a few users, or when you have suspicions about the environment variables that are being used in `exec` programs.
`argv`	When disabled, this policy omits the arguments of an executed program script from the `exec` audit record. When enabled, this policy adds the arguments of an executed program script to the `exec` audit record. The resulting audit records contain much more detail than when this policy is disabled.	The disabled option collects much less information than the enabled option. The enabled option makes sense when you are auditing a few users, or when you have reason to believe that unusual `exec` programs are being run.
`cnt`	When disabled, this policy blocks a user or application when audit records can not be added to the audit trail because no disk space is available. When enabled, this policy allows the event to complete without an audit record being generated. A count of audit records that are dropped is maintained.	The disabled option makes sense in an environment where security is paramount. The enabled option makes sense when system availability is more important than security.
`group`	When disabled, this policy does not add a groups list to audit records. When enabled, this policy adds a groups list to every audit record as a special token.	The disabled option usually satisfies requirements for site security. The enabled option makes sense when you need to audit which groups are generating auditable events.
`path`	When disabled, this policy records in an audit record at most one path that is used during a system call. When enabled, this policy records every path that is used in conjunction with an audit event to every audit record.	The disabled option places at most one path in an audit record. The enabled option enters each file name or path that is used during a system call in the audit record as a path token.
`seq`	When disabled, this policy does not number the audit records in sequence. When enabled, this policy adds a sequence number (`seq` token) to every audit record.	The disabled option is sufficient when auditing is running smoothly. The enabled option makes sense when you are checking that audit files are being written correctly. In the case of file corruption (for example, a partially written audit record), you may be able to spot bad records faster if the sequence numbers are out of order or if some numbers are missing.
`trail`	When disabled, this policy does not add a trailer token to audit records. When enabled, this policy adds a `trailer` token to every audit record.	The disabled option creates a smaller audit record. The enabled option marks the end of each audit record clearly with a trailer token. The trailer token is often used in conjunction with the sequence token when debugging. In the case of file corruption (for example, a partially written audit record), the `auditreduce` command resyncs faster on good records.

Policy Name

Description

Why Change the Policy?

arge

When disabled, this policy omits environment variables of an executed program script from the exec audit record.

When enabled, this policy adds the environment variables of an executed program script to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled.

The disabled option collects much less information than the enabled option.

The enabled option makes sense when you are auditing a few users, or when you have suspicions about the environment variables that are being used in exec programs.

argv

When disabled, this policy omits the arguments of an executed program script from the exec audit record.

When enabled, this policy adds the arguments of an executed program script to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled.

The disabled option collects much less information than the enabled option.

The enabled option makes sense when you are auditing a few users, or when you have reason to believe that unusual exec programs are being run.

cnt

When disabled, this policy blocks a user or application when audit records can not be added to the audit trail because no disk space is available.

When enabled, this policy allows the event to complete without an audit record being generated. A count of audit records that are dropped is maintained.

The disabled option makes sense in an environment where security is paramount.

The enabled option makes sense when system availability is more important than security.

group

When disabled, this policy does not add a groups list to audit records.

When enabled, this policy adds a groups list to every audit record as a special token.

The disabled option usually satisfies requirements for site security.

The enabled option makes sense when you need to audit which groups are generating auditable events.

path

When disabled, this policy records in an audit record at most one path that is used during a system call.

When enabled, this policy records every path that is used in conjunction with an audit event to every audit record.

The disabled option places at most one path in an audit record.

The enabled option enters each file name or path that is used during a system call in the audit record as a path token.

seq

When disabled, this policy does not number the audit records in sequence.

When enabled, this policy adds a sequence number (seq token) to every audit record.

The disabled option is sufficient when auditing is running smoothly.

The enabled option makes sense when you are checking that audit files are being written correctly. In the case of file corruption (for example, a partially written audit record), you may be able to spot bad records faster if the sequence numbers are out of order or if some numbers are missing.

trail

When disabled, this policy does not add a trailer token to audit records.

When enabled, this policy adds a trailer token to every audit record.

The disabled option creates a smaller audit record.

The enabled option marks the end of each audit record clearly with a trailer token. The trailer token is often used in conjunction with the sequence token when debugging. In the case of file corruption (for example, a partially written audit record), the auditreduce command resyncs faster on good records.