System Administration Guide: Security Services

Determining Which Audit Policies to Use

Audit policies determine the characteristics of the audit records for the local host. The policies are set by a startup script. The bsmconv script, which enables the auditing service, creates the /etc/security/audit_startup script. The audit_startup script executes the auditconfig command to establish audit policy. See the audit_startup(1M) man page.

The audit policies are disabled by default to minimize storage requirements and system processing demands. You can enable and disable audit policies dynamically with the auditconfig command. You can enable and disable the policies permanently with the audit_startup script. Use the following table to determine if the needs of your site justify the additional overhead that results from enabling one or more audit policies.

Table 21–1 Effects of Audit Policies

Each entry below gives the policy name, its description (behavior when disabled and when enabled), and the reasons you might change the policy.

Policy Name: arge

  Description:
    When disabled, this policy omits environment variables of an executed program script from the exec audit record.
    When enabled, this policy adds the environment variables of an executed program script to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled.

  Why Change the Policy?
    The disabled option collects much less information than the enabled option.
    The enabled option makes sense when you are auditing a few users. The option is also useful when you have suspicions about the environment variables that are being used in exec programs.

Policy Name: argv

  Description:
    When disabled, this policy omits the arguments of an executed program script from the exec audit record.
    When enabled, this policy adds the arguments of an executed program script to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled.

  Why Change the Policy?
    The disabled option collects much less information than the enabled option.
    The enabled option makes sense when you are auditing a few users. The option is also useful when you have reason to believe that unusual exec programs are being run.

Policy Name: cnt

  Description:
    When disabled, this policy blocks a user or application from running. The blocking happens when audit records cannot be added to the audit trail because no disk space is available.
    When enabled, this policy allows the event to complete without an audit record being generated. The policy maintains a count of audit records that are dropped.

  Why Change the Policy?
    The disabled option makes sense in an environment where security is paramount.
    The enabled option makes sense when system availability is more important than security.

Policy Name: group

  Description:
    When disabled, this policy does not add a groups list to audit records.
    When enabled, this policy adds a groups list to every audit record as a special token.

  Why Change the Policy?
    The disabled option usually satisfies requirements for site security.
    The enabled option makes sense when you need to audit which groups are generating auditable events.

Policy Name: path

  Description:
    When disabled, this policy records in an audit record at most one path that is used during a system call.
    When enabled, this policy records every path that is used in conjunction with an audit event to every audit record.

  Why Change the Policy?
    The disabled option places at most one path in an audit record.
    The enabled option enters each file name or path that is used during a system call in the audit record as a path token.

Policy Name: public

  Description:
    New in the Solaris 9 8/03 release. When disabled, this policy does not add read-only events of public objects to the audit trail when the reading of files is preselected. Audit flags that contain read-only events include fr, fa, and cl.
    When enabled, this policy records every read-only audit event of public objects if an appropriate audit flag is preselected.

  Why Change the Policy?
    The disabled option usually satisfies requirements for site security.
    The enabled option is rarely useful.

Policy Name: seq

  Description:
    When disabled, this policy does not add a sequence number to every audit record.
    When enabled, this policy adds a sequence number to every audit record. The seq token holds the sequence number.

  Why Change the Policy?
    The disabled option is sufficient when auditing is running smoothly.
    The enabled option makes sense when you are checking that audit files are being written correctly. In the case of file corruption, you might be able to spot bad records quickly. The sequence numbers might be out of order, or some numbers might be missing. A partially written audit record is an example of file corruption.

Policy Name: trail

  Description:
    When disabled, this policy does not add a trailer token to audit records.
    When enabled, this policy adds a trailer token to every audit record.

  Why Change the Policy?
    The disabled option creates a smaller audit record.
    The enabled option marks the end of each audit record clearly with a trailer token. The trailer token is often used in conjunction with the sequence token when debugging. In the case of file corruption, the auditreduce command resyncs faster on good records. A partially written audit record is an example of file corruption.
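The trade-offs in the table, turned into the auditconfig lines a site would place in its audit_startup script. This is an added example, not the script that bsmconv installs: the profile names (secure, available), the fewusers and debug switches, the DRY_RUN variable and the function names are assumptions made here; the policy names and the auditconfig -setpolicy form are the documented ones.

```shell
#!/bin/sh
# Generate "auditconfig -setpolicy" commands from site requirements
# (added example; assumes a host where bsmconv has been run and
# /usr/sbin/auditconfig exists, and that the caller is root).

AUDITCONFIG=/usr/sbin/auditconfig

# audit_policy_cmds PROFILE [FEWUSERS] [DEBUG]
#   PROFILE   secure    -> cnt stays disabled: callers block when the trail is full
#             available -> cnt enabled: events complete, dropped records are counted
#   FEWUSERS  1 -> add argv and arge (only worthwhile for a few audited users)
#   DEBUG     1 -> add seq and trail (lets you spot corrupt records and helps
#                  auditreduce resync on good records)
# Prints one command per line; the first resets every policy to "none".
audit_policy_cmds() {
    profile=$1
    fewusers=${2:-0}
    debug=${3:-0}
    add=""
    case "$profile" in
        secure)    ;;
        available) add="cnt" ;;
        *) echo "usage: audit_policy_cmds secure|available [fewusers] [debug]" >&2
           return 1 ;;
    esac
    [ "$fewusers" = 1 ] && add="${add:+$add,}argv,arge"
    [ "$debug" = 1 ]    && add="${add:+$add,}seq,trail"
    echo "$AUDITCONFIG -setpolicy none"
    [ -n "$add" ] && echo "$AUDITCONFIG -setpolicy +$add"
    return 0
}

# Apply the generated commands, or only print them when DRY_RUN=1.
# Example (hypothetical invocation): DRY_RUN=1 sh audit-policy.sh secure 1 1
if [ $# -gt 0 ]; then
    audit_policy_cmds "$@" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
fi
```

Because the generated list starts with "-setpolicy none" and then adds only the chosen policies, the result is the same whether it is run at boot from audit_startup or dynamically by root; check it afterwards with "auditconfig -getpolicy".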