| Policy Name | Description | Why Change? |
| --- | --- | --- |
| ahlt | This policy applies to asynchronous events only. When disabled, this policy allows the event to complete without an audit record being generated. When enabled, this policy halts the system when the audit queue is full. Administrative intervention is then required to clean up the audit queue, make space available for audit records, and reboot. This policy can only be enabled in the global zone; it affects all zones. | Enable this policy only where losing an audit record is worse than losing the whole system, and only where an administrator can intervene after the halt. |
| arge | When disabled, this policy omits the environment variables of an executed program from the execve audit record. When enabled, this policy adds the environment variables of an executed program to the execve audit record. The resulting audit records contain much more detail than when this policy is disabled. | The disabled option collects much less information than the enabled option. For a comparison, see How to Audit All Commands by Users. The enabled option makes sense when you are auditing a few users. The option is also useful when you suspect that the environment variables passed to programs in the ex audit class (for example, PATH or LD_PRELOAD) are being used to influence their behavior. |
| argv | When disabled, this policy omits the arguments of an executed program from the execve audit record. When enabled, this policy adds the arguments of an executed program to the execve audit record. The resulting audit records contain much more detail than when this policy is disabled. | The disabled option collects much less information than the enabled option. For a comparison, see How to Audit All Commands by Users. The enabled option makes sense when you are auditing a few users. The option is also useful when you have reason to believe that unusual programs in the ex audit class are being run, because the arguments show what those programs were asked to do. |
| cnt | When disabled, this policy blocks a user or application from running whenever an audit record cannot be added to the audit trail because the audit queue is full. When enabled, this policy allows the event to complete without an audit record being generated, and it maintains a count of the audit records that were dropped. | Disabled, audit completeness wins over availability: processes stall until the queue drains. Enabled, the system keeps running but audit records can be silently lost; if you enable cnt, also enable seq so that the missing records can be located, and watch the dropped-record count with auditstat. |
| group | When disabled, this policy does not add a groups list to audit records. When enabled, this policy adds a groups list to every audit record as a special token. | The disabled option usually satisfies site security requirements. The enabled option makes sense when you need to audit which supplemental groups the subject belongs to. |
| path | When disabled, this policy records at most one path that is used during a system call in the audit record. When enabled, this policy records every path that is used in conjunction with an audit event in that event's audit record. | The disabled option places at most one path in an audit record. The enabled option enters each file name or path that is used during a system call in the audit record as a path token. |
| perzone | When disabled, this policy maintains a single audit configuration for the system. One audit service runs in the global zone. Audit events in specific zones can be located in the audit trail if the zonename audit token was preselected. When enabled, this policy maintains a separate audit configuration, audit queue, and audit logs for each zone. An audit service runs in each zone. This policy can be enabled in the global zone only. | The disabled option is useful when you have no special reason to maintain a separate audit log, queue, and daemon for each zone. The enabled option is useful when you cannot monitor your system effectively by simply examining audit records with the zonename audit token. |
| public | When disabled, this policy does not add read-only events of public objects to the audit trail, even when the reading of files is preselected. Audit classes that contain read-only events include fr, fa, and cl. When enabled, this policy records every read-only audit event of public objects if an appropriate audit class is preselected. | The disabled option usually satisfies site security requirements. The enabled option is rarely useful and greatly increases the volume of the audit trail. |
| seq | When disabled, this policy does not add a sequence number to audit records. When enabled, this policy adds a sequence number to every audit record. The sequence token holds the sequence number. | The disabled option is sufficient when auditing is running smoothly. The enabled option makes sense when the cnt policy is enabled: a gap in the sequence numbers shows where records were discarded. Alternatively, you can use the auditstat command to view the count of dropped records. |
| trail | When disabled, this policy does not add a trailer token to audit records. When enabled, this policy adds a trailer token to every audit record. | The disabled option creates a smaller audit record. The enabled option clearly marks the end of each audit record with a trailer token. The trailer token is often used together with the sequence token, and it aids in the recovery of damaged audit trails. |
| zonename | When disabled, this policy does not include a zonename token in audit records. When enabled, this policy includes a zonename token in every audit record. | The disabled option is useful when you do not need to track audit behavior per zone. The enabled option is useful when you want to isolate and compare audit behavior across zones by post-selecting records by zone. |
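The policy set is changed with auditconfig -setpolicy, and the table's advice (argv and arge when auditing a few users, cnt rather than ahlt unless a halt is acceptable, seq alongside cnt) is easiest to apply as a computed delta against the set that is currently active rather than by retyping the whole list. The POSIX shell script below is an added example written for this page; it is not Oracle's code and not part of the auditconfig tool. It assumes that `auditconfig -getpolicy` prints a line of the form `active audit policies = a,b,c` (or `audit policies = a,b,c` on older releases, with `none` for an empty set) and that `-setpolicy` accepts `+flag,...` to add flags and `-flag,...` to remove them; confirm both against auditconfig(8) on your release. The getpolicy output used by the offline demo is constructed.

```shell
#!/bin/sh
# Added example for this page (not Oracle code): compute the auditconfig
# -setpolicy changes that move the active policy set to a desired one.
#
# Assumptions (labelled, verify on your release with auditconfig(8)):
#   * `auditconfig -getpolicy` prints "active audit policies = a,b,c"
#     (older releases: "audit policies = a,b,c"; "none" when the set is empty)
#   * `auditconfig -setpolicy +x,y` adds flags and `-setpolicy -x,y` removes them

# has_flag LIST FLAG: succeed if FLAG is a member of the comma-separated LIST
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# policy_to_add CURRENT DESIRED: flags in DESIRED that CURRENT lacks
# (runs in a subshell so the IFS change does not leak to the caller)
policy_to_add() (
    IFS=','
    out=''
    for f in $2; do
        [ -n "$f" ] || continue
        has_flag "$1" "$f" || out="${out:+$out,}$f"
    done
    printf '%s\n' "$out"
)

# policy_to_remove CURRENT DESIRED: flags in CURRENT that DESIRED lacks
policy_to_remove() {
    policy_to_add "$2" "$1"
}

# active_policies: read `auditconfig -getpolicy` output on stdin and print
# the active set as a comma-separated list (empty when the set is "none")
active_policies() {
    sed -n -e 's/^active audit policies = //p' -e 's/^audit policies = //p' |
        tr -d ' ' | sed 's/^none$//'
}

# plan_setpolicy CURRENT DESIRED: print the auditconfig commands to run.
# Additions are emitted first so that, when swapping one full-queue policy
# for another (ahlt for cnt), the window between the two commands never has
# neither of them set.
plan_setpolicy() {
    add=$(policy_to_add "$1" "$2")
    rem=$(policy_to_remove "$1" "$2")
    [ -n "$add" ] && printf 'auditconfig -setpolicy +%s\n' "$add"
    [ -n "$rem" ] && printf 'auditconfig -setpolicy -%s\n' "$rem"
    return 0
}

# Policy set the table argues for when auditing a few users: record what was
# run (argv) and with which environment (arge), count drops instead of
# blocking (cnt), and number the records (seq) so drops can be located.
# ahlt is deliberately absent: the table says it halts the system on a full queue.
DESIRED_POLICY='argv,arge,cnt,seq'

if [ "${1-}" = '--plan' ] && command -v auditconfig >/dev/null 2>&1; then
    # Live mode on a Solaris host (run as root in the global zone):
    #   sh audit_policy_plan.sh --plan [desired,flags]
    plan_setpolicy "$(auditconfig -getpolicy | active_policies)" "${2:-$DESIRED_POLICY}"
elif [ $# -eq 0 ]; then
    # Offline demo on constructed getpolicy output: ahlt is set, argv is not
    sample='configured audit policies = ahlt,cnt
active audit policies = ahlt,cnt'
    plan_setpolicy "$(printf '%s\n' "$sample" | active_policies)" "$DESIRED_POLICY"
fi
```

The script only prints the commands; review them before running them as root in the global zone, since the table notes that ahlt and perzone can be changed there only and that ahlt affects every zone.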
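The seq and cnt rows say that sequence numbers let you determine when records were discarded, but the page does not show how. The POSIX shell script below is an added example for this page, not Oracle's code and not part of praudit: it scans one-line audit records for the sequence token and reports every gap, every out-of-order record, and the total number of records missing. It assumes that in `praudit -l` output the sequence token appears as the field `sequence` immediately followed by the number, with fields separated by `,` and tokens by `;`; check praudit(8) on your release. The records produced by `sample_records` are constructed for this example and are not real audit data.

```shell
#!/bin/sh
# Added example for this page (not Oracle code): locate discarded audit
# records by finding gaps in the sequence token, as the seq row of the table
# suggests for systems that run with cnt enabled.
#
# Assumption (labelled): in `praudit -l` one-line output the sequence token
# appears as the field "sequence" immediately followed by the number, with
# fields separated by ',' and tokens by ';'. Check praudit(8) on your release.

# find_seq_gaps: read one record per line on stdin; print one line per gap
# (or per out-of-order record) and a final total of missing records.
find_seq_gaps() {
    awk -F '[,;]' '
        {
            seq = -1
            for (i = 1; i < NF; i++)
                if ($i == "sequence" && $(i + 1) ~ /^[0-9]+$/) { seq = $(i + 1) + 0; break }
            if (seq < 0) next      # record written without a sequence token: skip it
            if (have) {
                n = seq - prev - 1
                if (n > 0) {
                    missing += n
                    printf "gap after %d: %d record(s) missing (%d-%d)\n", prev, n, prev + 1, seq - 1
                } else if (n < 0) {
                    printf "out of order: %d after %d\n", seq, prev
                }
            }
            prev = seq; have = 1
        }
        END { printf "total missing: %d\n", missing }
    '
}

# sample_records: constructed praudit -l style lines (NOT real audit data).
# Sequence numbers 100, 101, 105, 106, 108, preceded by one record written
# before seq was enabled and therefore carrying no sequence token.
sample_records() {
    cat <<'EOF'
header,80,2,login - local,,host1,2024-01-01 09:59:00.000 +00:00;subject,jdoe,jdoe,staff,jdoe,staff,1200,5678,0 0 host1;return,success,0;trailer,80
header,120,2,execve(2),,host1,2024-01-01 10:00:00.000 +00:00;path,/usr/bin/ls;exec_args,2,ls,-l;subject,jdoe,jdoe,staff,jdoe,staff,1234,5678,0 0 host1;return,success,0;sequence,100;trailer,120
header,118,2,execve(2),,host1,2024-01-01 10:00:01.000 +00:00;path,/usr/bin/id;exec_args,1,id;subject,jdoe,jdoe,staff,jdoe,staff,1235,5678,0 0 host1;return,success,0;sequence,101;trailer,118
header,122,2,execve(2),,host1,2024-01-01 10:00:07.000 +00:00;path,/usr/bin/cat;exec_args,2,cat,/etc/passwd;subject,jdoe,jdoe,staff,jdoe,staff,1239,5678,0 0 host1;return,success,0;sequence,105;trailer,122
header,118,2,execve(2),,host1,2024-01-01 10:00:08.000 +00:00;path,/usr/bin/id;exec_args,1,id;subject,jdoe,jdoe,staff,jdoe,staff,1240,5678,0 0 host1;return,success,0;sequence,106;trailer,118
header,119,2,execve(2),,host1,2024-01-01 10:00:10.000 +00:00;path,/usr/bin/who;exec_args,1,who;subject,jdoe,jdoe,staff,jdoe,staff,1242,5678,0 0 host1;return,success,0;sequence,108;trailer,119
EOF
}

if [ $# -gt 0 ] && command -v praudit >/dev/null 2>&1; then
    # Live use on a Solaris host: scan the binary audit files given as arguments,
    # in order, in one run so that drops at file boundaries are also seen.
    praudit -l "$@" | find_seq_gaps
else
    # Offline demo on the constructed records above
    sample_records | find_seq_gaps
fi
```

Feed consecutive audit files into a single run; scanning them one at a time restarts the comparison at each file and hides records lost between them. The final "total missing" figure should agree with the dropped-record count that auditstat reports for the same period; a mismatch means records were lost in a way the sequence numbers alone do not explain (for example, a file that was damaged rather than a queue that overflowed).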