Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014

How to Change Audit Policy

You might change default audit policy to record detailed information about audited commands, to add a zone name to every record, or to satisfy other site security requirements.

Before You Begin

You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. View the current audit policy.
    $ auditconfig -getpolicy

    For an explanation of the output, see Displaying Audit Service Defaults.

  2. View the available policy options.
    $ auditconfig -lspolicy
    policy string    description:
    ahlt             halt machine if it can not record an async event
    all              all policies for the zone
    arge             include exec environment args in audit recs
    argv             include exec command line args in audit recs
    cnt              when no more space, drop recs and keep a cnt
    group            include supplementary groups in audit recs
    none             no policies
    path             allow multiple paths per event
    perzone          use a separate queue and auditd per zone
    public           audit public files
    seq              include a sequence number in audit recs
    trail            include trailer token in audit recs
    windata_down     include downgraded window information in audit recs
    windata_up       include upgraded window information in audit recs
    zonename         include zonename token in audit recs

    Note -  The perzone and ahlt policy options can be set only in the global zone. For the trade-offs to using a particular policy option, see Understanding Audit Policy.
  3. Enable or disable selected audit policy options.
    # auditconfig [ -t ] -setpolicy [prefix]policy[,policy...]

    Optional. Creates a temporary, or active, policy. You might set a temporary policy for debugging or testing purposes.

    A temporary policy is in effect until the audit service is refreshed, or until the policy is modified by the auditconfig -setpolicy command.


    A prefix value of + adds the list of policies to the current policy. A prefix value of - removes the list of policies from the current policy. Without a prefix, the audit policy is reset. This option enables you to retain current audit policies.


    Selects the policy to be enabled or to be disabled.

Example 3-10  Setting the ahlt Audit Policy Option

In this example, strict site security requires the ahlt policy.

# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt

The plus sign (+) before the ahlt policy adds the policy to current policy settings. Without the plus sign, the ahlt policy replaces all current audit policies.

Example 3-11  Setting a Temporary Audit Policy

In this example, the ahlt audit policy is configured. For debugging, the administrator adds the trail audit policy to the active policy (+trail) temporarily (–t). The trail policy aids in the recovery of damaged audit trails.

$ auditconfig -setpolicy ahlt
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt
$ auditconfig -t -setpolicy +trail
configured audit policies = ahlt
active audit policies = ahlt,trail

The administrator disables the trail policy when the debugging is completed.

$ auditconfig -setpolicy -trail
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt

Refreshing the audit service by running the audit -s command also removes this temporary policy, plus any other temporary values in the audit service. For examples of other temporary values, see How to Change Audit Queue Controls.

Example 3-12  Setting the perzone Audit Policy

In this example, the perzone audit policy is added to the existing policy in the global zone. The perzone policy setting is stored as a permanent property, so perzone policy is in effect during the session and when the audit service is restarted. For the zones, the policy is available at the next zone boot.

$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
$ auditconfig -setpolicy +perzone
$ auditconfig -getpolicy
configured audit policies = perzone,cnt
active audit policies = perzone,cnt
Example 3-13  Collecting Audit Records for External Auditors

In this example, the administrator is collecting audit records to satisfy external auditors' requirements. The administrator decides to use an Audit Remote Server (ARS) to collect information about administrative activities. The administrator also collects actions that cannot be attributed to a user, such as booting.

The administrator sets up ARS. In addition to auditing the cusa class, the administrator adds policies to the audit configuration.

# auditconfig -setflags cusa
user default audit flags = ex,xa,ua,as,ss,ap,lo,ft(0x80475080,0x80475080)
# auditconfig -setpolicy ahlt,argv,argeauditconfig # auditconfig -getpolicy
configured audit policies = ahlt,arge,argv
active audit policies = ahlt,arge,argv
# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

When the administrator enables the audit_remote plugin and refreshes the audit service, the records are collected.