Managing Auditing in Oracle® Solaris 11.2

Exit Print View

 
Updated: July 2014
 
 

How to Change Audit Policy

You might change default audit policy to record detailed information about audited commands, to add a zone name to every record, or to satisfy other site security requirements.

Before You Begin

You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. View the current audit policy. 
    $ auditconfig -getpolicy
...

    For an explanation of the output, see Displaying Audit Service Defaults.

  2. View the available policy options. 
    $ auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies for the zone
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
    Note -  The perzone and ahlt policy options can be set only in the global zone. For the trade-offs to using a particular policy option, see Understanding Audit Policy.
  3. Enable or disable selected audit policy options. 
    # auditconfig [ -t ] -setpolicy [prefix]policy[,policy...]
    –t

    Optional. Creates a temporary, or active, policy. You might set a temporary policy for debugging or testing purposes.

    A temporary policy is in effect until the audit service is refreshed, or until the policy is modified by the auditconfig -setpolicy command.

    prefix

    A prefix value of + adds the list of policies to the current policy. A prefix value of - removes the list of policies from the current policy. Without a prefix, the audit policy is reset. This option enables you to retain current audit policies.

    policy

    Selects the policy to be enabled or to be disabled.

Example 3-10  Setting the ahlt Audit Policy Option

In this example, strict site security requires the ahlt policy.

# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt

The plus sign (+) before the ahlt policy adds the policy to current policy settings. Without the plus sign, the ahlt policy replaces all current audit policies.

Example 3-11  Setting a Temporary Audit Policy

In this example, the ahlt audit policy is configured. For debugging, the administrator adds the trail audit policy to the active policy (+trail) temporarily (–t). The trail policy aids in the recovery of damaged audit trails.

$ auditconfig -setpolicy ahlt
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt
$ auditconfig -t -setpolicy +trail
configured audit policies = ahlt
active audit policies = ahlt,trail

The administrator disables the trail policy when the debugging is completed.

$ auditconfig -setpolicy -trail
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt

Refreshing the audit service by running the audit -s command also removes this temporary policy, plus any other temporary values in the audit service. For examples of other temporary values, see How to Change Audit Queue Controls.

Example 3-12  Setting the perzone Audit Policy

In this example, the perzone audit policy is added to the existing policy in the global zone. The perzone policy setting is stored as a permanent property, so perzone policy is in effect during the session and when the audit service is restarted. For the zones, the policy is available at the next zone boot.

$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
$ auditconfig -setpolicy +perzone
$ auditconfig -getpolicy
configured audit policies = perzone,cnt
active audit policies = perzone,cnt
Example 3-13  Collecting Audit Records for External Auditors

In this example, the administrator is collecting audit records to satisfy external auditors' requirements. The administrator decides to use an Audit Remote Server (ARS) to collect information about administrative activities. The administrator also collects actions that cannot be attributed to a user, such as booting.

The administrator sets up ARS. In addition to auditing the cusa class, the administrator adds policies to the audit configuration.

# auditconfig -setflags cusa
user default audit flags = ex,xa,ua,as,ss,ap,lo,ft(0x80475080,0x80475080)
# auditconfig -setpolicy ahlt,argv,argeauditconfig # auditconfig -getpolicy
configured audit policies = ahlt,arge,argv
active audit policies = ahlt,arge,argv
# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

When the administrator enables the audit_remote plugin and refreshes the audit service, the records are collected.

Copyright © 2002, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous
Next