How to Prevent the Auditing of Specific Events - Managing Auditing in Oracle® Solaris 11.2

Managing Auditing in Oracle^® Solaris 11.2

Exit Print View

» ...Documentation Home » Oracle Solaris 11.2 Information Library » Managing Auditing in Oracle^® ... » Managing the Audit Service » Customizing What Is Audited » How to Prevent the Auditing of Specific Events

Updated: July 2014

Managing Auditing in Oracle^® Solaris 11.2

Document Information

Using This Documentation

Chapter 1 About Auditing in Oracle Solaris

Chapter 2 Planning for Auditing

Chapter 3 Managing the Audit Service

Default Configuration of the Audit Service

Displaying Audit Service Defaults

Enabling and Disabling the Audit Service

Configuring the Audit Service

How to Preselect Audit Classes

How to Configure a User's Audit Characteristics

How to Change Audit Policy

How to Change Audit Queue Controls

How to Configure the audit_warn Email Alias

How to Add an Audit Class

How to Change an Audit Event's Class Membership

Customizing What Is Audited

How to Audit All Commands by Users

How to Find Audit Records of Changes to Specific Files

How to Update the Preselection Mask of Logged In Users

How to Prevent the Auditing of Specific Events

How to Compress Audit Files on a Dedicated File System

How to Audit FTP and SFTP File Transfers

Configuring the Audit Service in Zones

How to Configure All Zones Identically for Auditing

How to Configure Per-Zone Auditing

Example: Configuring Oracle Solaris Auditing

Chapter 4 Monitoring System Activities

Chapter 5 Working With Audit Data

Chapter 6 Analyzing and Resolving Audit Service Issues

Chapter 7 Auditing Reference

Security Glossary

Language:

How to Prevent the Auditing of Specific Events

For maintenance purposes, sometimes a site wants to prevent events from being audited.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

Change the class of the event to the no class.

Note - For information about the effects of modifying an audit configuration file, see Audit Configuration Files and Packaging.

For example, events 26 and 27 belong to the pm class.

## audit_event file
...
25:AUE_VFORK:vfork(2):ps
26:AUE_SETGROUPS:setgroups(2):pm
27:AUE_SETPGRP:setpgrp(2):pm
28:AUE_SWAPON:swapon(2):no
...

Change these events to the no class.

## audit_event file
...
25:AUE_VFORK:vfork(2):ps
26:AUE_SETGROUPS:setgroups(2):no
27:AUE_SETPGRP:setpgrp(2):no
28:AUE_SWAPON:swapon(2):no
...

If the pm class is currently being audited, existing sessions will still audit events 26 and 27. To stop these events from being audited, you must update the users' preselection masks by following the instructions in How to Update the Preselection Mask of Logged In Users.

Caution

Caution - Never comment out events in the audit_event file. This file is used by the praudit command to read binary audit files. Archived audit files might contain events that are listed in the file.

Refresh the kernel events.

# auditconfig -conf
Configured 283 kernel events.

Copyright © 2002, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices