This section provides an example of how you configure and implement Oracle Solaris auditing. The example assumes you have distributed the rights to manage auditing to different administrators.
The example begins with the configuration of different attributes of the service according to specific needs and requirements. After configuration is completed, the audit service is started to implement the configuration settings. Each time that you need to revise an existing audit configuration to accommodate new requirements, follow the same sequence of actions in this example.
Configure the audit parameters.
Refresh the audit service.
Verify the new audit configuration.
Add a temporary policy.
$ auditconfig -t -setpolicy +zonename
$ auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone,zonename
Specify the plugin attributes.
For the audit_binfile plugin, remove the qsize value.
$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/audit/sys1.1,/var/audit;p_minfree=2;p_fsize=4G;
Queue size: 200
$ auditconfig -setplugin audit_binfile "" 0
$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/audit/sys1.1,/var/audit;p_minfree=2;p_fsize=4G;
For the audit_syslog plugin, specify that the successful login and logout events and failed executables be sent to syslog. The qsize for this plugin is set to 150.
$ auditconfig -setplugin audit_syslog active p_flags=+lo,-ex 150
$ auditconfig -getplugin audit_syslog
Plugin: audit_syslog
Attributes: p_flags=+lo,-ex;
Queue size: 150
Do not configure or use the audit_remote plugin.
Refresh the audit service and verify the configuration.
The temporary zonename policy is no longer set.
$ audit -s
$ auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone
The audit_binfile plugin does not have a specified queue size. The audit_syslog plugin has a specified queue size.
$ auditconfig -getplugin
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
Plugin: audit_syslog
Attributes: p_flags=+lo,-ex;
Queue size: 150
...
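The verification step above can be scripted so that the refreshed configuration is checked against the intended settings rather than read by eye. The following POSIX shell script is an added example, not part of the Oracle documentation: the function names are my own, and POLICY_OUT and PLUGIN_OUT are sample outputs constructed from the sessions shown on this page.

```shell
#!/bin/sh
# Added example (not Oracle's code): check the outputs of the verification
# step against the intended settings. POLICY_OUT and PLUGIN_OUT are sample
# outputs constructed from this page; on a live system pipe in the output of
# "auditconfig -getpolicy" and "auditconfig -getplugin" instead.

POLICY_OUT='configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone'

PLUGIN_OUT='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
Plugin: audit_syslog
Attributes: p_flags=+lo,-ex;
Queue size: 150'

# Print the active policies from -getpolicy output on stdin, one per line.
active_policies() {
    sed -n 's/^active audit policies = //p' | tr ',' '\n'
}

# Print "plugin qsize attributes" for each plugin in -getplugin output on
# stdin; qsize is "-" when the plugin has no queue size of its own.
plugin_table() {
    awk '
        /^Plugin:/     { if (name != "") print name, qsize, attrs
                         name = $2; attrs = "-"; qsize = "-" }
        /^Attributes:/ { sub(/^Attributes: */, ""); attrs = $0 }
        /^Queue size:/ { qsize = $3 }
        END            { if (name != "") print name, qsize, attrs }
    '
}

# Succeed when the temporary zonename policy is no longer active.
check_no_zonename() {
    ! active_policies | grep -qx zonename
}

# Succeed when plugin $1 has queue size $2 ("-" means none specified).
check_qsize() {
    plugin_table | awk -v p="$1" -v q="$2" '$1 == p && $2 == q { ok = 1 }
                                            END { exit !ok }'
}

# Run all checks on the sample output; succeeds only if every check passes.
verify_sample() {
    printf '%s\n' "$POLICY_OUT" | check_no_zonename &&
    printf '%s\n' "$PLUGIN_OUT" | check_qsize audit_binfile - &&
    printf '%s\n' "$PLUGIN_OUT" | check_qsize audit_syslog 150
}

verify_sample && echo "audit configuration matches the intended settings"
```

On a live system, replace the printf lines with `auditconfig -getpolicy | check_no_zonename` and `auditconfig -getplugin | check_qsize ...`, and run the script after each `audit -s`.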