Managing Auditing in Oracle® Solaris 11.4

Updated: February 2019
 
 

How to Preselect Audit Classes

You can preselect audit classes that contain the events that you want to monitor. Events that are not in preselected classes are not recorded.

Before You Begin

You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Determine the current preselected classes.
    $ pfbash ; auditconfig -getflags
    ...
    $ auditconfig -getnaflags
    ...

    For an explanation of the output, see Displaying Audit Service Defaults.

  2. Preselect the attributable classes.

    For example, the following command audits the events in the login/logout, process start/stop, and file write classes for success and for failure.

    $ auditconfig -setflags lo,ps,fw
    user default audit flags = ps,lo,fw(0x101002,0x101002)

    Note -  The auditconfig -setflags command replaces the current preselection, so you must specify all classes that you want to preselect.

  3. Preselect the non-attributable classes.

    The na class contains PROM, boot, and non-attributable mounts, among other events.

    $ auditconfig -setnaflags lo,na
    non-attributable audit flags = lo,na(0x1400,0x1400)

    lo and na are the only useful arguments to the -setnaflags option.


    Note -  The auditconfig -setnaflags command replaces the current preselection, so you must specify all classes that you want to preselect.
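
Because -setflags and -setnaflags replace the preselection, the following added example (not part of the Oracle procedure) merges new classes into the current list before setting it. The function names are hypothetical, and the script assumes that the -getflags and -getnaflags output uses the same "audit flags = classes(mask,mask)" form that the -setflags output shows above.

```shell
#!/bin/sh
# Added example, not Oracle-supplied code. Run from a profile shell with the
# Audit Configuration rights profile, e.g.:  sh add_classes.sh flags ex

# Extract the class list from a line such as
#   user default audit flags = ps,lo,fw(0x101002,0x101002)
classes_from_line() {
    printf '%s\n' "$1" | sed -n 's/^.*audit flags = \([^(]*\)(.*$/\1/p'
}

# Join two comma-separated class lists, keeping order and dropping duplicates.
# Prefixed entries (+lo, -fw, ^fw) are treated as distinct tokens.
merge_classes() {
    printf '%s,%s\n' "$1" "$2" | tr -d ' ' | tr ',' '\n' | awk '
        NF && !seen[$0]++ { out = out sep $0; sep = "," }
        END { print out }'
}

# add_audit_classes KIND NEW
#   KIND is "flags" (attributable) or "naflags" (non-attributable).
#   NEW  is a comma-separated list of classes to add.
add_audit_classes() {
    kind=$1
    # Assumption: the last "audit flags = " line holds the value to preserve.
    line=$(auditconfig "-get$kind" | grep 'audit flags = ' | tail -1)
    current=$(classes_from_line "$line")
    if [ -z "$current" ]; then
        # Refuse to continue: setting only NEW would drop existing classes.
        echo "cannot parse current $kind; nothing changed" >&2
        return 1
    fi
    merged=$(merge_classes "$current" "$2")
    echo "$kind: $current -> $merged"
    auditconfig "-set$kind" "$merged"
}

# Only act when called with both arguments.
if [ $# -eq 2 ]; then
    add_audit_classes "$1" "$2"
fi
```

Confirm the result with auditconfig -getflags or auditconfig -getnaflags after the script runs.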