For maintenance purposes, sometimes you want to prevent user-level events from being audited. The event number must be greater than 2047.
Before You Begin
The root role can perform every task in this procedure.
If administrative rights are distributed in your organization, note the following:
An administrator who is assigned the solaris.admin.edit/etc/security/audit_event authorization can modify the file.
An administrator with the Audit Configuration rights profile can run the auditconfig command.
An administrator with the Service Configuration rights profile can run the svcadm command.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
For example, the *STAT events are kernel events. Events 6214 and 6215 belong to the user administration, ua, class.
## audit_event file
...
87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip
94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip
101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip
...
6214:AUE_kadmind_auth:authenticated kadmind request:ua
6215:AUE_kadmind_unauth:unauthenticated kadmind req:ua
...
Change these events to the no class.
## audit_event file
...
87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:no
94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:no
101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:no
...
6214:AUE_kadmind_auth:authenticated kadmind request:no
6215:AUE_kadmind_unauth:unauthenticated kadmind req:no
...
If the ip and ua classes are currently being audited, existing sessions will still audit these events. To stop these events from being audited, you must update the users' preselection masks by following the instructions in How to Update the Preselection Mask of Logged In Users.
Caution - Never comment out events in the audit_event file. This file is used by the praudit command to read binary audit files. Archived audit files might contain events that are listed in the file.
$ pfexec auditconfig -conf
Configured 283 kernel events.
$ pfexec svcadm refresh system/auditset:default
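A check for the edit described above, written as an added example that is not part of the Oracle documentation: it compares a backup copy of audit_event with the edited file, lists the events that moved to the no class, and flags any event that was deleted or commented out, which the Caution forbids. The function name check_audit_event_edit, the backup name audit_event.orig and the sample files are assumptions; the sample entries are constructed from the listing on this page.

```sh
#!/bin/sh
# Added example (not Oracle's code): compare a backup of audit_event with the
# edited copy. Reports events moved to the "no" class and events that are no
# longer active entries (deleted or commented out).
check_audit_event_edit() {      # $1 = backup copy, $2 = edited file
    rc=0
    out=$(awk -F: '
        /^[ \t]*#/ || NF < 4 { next }             # comments, blank lines
        FILENAME == ARGV[1] { name[$1] = $2; cls[$1] = $NF; next }
        {
            seen[$1] = 1
            if ($NF == "no" && ($1 in cls) && cls[$1] != "no")
                printf "NOCLASS %s %s (was %s)\n", $1, $2, cls[$1]
        }
        END {
            for (n in name) if (!(n in seen)) {
                printf "MISSING %s %s\n", n, name[n]; bad = 1
            }
            exit bad + 0                          # 1 if any event vanished
        }' "$1" "$2") || rc=$?
    [ -n "$out" ] && printf '%s\n' "$out" | sort -k2,2n
    return "$rc"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed sample: the entries shown on this page, before editing.
cat > "$tmp/audit_event.orig" <<'EOF'
## audit_event file
87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip
94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip
101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip
6214:AUE_kadmind_auth:authenticated kadmind request:ua
6215:AUE_kadmind_unauth:unauthenticated kadmind req:ua
EOF
# Edited copy with one deliberate mistake: event 101 is commented out
# instead of being moved to the no class.
sed -e 's/^101:/#101:/' -e '/^#/!s/:[a-z]*$/:no/' \
    "$tmp/audit_event.orig" > "$tmp/audit_event"
check_audit_event_edit "$tmp/audit_event.orig" "$tmp/audit_event" ||
    echo "edit removed active events; restore them and use the no class"
```

The function returns nonzero only when an event from the backup is missing from the edited file, so it can gate the auditconfig -conf and svcadm refresh steps.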
See Also