|
|
|
|
This policy applies to asynchronous events only. When disabled, this policy allows the event
to complete without an audit record being generated.
When enabled, this policy stops the system when the audit queue is full. Administrative
intervention is required to clean up the audit queue, make space available for audit records, and
reboot. This policy can be enabled only in the global zone. The policy affects all zones.
|
The disabled option is preferable when system availability is more important than
security.
|
|
When disabled, this policy omits environment variables of an executed program from the
execve audit record.
When enabled, this policy adds the environment variables of an executed program to the
execve audit record. The resulting audit records contain much more detail than
when this policy is disabled.
|
The enabled option is preferable when you are auditing a few users. The option is also useful
when you are unsure about the environment variables that are being used in programs in the
ex audit class.
|
|
When disabled, this policy omits the arguments of an executed program from the
execve audit record.
When enabled, this policy adds the arguments of an executed program to the
execve audit record. The resulting audit records contain much more detail than
when this policy is disabled.
|
The enabled option is preferable when you are auditing a few users. The option is also useful
when you have reason to believe that unusual programs in the ex audit class are
being run.
|
|
When disabled, this policy blocks a user or application from running. The blocking happens
when audit records cannot be added to the audit trail because the audit queue is full.
When enabled, this policy allows the event to complete without an audit record being
generated. The policy maintains a count of audit records that are dropped.
|
The disabled option is preferable in an environment where security is paramount.
|
|
When disabled, this policy does not add a groups list to audit records.
When enabled, this policy adds a groups list to every audit record as a special
token.
|
The disabled option usually satisfies requirements for site security.
The enabled option is preferable when you need to audit the supplemental groups to which the
subject belongs to.
|
|
When disabled, this policy records in an audit record at most one path that is used during a
system call.
When enabled, this policy records every path that is used in conjunction with an audit event
to every audit record.
|
The disabled option places at most one path in an audit record.
The enabled option enters each file name or path that is used during a system call in the
audit record as a path token.
|
|
When disabled, this policy maintains a single audit configuration for a system. One audit
service runs in the global zone. Audit events in specific zones can be located in the audit record
if the zonename audit token was preselected.
When enabled, this policy maintains a separate audit configuration, audit queue, and audit
logs for each zone. An audit service runs in each zone. This policy can be enabled in the global
zone only.
|
The disabled option is useful when you have no special reason to maintain a separate audit
log, queue, and daemon for each zone.
The enabled option is useful when you cannot monitor your system effectively by simply
examining audit records with the zonename audit token.
|
|
When disabled, this policy does not add read-only events of public objects to the audit trail
when the reading of files is preselected. Audit classes that contain read-only events include
fr, fa, and cl.
When enabled, this policy records every read-only audit event of public objects if an
appropriate audit class is preselected.
|
The disabled option usually satisfies requirements for site security.
The enabled option is rarely useful.
|
|
When disabled, this policy does not add a sequence number to every audit record.
When enabled, this policy adds a sequence number to every audit record. The
sequence token holds the sequence number.
|
The disabled option is sufficient when auditing is running smoothly.
The enabled option is preferable when the cnt policy is enabled. The
seq policy enables you to determine when data was discarded. Alternatively, you
can use the auditstat command to view dropped records.
|
|
When disabled, this policy does not add a trailer token to audit
records.
When enabled, this policy adds a trailer token to every audit
record.
|
The disabled option creates a smaller audit record.
The enabled option clearly marks the end of each audit record with a
trailer token. The trailer token is often used with the
sequence token. The trailer token aids in the recovery of
damaged audit trails.
|
|
When disabled, this policy does not include a zonename token in audit
records.
When enabled, this policy includes a zonename token in every audit
record.
|
The disabled option is useful when you do not need to track audit behavior per zone.
The enabled option is useful when you want to isolate and compare audit behavior across zones
by post-selecting records according to zone.
|