Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: December 2018
 
 

Understanding Audit Policy

Audit policy determines the characteristics of the audit records for the local system. You use the auditconfig command to set these policies. For more information, see the auditconfig(1M) man page.

Most audit policy options are disabled by default to minimize storage requirements and system processing demands. These options are properties of the audit service and determine the policies that are in effect at system boot. For more information, see the auditconfig(1M) man page.

Use the following table to determine whether the needs of your site justify the additional overhead that results from enabling one or more audit policy options.

Table 3  Effects of Audit Policy Options
Policy Name
Description
Policy Considerations
ahlt
This policy applies to asynchronous events only. When disabled, this policy allows the event to complete without an audit record being generated.
When enabled, this policy stops the system when the audit queue is full. Administrative intervention is required to clean up the audit queue, make space available for audit records, and reboot. This policy can be enabled only in the global zone. The policy affects all zones.
The disabled option is preferable when system availability is more important than security.
The enabled option is preferable in an environment where security is paramount. For a fuller discussion, see Audit Policies for Asynchronous and Synchronous Events.
arge
When disabled, this policy omits environment variables of an executed program from the execve audit record.
When enabled, this policy adds the environment variables of an executed program to the execve audit record. The resulting audit records contain much more detail than when this policy is disabled.
The disabled option collects much less information than the enabled option. For a comparison, see How to Audit All Commands by Users.
The enabled option is preferable when you are auditing a few users. The option is also useful when you are unsure about the environment variables that are being used in programs in the ex audit class.
argv
When disabled, this policy omits the arguments of an executed program from the execve audit record.
When enabled, this policy adds the arguments of an executed program to the execve audit record. The resulting audit records contain much more detail than when this policy is disabled.
The disabled option collects much less information than the enabled option. For a comparison, see How to Audit All Commands by Users.
The enabled option is preferable when you are auditing a few users. The option is also useful when you have reason to believe that unusual programs in the ex audit class are being run.
cnt
When disabled, this policy blocks a user or application from running. The blocking happens when audit records cannot be added to the audit trail because the audit queue is full.
When enabled, this policy allows the event to complete without an audit record being generated. The policy maintains a count of audit records that are dropped.
The disabled option is preferable in an environment where security is paramount.
The enabled option is preferable when system availability is more important than security. For a fuller discussion, see Audit Policies for Asynchronous and Synchronous Events.
group
When disabled, this policy does not add a groups list to audit records.
When enabled, this policy adds a groups list to every audit record as a special token.
The disabled option usually satisfies requirements for site security.
The enabled option is preferable when you need to audit the supplemental groups to which the subject belongs to.
path
When disabled, this policy records in an audit record at most one path that is used during a system call.
When enabled, this policy records every path that is used in conjunction with an audit event to every audit record.
The disabled option places at most one path in an audit record.
The enabled option enters each file name or path that is used during a system call in the audit record as a path token.
perzone
When disabled, this policy maintains a single audit configuration for a system. One audit service runs in the global zone. Audit events in specific zones can be located in the audit record if the zonename audit token was preselected.
When enabled, this policy maintains a separate audit configuration, audit queue, and audit logs for each zone. An audit service runs in each zone. This policy can be enabled in the global zone only.
The disabled option is useful when you have no special reason to maintain a separate audit log, queue, and daemon for each zone.
The enabled option is useful when you cannot monitor your system effectively by simply examining audit records with the zonename audit token.
public
When disabled, this policy does not add read-only events of public objects to the audit trail when the reading of files is preselected. Audit classes that contain read-only events include fr, fa, and cl.
When enabled, this policy records every read-only audit event of public objects if an appropriate audit class is preselected.
The disabled option usually satisfies requirements for site security.
The enabled option is rarely useful.
seq
When disabled, this policy does not add a sequence number to every audit record.
When enabled, this policy adds a sequence number to every audit record. The sequence token holds the sequence number.
The disabled option is sufficient when auditing is running smoothly.
The enabled option is preferable when the cnt policy is enabled. The seq policy enables you to determine when data was discarded. Alternatively, you can use the auditstat command to view dropped records.
trail
When disabled, this policy does not add a trailer token to audit records.
When enabled, this policy adds a trailer token to every audit record.
The disabled option creates a smaller audit record.
The enabled option clearly marks the end of each audit record with a trailer token. The trailer token is often used with the sequence token. The trailer token aids in the recovery of damaged audit trails.
zonename
When disabled, this policy does not include a zonename token in audit records.
When enabled, this policy includes a zonename token in every audit record.
The disabled option is useful when you do not need to track audit behavior per zone.
The enabled option is useful when you want to isolate and compare audit behavior across zones by post-selecting records according to zone.