You might change default audit policy to record detailed information about audited commands, to add a zone name to every record, or to satisfy other site security requirements.
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Display the current audit policy:

    $ auditconfig -getpolicy
    configured audit policies = argv,cnt
    active audit policies = argv,cnt
For an explanation of the output, see Displaying Audit Service Defaults.
Display the policies that are available:

    $ auditconfig -lspolicy
    policy string    description:
    ahlt             halt machine if it can not record an async event
    all              all policies for the zone
    arge             include exec environment args in audit recs
    argv             include exec command line args in audit recs
    cnt              when no more space, drop recs and keep a cnt
    group            include supplementary groups in audit recs
    none             no policies
    path             allow multiple paths per event
    perzone          use a separate queue and auditd per zone
    public           audit public files
    seq              include a sequence number in audit recs
    trail            include trailer token in audit recs
    windata_down     include downgraded window information in audit recs
    windata_up       include upgraded window information in audit recs
    zonename         include zonename token in audit recs
Modify the audit policy:

    # auditconfig [ -t ] -setpolicy [prefix]policy[,policy...]

-t
    Optional. Creates a temporary, or active, policy. You might set a temporary policy for debugging or testing purposes. A temporary policy remains in effect until the audit service is refreshed, until the policy is modified by another auditconfig -setpolicy command, or until the system is rebooted.

prefix
    A prefix value of + adds the listed policies to the current policy. A prefix value of - removes the listed policies from the current policy. Without a prefix, the listed policies replace the current policy. Using a prefix therefore lets you retain the current audit policies while changing only the ones you name.

policy
    Selects the policy to be enabled or disabled. Separate multiple policies with commas.
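The steps above are normally typed by hand. As an added example (not part of the Oracle Solaris documentation), the POSIX shell functions below parse the output of auditconfig -getpolicy, compare the configured policy against a site baseline, print the -setpolicy command (with the + prefix, so existing policies are retained) that would bring the system up to that baseline, and report which active policies are only temporary, that is, set with -t and therefore lost on audit -s or reboot. The baseline list (ahlt, argv, arge, zonename) and the sample auditconfig output are constructed for this example; the policy names themselves are the ones auditconfig -lspolicy shows.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.
# Helpers that reason about 'auditconfig -getpolicy' output so that a policy
# baseline can be checked and applied idempotently instead of by eye.

# Constructed sample of 'auditconfig -getpolicy' output. Here 'trail' was added
# with 'auditconfig -t -setpolicy +trail', so it is active but not configured.
SAMPLE_GETPOLICY='configured audit policies = ahlt,arge,argv
active audit policies = ahlt,arge,argv,trail'

# policy_list configured|active
# Reads 'auditconfig -getpolicy' output on stdin and prints the comma-separated
# policy list for the requested kind.
policy_list() {
    sed -n "s/^$1 audit policies = //p"
}

# has_policy LIST POLICY -> exit status 0 if POLICY appears in comma-separated LIST
has_policy() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_policies LIST POLICY... -> prints the POLICY names absent from LIST
missing_policies() {
    list=$1; shift
    out=""
    for p in "$@"; do
        has_policy "$list" "$p" || out="$out${out:+,}$p"
    done
    printf '%s\n' "$out"
}

# temporary_policies CONFIGURED ACTIVE
# Prints policies that are active but not configured. These were set with -t
# and disappear when the service is refreshed with 'audit -s' or on reboot.
temporary_policies() {
    conf=$1
    out=""
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        has_policy "$conf" "$p" || out="$out${out:+,}$p"
    done
    printf '%s\n' "$out"
}

# plan_setpolicy GETPOLICY_OUTPUT POLICY...
# Prints the auditconfig command that adds the missing baseline policies to the
# configured policy. The '+' prefix keeps the policies already set; without it
# the named policies would replace the whole current policy.
plan_setpolicy() {
    gp=$1; shift
    conf=$(printf '%s\n' "$gp" | policy_list configured)
    miss=$(missing_policies "$conf" "$@")
    if [ -n "$miss" ]; then
        printf 'auditconfig -setpolicy +%s\n' "$miss"
    fi
}

# Stand-alone run against the constructed sample. On a Solaris host, replace
# SAMPLE_GETPOLICY with "$(auditconfig -getpolicy)".
conf=$(printf '%s\n' "$SAMPLE_GETPOLICY" | policy_list configured)
act=$(printf '%s\n' "$SAMPLE_GETPOLICY" | policy_list active)
echo "configured: $conf"
echo "active:     $act"
echo "temporary (lost on 'audit -s'): $(temporary_policies "$conf" "$act")"
echo "to reach baseline ahlt,argv,arge,zonename run:"
plan_setpolicy "$SAMPLE_GETPOLICY" ahlt argv arge zonename
```

The functions only inspect text, so they are safe to run anywhere; the single command they print is the one an administrator with the Audit Configuration rights profile would then run, after reviewing it.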
In this example, strict site security requires the ahlt policy. The administrator first removes the cnt policy and then adds ahlt to the remaining policy.

    # auditconfig -setpolicy -cnt
    # auditconfig -setpolicy +ahlt

The plus sign (+) before the ahlt policy adds the policy to the current policy settings. Without the plus sign, the ahlt policy replaces all current audit policies.

Example 11 Setting a Temporary Audit Policy
In this example, the ahlt audit policy is configured. For debugging, the administrator adds the trail audit policy to the active policy (+trail) temporarily (-t). The trail policy aids in the recovery of damaged audit trails.

    $ auditconfig -setpolicy ahlt
    $ auditconfig -getpolicy
    configured audit policies = ahlt
    active audit policies = ahlt
    $ auditconfig -t -setpolicy +trail
    $ auditconfig -getpolicy
    configured audit policies = ahlt
    active audit policies = ahlt,trail

The administrator disables the trail policy when the debugging is completed.

    $ auditconfig -setpolicy -trail
    $ auditconfig -getpolicy
    configured audit policies = ahlt
    active audit policies = ahlt

Refreshing the audit service by running the audit -s command also removes this temporary policy, plus any other temporary values in the audit service. For examples of other temporary values, see How to Change Audit Queue Controls.

Example 12 Setting the perzone Audit Policy
In this example, the perzone audit policy is added to the existing policy in the global zone. The perzone policy setting is stored as a permanent property, so the perzone policy is in effect during the session and after the audit service is restarted. For non-global zones, the policy takes effect at the next zone boot, or when the administrator runs zlogin into the zone and then runs the audit -s command.

    $ auditconfig -getpolicy
    configured audit policies = cnt
    active audit policies = cnt
    $ auditconfig -setpolicy +perzone
    $ auditconfig -getpolicy
    configured audit policies = perzone,cnt
    active audit policies = perzone,cnt

Example 13 Collecting Audit Records for External Auditors
In this example, the administrator is collecting audit records to satisfy external auditors' requirements. The administrator decides to use an Audit Remote Server (ARS) to collect information about administrative activities. The administrator also collects actions that cannot be attributed to a user, such as booting.
The administrator sets up ARS. In addition to auditing the cusa class, the administrator adds policies to the audit configuration.
    # auditconfig -setflags cusa
    user default audit flags = ex,xa,ua,as,ss,ap,lo,ft(0x80475080,0x80475080)
    # auditconfig -setpolicy ahlt,argv,arge
    # auditconfig -getpolicy
    configured audit policies = ahlt,arge,argv
    active audit policies = ahlt,arge,argv
    # auditconfig -setnaflags lo,na
    non-attributable audit flags = lo,na(0x1400,0x1400)
When the administrator enables the audit_remote plugin and refreshes the audit service, the records are collected.