Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: October 2017
 
 

How to Prevent the Auditing of Specific Events

For maintenance purposes, sometimes you want to prevent events from being audited.


Note -  You cannot use this procedure on Oracle Solaris kernel events. However, you can use this procedure to allocate user level audit events with event numbers greater than 2047.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Change the class of the event to the no class.

    Note -  For information about the effects of modifying an audit configuration file, see Audit Configuration Files and Packaging.

    For example, events 6214 and 6215 belong to the user administration, ua, class.

    ## audit_event file
    ...
    6214:AUE_kadmind_auth:authenticated kadmind request:ua
    6215:AUE_kadmind_unauth:unauthenticated kadmind req:ua
    
    ...

    Change these events to the no class.

    ## audit_event file
    ...
    6214:AUE_kadmind_auth:authenticated kadmind request:no
    6215:AUE_kadmind_unauth:unauthenticated kadmind req:no
    
    ...

    If the ua class is currently being audited, existing sessions will still audit events 6214 and 6215. To stop these events from being audited, you must update the users' preselection masks by following the instructions in How to Update the Preselection Mask of Logged In Users.


    Caution

    Caution  -  Never comment out events in the audit_event file. This file is used by the praudit command to read binary audit files. Archived audit files might contain events that are listed in the file.


  2. Refresh the kernel events.
    # auditconfig -conf
    Configured 283 kernel events.