System Administration Guide: Security Services

Determining Audit Policy

Audit policy determines the characteristics of the audit records for the local system. The policy options are set by a startup script. The bsmconv script, which enables the auditing service, creates the /etc/security/audit_startup script. The audit_startup script executes the auditconfig command to establish audit policy. For details about the script, see the audit_startup(1M) man page.

Most audit policy options are disabled by default to minimize storage requirements and system processing demands. You can dynamically enable and disable audit policy options with the auditconfig command. You can permanently enable and disable the policy options with the audit_startup script.

Use the following table to determine if the needs of your site justify the additional overhead that results from enabling one or more audit policy options.

Table 29-1 Effects of Audit Policy Options

The table has three columns: Policy Name, Description, and Why Change the Policy Option? Each entry below gives the policy name, then its description (behavior when the policy is disabled and when it is enabled), then the reasons for choosing one setting over the other.

ahlt

  Description: This policy applies to asynchronous events only. When disabled, this policy allows the event to complete without an audit record being generated.

  When enabled, this policy stops the system when the audit file systems are full. Administrative intervention is required to clean up the audit queue, make space available for audit records, and reboot. This policy can only be enabled in the global zone. The policy affects all zones.

  Why change the policy option? The disabled option makes sense when system availability is more important than security.

  The enabled option makes sense in an environment where security is paramount.

arge

  Description: When disabled, this policy omits environment variables of an executed program from the exec audit record.

  When enabled, this policy adds the environment variables of an executed program to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled.

  Why change the policy option? The disabled option collects much less information than the enabled option.

  The enabled option makes sense when you are auditing a few users. The option is also useful when you have suspicions about the environment variables that are being used in exec programs.

argv

  Description: When disabled, this policy omits the arguments of an executed program from the exec audit record.

  When enabled, this policy adds the arguments of an executed program to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled.

  Why change the policy option? The disabled option collects much less information than the enabled option.

  The enabled option makes sense when you are auditing a few users. The option is also useful when you have reason to believe that unusual exec programs are being run.

cnt

  Description: When disabled, this policy blocks a user or application from running. The blocking happens when audit records cannot be added to the audit trail because no disk space is available.

  When enabled, this policy allows the event to complete without an audit record being generated. The policy maintains a count of audit records that are dropped.

  Why change the policy option? The disabled option makes sense in an environment where security is paramount.

  The enabled option makes sense when system availability is more important than security.

group

  Description: When disabled, this policy does not add a groups list to audit records.

  When enabled, this policy adds a groups list to every audit record as a special token.

  Why change the policy option? The disabled option usually satisfies requirements for site security.

  The enabled option makes sense when you need to audit which groups are generating audit events.

path

  Description: When disabled, this policy records in an audit record at most one path that is used during a system call.

  When enabled, this policy records every path that is used in conjunction with an audit event to every audit record.

  Why change the policy option? The disabled option places at most one path in an audit record.

  The enabled option enters each file name or path that is used during a system call in the audit record as a path token.

perzone

  Description: When disabled, this policy maintains a single audit configuration for a system. One audit daemon runs in the global zone. Audit events in non-global zones can be located in the audit record by preselecting the zonename audit token.

  When enabled, this policy maintains separate audit configuration, audit queue, and audit logs for each zone. A separate version of the audit daemon runs in each zone. This policy can be enabled in the global zone only.

  Why change the policy option? The disabled option is useful when you have no special reason to maintain a separate audit log, queue, and daemon for each zone.

  The enabled option is useful when you cannot monitor your system effectively by simply preselecting the zonename audit token.

public

  Description: When disabled, this policy does not add read-only events of public objects to the audit trail when the reading of files is preselected. Audit classes that contain read-only events include fr, fa, and cl.

  When enabled, this policy records every read-only audit event of public objects if an appropriate audit class is preselected.

  Why change the policy option? The disabled option usually satisfies requirements for site security.

  The enabled option is rarely useful.

seq

  Description: When disabled, this policy does not add a sequence number to every audit record.

  When enabled, this policy adds a sequence number to every audit record. The sequence token holds the sequence number.

  Why change the policy option? The disabled option is sufficient when auditing is running smoothly.

  The enabled option makes sense when the cnt policy is enabled. The seq policy enables you to determine when data was discarded.

trail

  Description: When disabled, this policy does not add a trailer token to audit records.

  When enabled, this policy adds a trailer token to every audit record.

  Why change the policy option? The disabled option creates a smaller audit record.

  The enabled option clearly marks the end of each audit record with a trailer token. The trailer token is often used in conjunction with the sequence token. The trailer token provides easier and more accurate resynchronization of audit records.

zonename

  Description: When disabled, this policy does not include a zonename token in audit records.

  When enabled, this policy includes a zonename token in every audit record from a non-global zone.

  Why change the policy option? The disabled option is useful when you do not need to compare audit behavior across zones.

  The enabled option is useful when you want to isolate and compare audit behavior across zones.
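The following script is an added example, not part of this guide or of the Solaris audit_startup script that bsmconv generates. It shows how a site would assemble the auditconfig -setpolicy lines for audit_startup from the policy names in Table 29-1: it rejects names that are not in the table, flags the one combination the table presents as contradictory (ahlt enabled together with cnt enabled, since the table ties ahlt-on to "security is paramount" and cnt-on to "availability is more important"), and reminds you to enable seq whenever cnt is on so that dropped records can be detected. The AUDITCONFIG path and the trailing -conf and -aconf lines are assumptions about the generated script; the example only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example: build audit_startup policy lines from Table 29-1 names.
# Assumption: auditconfig lives at /usr/sbin/auditconfig (override via env).
AUDITCONFIG=${AUDITCONFIG:-/usr/sbin/auditconfig}

# Policy names exactly as listed in Table 29-1; anything else is rejected.
KNOWN_POLICIES="ahlt arge argv cnt group path perzone public seq trail zonename"

# is_known_policy NAME: succeed only if NAME appears in the table.
is_known_policy() {
    for p in $KNOWN_POLICIES; do
        if [ "$p" = "$1" ]; then return 0; fi
    done
    return 1
}

# list_contains "a,b,c" NAME: succeed if NAME is in the comma-separated list.
list_contains() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$p" = "$2" ]; then return 0; fi
    done
    return 1
}

# validate_policies "a,b,c": fail on the first name that is not in the table.
validate_policies() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if ! is_known_policy "$p"; then
            echo "unknown audit policy: $p" >&2
            return 1
        fi
    done
    return 0
}

# check_policy_mix ENABLE_LIST: print advisories drawn from Table 29-1.
# Returns 1 when the enabled set is self-contradictory, 0 otherwise.
check_policy_mix() {
    rc=0
    # ahlt on = halt when audit file systems fill (security first);
    # cnt on  = keep running and count dropped records (availability first).
    if list_contains "$1" ahlt && list_contains "$1" cnt; then
        echo "conflict: ahlt and cnt express opposite availability/security choices" >&2
        rc=1
    fi
    # With cnt on, seq is what lets you see where records were discarded.
    if list_contains "$1" cnt && ! list_contains "$1" seq; then
        echo "advice: cnt is enabled; enable seq too so dropped records are detectable" >&2
    fi
    return $rc
}

# render_startup_lines ENABLE_LIST DISABLE_LIST: print the auditconfig commands.
# -setpolicy takes a single +/- prefix for the whole comma-separated list,
# so enabling and disabling are separate invocations.
render_startup_lines() {
    if ! validate_policies "$1"; then return 1; fi
    if ! validate_policies "$2"; then return 1; fi
    if ! check_policy_mix "$1"; then return 1; fi
    if [ -n "$1" ]; then echo "$AUDITCONFIG -setpolicy +$1"; fi
    if [ -n "$2" ]; then echo "$AUDITCONFIG -setpolicy -$2"; fi
    # Assumed: the generated script also loads class/event configuration.
    echo "$AUDITCONFIG -conf"
    echo "$AUDITCONFIG -aconf"
    return 0
}

# Example run (constructed): an availability-first site that still wants
# exec arguments and environment, with seq so drops under cnt are visible.
render_startup_lines "cnt,seq,argv,arge" "ahlt,public"
```

Paste the printed lines into /etc/security/audit_startup to make the choice permanent, or run them directly for the dynamic change described above; auditconfig -getpolicy shows which policies are currently active.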
