
Procedure: How to Enable or Disable an Audit Policy

Audit policies determine the characteristics of the audit records for the local host. By default, all audit policies are disabled. You need to enable any audit policies that you want to use. For a description of each policy, see Audit Policies.

You can inspect, enable, or disable the current audit policy with the auditon() system call at the program level. Or, to do the same task, you can run the auditconfig command. You can also modify the policy options to the auditconfig command in the audit_startup script to make more permanent audit policy changes.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Review the existing audit policies.

    Ensure that you are aware of all the policies that are being used before you change any policies. The following command lists the enabled policies:

    # auditconfig -lspolicy

  3. Enable or disable the audit policy.

    # auditconfig -setpolicy flagpolicyname

    flag

    A flag value of + enables the policy. A flag value of - disables the policy.

    policyname

    Selects the policy to be enabled or to be disabled.

    The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.

Example--Setting the cnt Policy

The cnt policy can be set so that if the audit partitions become full, then processes are not blocked. The records are discarded when the partitions are full, but the system still functions. The cnt policy keeps a count of the number of discarded audit records. The cnt policy should not be set if security is paramount, since unrecorded events can occur if the file system is full.

The following command enables the cnt policy:

# auditconfig -setpolicy +cnt

To maintain the policy across reboots, you should place the auditconfig -setpolicy +cnt command in the audit_startup file.
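The step above and the note on audit_startup together give a simple check worth automating: which policies that are active now would be lost at the next boot, and which would appear. The following is an added example, not code from the Solaris documentation; it assumes a constructed audit_startup file that uses only the `auditconfig -setpolicy +name` / `-name` form shown on this page, and takes the currently active policy names as a plain list rather than parsing auditconfig output.

```python
import re

# Constructed sample of an /etc/security/audit_startup file (not a real one):
# the page says auditconfig -setpolicy lines placed here survive reboots.
AUDIT_STARTUP = """\
#!/bin/sh
# constructed sample; real files also carry other auditconfig calls
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -setpolicy -ahlt
"""

# Matches the +policy / -policy form used on this page (assumed form).
SETPOLICY = re.compile(r"auditconfig\s+-setpolicy\s+([+-][a-z]+)")

def persistent_policies(startup_text):
    """Policies audit_startup will enable, applied in file order (+ adds, - removes)."""
    enabled = set()
    for line in startup_text.splitlines():
        if line.lstrip().startswith("#"):        # skip comments and the shebang
            continue
        for flag_name in SETPOLICY.findall(line):
            flag, name = flag_name[0], flag_name[1:]
            if flag == "+":
                enabled.add(name)
            else:
                enabled.discard(name)
    return enabled

def policy_drift(active, startup_text):
    """Compare the policies active now with what audit_startup restores.

    Returns (lost_on_reboot, gained_on_reboot), each a sorted list of names.
    """
    persistent = persistent_policies(startup_text)
    active = set(active)
    return sorted(active - persistent), sorted(persistent - active)
```

Running policy_drift with the names from your host's active policy list tells you which settings were made only with the transient auditconfig -setpolicy command and still need a line in audit_startup.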

Procedure: How to Enable Auditing

This task starts the auditing service. If the service has been configured, then rebooting the host also starts the service.

  1. Become superuser or assume an equivalent role.

  2. Bring the system into single-user mode.

    # /etc/telinit 1

    See the telinit(1M) man page for more information.

  3. Run the script to configure the system to run auditing.

    Go to the /etc/security directory, and execute the bsmconv script there. The script sets up a standard Solaris machine to run auditing after a reboot. See the bsmconv(1M) man page.

    # cd /etc/security
    # ./bsmconv

  4. Bring the system into multiuser mode.

    # /etc/telinit 6

    The startup file /etc/security/audit_startup causes the audit daemon to run automatically when the system enters multiuser mode.

Procedure: How to Disable Auditing

If auditing is no longer required at some point, you can disable the auditing subsystem by running the bsmunconv command. See the bsmconv(1M) man page.

  1. Become superuser or assume an equivalent role.

  2. Bring the system into single-user mode.

    # /etc/telinit 1

    See the telinit(1M) man page for more information.

  3. Run the script to disable auditing.

    Change to the /etc/security directory, and execute the bsmunconv script there.

    # cd /etc/security
    # ./bsmunconv

  4. Bring the system into multiuser mode.

    # /etc/telinit 6

Managing Audit Records (Task Map)

By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.

The following task map describes the tasks in this section.

Task: Display the formats of audit records
    Description: Displays the order of tokens for a particular audit event.
    For Instructions: How to Display Audit Record Formats

Task: Display audit records
    Description: Displays the audit records in readable format.
    For Instructions: How to Display Audit Records

Task: Merge audit records
    Description: Combines audit files from several machines into one audit trail.
    For Instructions: How to Merge Audit Records

Task: Prevent audit trail overflow
    Description: Prevents the audit file systems from completely filling up.
    For Instructions: How to Prevent Audit Trail Overflow

Procedure: How to Display Audit Record Formats

The bsmrecord command displays the audit id, audit class, selection mask, and record format of an audit event. The command operates on records in the audit_class and audit_event files.

The -a option in the following command lists all audit event record formats. The -h option puts the list in HTML format. The resulting file can be displayed in a browser.

  • Use the bsmrecord command to put the format of all audit event records in an HTML file.

    % bsmrecord -a -h > audit.events.html

    You can display the *.html file in a browser. Use the browser's Find tool to find specific records.

    See the bsmrecord(1M) man page for more information.

Example--Displaying the Audit Record Formats of a Program

In this example, the formats of all audit records that are generated by the login program are displayed.

% bsmrecord -p login

terminal login
  program     /usr/sbin/login      see login(1)
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      text                         error message or "successful login"
      return

login: logout
  program     /usr/sbin/login      see login(1)
  event ID    6153                 AUE_logout
  class       lo                   (0x00001000)
      header
      subject
      text                         "logout" username
      return

rlogin
  program     /usr/sbin/login      see login(1) - rlogin
  event ID    6155                 AUE_rlogin
  class       lo                   (0x00001000)
      header
      subject
      text                         success/fail message
      return

telnet login
  program     /usr/sbin/login      see login(1) - telnet
  event ID    6154                 AUE_telnet
  class       lo                   (0x00001000)
      header
      subject
      text                         success/fail message
      return
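The bsmrecord output above has a regular layout that can be checked by a script rather than by eye, for example to confirm that every login event still carries a subject token. The following parser is an added example, not code from the Solaris documentation; it assumes the layout shown on this page holds for every record (record titles in column 0, the program, event ID and class attributes indented two spaces, token lines indented six spaces) and embeds the first two records above as its sample input.

```python
import re

# Sample input: first two records of the bsmrecord -p login output shown above.
SAMPLE = """\
terminal login
  program     /usr/sbin/login      see login(1)
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      text                         error message or "successful login"
      return

login: logout
  program     /usr/sbin/login      see login(1)
  event ID    6153                 AUE_logout
  class       lo                   (0x00001000)
      header
      subject
      text                         "logout" username
      return
"""

def parse_bsmrecord(text):
    """Parse bsmrecord output: titles at indent 0, attributes at indent 2, tokens at indent 6."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent == 0:                      # new record title, e.g. "terminal login"
            records.append({"name": body, "tokens": []})
        elif indent < 6:                     # program / event ID / class attribute
            m = re.match(r"(program|event ID|class)\s+(\S+)\s*(.*)", body)
            if not m:
                raise ValueError("unrecognised attribute line: %r" % line)
            key, value, rest = m.groups()
            rec = records[-1]
            if key == "program":
                rec["program"] = value
            elif key == "event ID":
                rec["event_id"], rec["event_name"] = int(value), rest
            else:                            # "lo   (0x00001000)" -> class name + mask
                rec["class"], rec["class_mask"] = value, int(rest.strip("()"), 16)
        else:                                # token line, e.g. "text   error message ..."
            token, _, desc = body.partition(" ")
            records[-1]["tokens"].append((token, desc.strip()))
    return records
```

Feeding the full `bsmrecord -a` output through the same function gives you a table of event IDs, class masks and token sequences that you can diff between hosts or releases.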
