Policy Name | Description | Why Change the Policy Option? |
ahlt | This policy applies to asynchronous events only. When disabled, this policy allows the event to complete without an audit record being generated. When enabled, this policy stops the system when the audit file systems are full. Administrative intervention is required to clean up the audit queue, make space available for audit records, and reboot. This policy can only be enabled in the global zone. The policy affects all zones. | The disabled option makes sense when system availability is more important than security. The enabled option makes sense in an environment where security is paramount. |
arge | When disabled, this policy omits environment variables of an executed program from the exec audit record. When enabled, this policy adds the environment variables of an executed program to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled. | The disabled option collects much less information than the enabled option. The enabled option makes sense when you are auditing a few users. The option is also useful when you have suspicions about the environment variables that are being used in exec programs. |
argv | When disabled, this policy omits the arguments of an executed program from the exec audit record. When enabled, this policy adds the arguments of an executed program to the exec audit record. The resulting audit records contain much more detail than when this policy is disabled. | The disabled option collects much less information than the enabled option. The enabled option makes sense when you are auditing a few users. The option is also useful when you have reason to believe that unusual exec programs are being run. |
cnt | When disabled, this policy blocks a user or application from running. The blocking happens when audit records cannot be added to the audit trail because no disk space is available. When enabled, this policy allows the event to complete without an audit record being generated. The policy maintains a count of audit records that are dropped. | The disabled option makes sense in an environment where security is paramount. The enabled option makes sense when system availability is more important than security. |
group | When disabled, this policy does not add a groups list to audit records. When enabled, this policy adds a groups list to every audit record as a special token. | The disabled option usually satisfies requirements for site security. The enabled option makes sense when you need to audit which groups are generating audit events. |
path | When disabled, this policy records in an audit record at most one path that is used during a system call. When enabled, this policy records every path that is used in conjunction with an audit event in the audit record. | The disabled option places at most one path in an audit record. The enabled option enters each file name or path that is used during a system call in the audit record as a path token. |
perzone | When disabled, this policy maintains a single audit configuration for a system. One audit daemon runs in the global zone. Audit events in non-global zones can be located in the audit record by preselecting the zonename audit token. When enabled, this policy maintains separate audit configuration, audit queue, and audit logs for each zone. A separate version of the audit daemon runs in each zone. This policy can be enabled in the global zone only. | The disabled option is useful when you have no special reason to maintain a separate audit log, queue, and daemon for each zone. The enabled option is useful when you cannot monitor your system effectively by simply preselecting the zonename audit token. |
public | When disabled, this policy does not add read-only events of public objects to the audit trail when the reading of files is preselected. Audit classes that contain read-only events include fr, fa, and cl. When enabled, this policy records every read-only audit event of public objects if an appropriate audit class is preselected. | The disabled option usually satisfies requirements for site security. The enabled option is rarely useful. |
seq | When disabled, this policy does not add a sequence number to every audit record. When enabled, this policy adds a sequence number to every audit record. The sequence token holds the sequence number. | The disabled option is sufficient when auditing is running smoothly. The enabled option makes sense when the cnt policy is enabled. The seq policy enables you to determine when data was discarded. |
trail | When disabled, this policy does not add a trailer token to audit records. When enabled, this policy adds a trailer token to every audit record. | The disabled option creates a smaller audit record. The enabled option clearly marks the end of each audit record with a trailer token. The trailer token is often used in conjunction with the sequence token. The trailer token provides easier and more accurate resynchronization of audit records. |
zonename | When disabled, this policy does not include a zonename token in audit records. When enabled, this policy includes a zonename token in every audit record from a non-global zone. | The disabled option is useful when you do not need to compare audit behavior across zones. The enabled option is useful when you want to isolate and compare audit behavior across zones. |
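
The seq row above says that the sequence token lets you determine when data was discarded while cnt is enabled. The following is an added example, not part of the original documentation: it scans text-form audit records for jumps in the sequence numbers. The sample records are constructed, and both the one-token-per-line layout and the reading of a jump as discarded records are assumptions.

```python
"""Find gaps in the sequence tokens of text-form audit records (added example)."""

# Constructed sample in a one-token-per-line text form (assumed layout),
# trimmed to the tokens that matter here. Host, times and values are made up.
SAMPLE = """\
header,69,2,execve(2),,host1,2024-01-01 10:00:00.000 +00:00
return,success,0
sequence,1001
header,69,2,execve(2),,host1,2024-01-01 10:00:01.000 +00:00
return,success,0
sequence,1002
header,69,2,open(2) - read,,host1,2024-01-01 10:00:09.000 +00:00
return,success,0
sequence,1005
header,69,2,execve(2),,host1,2024-01-01 10:00:10.000 +00:00
return,success,0
header,69,2,execve(2),,host1,2024-01-01 10:00:11.000 +00:00
return,success,0
sequence,1006
"""

def sequence_numbers(text):
    """Yield (event, seq) per record; seq is None when no sequence token is present."""
    event, seq, in_record = None, None, False
    for line in text.splitlines():
        fields = line.strip().split(",")
        if fields[0] == "header":          # a header token opens a new record
            if in_record:
                yield event, seq
            event = fields[3] if len(fields) > 3 else "?"
            seq, in_record = None, True
        elif fields[0] == "sequence" and in_record:
            if len(fields) > 1 and fields[1].isdigit():
                seq = int(fields[1])
    if in_record:
        yield event, seq

def find_gaps(text):
    """Return (last_seen, next_seen, missing_count) for each jump in the numbering."""
    gaps, prev = [], None
    for _event, seq in sequence_numbers(text):
        if seq is None:
            continue                       # record written without the seq policy
        if prev is not None and seq > prev + 1:
            gaps.append((prev, seq, seq - prev - 1))
        prev = seq
    return gaps

if __name__ == "__main__":
    for last, nxt, missing in find_gaps(SAMPLE):
        print(f"{missing} record(s) missing between sequence {last} and {nxt}")
```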