auditconfig(8) man page - Windyhana's Solanara (윈디하나의 솔라나라)

System Administration Commands                                  auditconfig(8)



NAME
       auditconfig - configure auditing

SYNOPSIS
       auditconfig subcommand...

DESCRIPTION
       auditconfig  provides  a  command  line interface to get and set kernel
       audit parameters.


       Except for getting or setting the persistent audit service values, this
       functionality  is available only if the Oracle Solaris Auditing feature
       has been enabled.


       A zero (0) queue value indicates that the system default is in effect.


       The setting of the perzone policy determines the  scope  of  the  audit
       setting  controlled  by auditconfig. If perzone is set, then the values
       reflect the local zone except as noted. Otherwise, the settings are for
       the  entire  system.  Any  restriction  based on the perzone setting is
       noted for each option to which it applies.


       A non-global zone administrator can set all audit policy options except
       perzone  and ahlt. perzone and ahlt apply only to the global zone; set‐
       ting these policies requires the privileges of a global  zone  adminis‐
       trator.  perzone  and  ahlt  are described under the -setpolicy option,
       below.


       This command is available to administrators who have been  granted  the
       Audit Configuration Rights Profile.

OPTIONS
       The following option is supported:

       -t

           Display  or set only the active values of the running system, with‐
           out displaying or setting the persistent values of the  audit  ser‐
           vice.

            This option is available only for the subcommands  listed  below
            with a [-t] prefix.


SUB-COMMANDS
       -aconf

            Set the active non-attributable audit mask in the kernel  (kmask)
            to  the  configured non-attributable audit mask, that is, the per‐
            sistent value set with -setnaflags. For example:

             # auditconfig -aconf
             Configured non-attributable event mask.



       -audit event sorf retval string

            This command constructs an audit record for audit event event using
            the process' audit characteristics, containing a text token string.
            The return token is  constructed  from  the  sorf  (success/failure
            flag)  and  the retval (return value). The event is of type char*,
            sorf is 0 for success or 1 for failure, retval is an errno  value,
            and  string is of type char*. This command is useful for construct‐
            ing an audit record from a shell script. An example of this option:

             # auditconfig -audit AUE_ftpd 0 0 "test string"
             #

             audit record from audit trail:
                header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
                subject,abc,root,other,root,other,104449,102336,235 197121 elbow
                text,test string
                return,success,0
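
       The following shell wrapper is added here as an example; it is not part
       of the original man page. It shows how a script can use -audit to record
       the outcome of a command it ran, mapping the command's exit status onto
       the sorf and retval arguments. The event name AUE_ftpd is the one used in
       the example above; the function name audit_run and the AUDITCONFIG over‐
       ride variable are this example's own, not auditconfig features. The text
       token is sanitized because -audit stores the string verbatim, so an
       attacker-influenced argument must not be able to inject line breaks into
       the trail.

```sh
#!/bin/sh
# Added example (not from the man page): wrap a command and emit one audit
# record for it via 'auditconfig -audit event sorf retval string'.
# AUDITCONFIG is an assumption of this example: it lets a test or a
# non-Solaris host substitute the real command.
AUDITCONFIG=${AUDITCONFIG:-auditconfig}

# audit_run EVENT DESCRIPTION CMD [ARGS...]
# Runs CMD with ARGS, then records EVENT with:
#   sorf   = 0 on success, 1 on failure (the success/failure flag)
#   retval = the command's exit status, used here as the return value
#   string = DESCRIPTION followed by the command line, reduced to a single
#            line of printable ASCII so the text token cannot carry control
#            characters or forged record lines
# Returns CMD's own exit status so the caller's error handling is unaffected.
audit_run() {
    event=$1; desc=$2; shift 2
    "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then sorf=0; else sorf=1; fi
    text=$(printf '%s: %s' "$desc" "$*" | tr -c '[:print:]' '?')
    "$AUDITCONFIG" -audit "$event" "$sorf" "$rc" "$text"
    return "$rc"
}

# Demo, only where auditconfig (or a stand-in named auditconfig) exists.
if command -v "$AUDITCONFIG" >/dev/null 2>&1; then
    audit_run AUE_ftpd "ftp session" true
fi
```

       Running under set -e, a failing wrapped command still produces its audit
       record before the script aborts, because the record is written inside
       audit_run before the non-zero status is returned.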



       -chkaconf

           Checks the configuration of the non-attributable events set in  the
           kernel  against  the entries configured in the audit service (-set‐
           naflags). If the active class mask of a kernel audit event does not
           match the configured class mask, a mismatch is reported.


       -chkconf

           Check the configuration of kernel audit event to class mappings. If
           the runtime class mask of a kernel audit event does not  match  the
           configured class mask, a mismatch is reported.


       -chkmask username|auid flags

            Verifies that the preselection mask of the specified  username  or
            audit  ID  includes  the  given flags. The preselection mask is the
            system-wide default flags combined with the  audit  flags  specified
            for the user. An error is reported if a flag is not included.


       -chktags [filename]

           Check  the  audit  tags definitions. A definition file to check can
           optionally be specified. If no file is specified  then  the  system
           tags  definitions  are used. If errors are found they are reported.
           For more information, see the audit_tags(5) manual page.


       -chkuflags username|auid flags

           Verifies the pre selection audit flag of the specified username  or
           audit ID, with the specified audit flags for inclusion. An error is
           reported if the flag is not included.


       -conf

           Configure kernel audit event to class mappings. Runtime class  map‐
           pings  are changed to match those in the audit event to class data‐
           base file.


       -getasid

           Prints the audit session ID of the current process. For example:

             # auditconfig -getasid
             audit session id = 102336



       -getaudit

           Returns the audit characteristics of the current process.


             # auditconfig -getaudit
             audit id = abc(666)
             process preselection mask = lo(0x1000,0x1000)
             terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
             audit session id = 102336
             annotation = trouble ticket 123456

           If there is no audit record annotation, the annotation line is  not
           displayed.


       -getauid

           Prints the audit ID of the current process. For example:

             # auditconfig -getauid
             audit id = abc(666)



       -getcar

           Prints  current  active root location (anchored from root [or local
           zone root] at system boot). For example:

             # auditconfig -getcar
             current active root = /



       -getclass event

           Display the preselection mask associated with the specified  kernel
           audit event. event is the kernel event number or event name.


       -getcond

            Display the kernel audit condition. The condition displayed is one
            of the following literal strings:

            auditing     Auditing is enabled and turned on: the kernel  audit
                         module is constructing and queuing audit records and
                         the audit daemon is running.

            noaudit      Auditing is enabled but turned off: the kernel audit
                         module is not constructing and queuing audit records
                         and the audit daemon is not running.

            disabled     The audit module has not been enabled (the module has
                         been excluded in system(5)).

            For more information, see the auditd(8) man page.


       -getestate event

           For the specified event (string or event number), print out classes
           event has been assigned. For example:

             # auditconfig -getestate 20
             audit class mask for event AUE_REBOOT(20) = 0x800
             # auditconfig -getestate AUE_RENAME
             audit class mask for event AUE_RENAME(42) = 0x30



       [-t] -getflags

           Display the user default audit preselection flags.


       [-t] -getfprivs

           The AUE_CMD_PRIVS event can record the privileges that were missing
           during the execution of each program. This option displays the  set
           of  privileges  to  monitor for such failures. It defaults to none.
           For example:

             # auditconfig -getfprivs
             configured failed privileges = none
             active failed privileges = none



       -getkaudit

           Get audit characteristics of the current zone. For example:


             # auditconfig -getkaudit
             audit id = unknown(-2)
             process preselection mask = lo,na(0x1400,0x1400)
             terminal id (maj,min,host) = 0,0,(0.0.0.0)
             audit session id = 0

           If the audit policy perzone is not set, the terminal id is that  of
           the  global  zone.  Otherwise,  it  is the terminal id of the local
           zone.


       -getkmask

           Get non-attributable pre-selection mask for the current  zone.  For
           example:


             # auditconfig -getkmask
             audit flags for non-attributable events = lo,na(0x1400,0x1400)

           If  the audit policy perzone is not set, the kernel mask is that of
           the global zone. Otherwise, it is that of the local zone.


       [-t] -getnaflags

           Display the non-attributable audit flags.


       -getpinfo pid

           Display the audit ID, preselection mask, terminal ID, audit session
           ID, and optional audit record annotation for the specified process.


       -getplugin [name]

           Display  information  about  the plugin name. If name is not speci‐
           fied, display all plugins.


       [-t] -getpolicy

           Display the kernel audit policy.  The  ahlt  and  perzone  policies
           reflect  the  settings from the global zone. If perzone is set, all
           other policies reflect the local zone's settings. If perzone is not
           set, the policies are machine-wide.


       -getremote [server|[group [connection_group]]]

           Display  the  audit  remote  server-related  information. If server
           option argument is used, only the common audit remote  server  con‐
           figuration  is  displayed.  If  the  option argument group is used,
           information about all configured connection  groups  is  displayed.
           If, in addition to the group argument, the connection_group name is
           specified, information about only the respective  connection  group
           is displayed.

           If  no  option  arguments  are used, information about common audit
           remote server configuration details and all connection  groups  are
           displayed.


       -getcwd

           Prints current working directory (anchored from zone root at system
           boot). For example:

             # cd /usr/tmp
             # auditconfig -getcwd
             current working directory = /var/tmp





       [-t] -getqbufsz

           Get audit queue write buffer size. For example:

             # auditconfig -getqbufsz
             no configured audit queue size
             audit queue buffer size (bytes) = 1024



       [-t] -getqctrl

           Get audit queue write buffer size, audit queue hiwater mark,  audit
           queue lowater mark, audit queue prod interval (ticks).

             # auditconfig -getqctrl
             no configured audit queue lowater mark
             no configured audit queue hiwater mark
             no configured audit queue size
             no configured audit queue delay
             audit queue hiwater mark (records) = 100
             audit queue lowater mark (records) = 10
             audit queue buffer size (bytes) = 1024
             audit queue delay (ticks) = 20

             # auditconfig -setqbufsz 8192
             # auditconfig -t -setqbufsz 12288
             # auditconfig -setqdelay 20
             # auditconfig -t -setqdelay 25
             # auditconfig -getqctrl
             no configured audit queue lowater mark
             no configured audit queue hiwater mark
             configured audit queue buffer size (bytes) = 8192
             configured audit queue delay (ticks) = 20
             active audit queue hiwater mark (records) =     100
             active audit queue lowater mark (records) =     10
             active audit queue buffer size (bytes) = 12288
             active audit queue delay (ticks) = 25
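
       The following function is added here as an example and is not part of
       the original man page. It reads the -getqctrl report shown above and
       flags every queue parameter whose active value (set with -t) differs
       from its configured value, which is exactly the state the second listing
       above is in: the kernel honours 12288 bytes and 25 ticks, but 8192 and 20
       return after the audit service is refreshed or the system reboots. The
       function name qctrl_drift and the sample function are this example's
       own; the sample text is copied from the listing above.

```sh
#!/bin/sh
# Added example (not from the man page): detect configured/active drift in
# the output of 'auditconfig -getqctrl'.

# qctrl_sample: the -getqctrl listing from the man page, embedded so the
# example runs without a Solaris host.
qctrl_sample() {
    cat <<'EOF'
no configured audit queue lowater mark
no configured audit queue hiwater mark
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) =     100
active audit queue lowater mark (records) =     10
active audit queue buffer size (bytes) = 12288
active audit queue delay (ticks) = 25
EOF
}

# qctrl_drift: read a -getqctrl report on standard input and print one line
# per parameter whose active value differs from its configured value.
# Parameters with no configured value ("no configured ..." plus a bare
# "audit queue ..." line) are skipped. Exit status 1 if any drift was found.
qctrl_drift() {
    awk '
        /^(configured|active) audit queue / {
            kind = $1                                 # "configured" or "active"
            line = $0
            sub(/^(configured|active) audit queue /, "", line)
            split(line, kv, / *= */)                  # "buffer size (bytes)", "8192"
            name = kv[1]
            sub(/ *\(.*\)$/, "", name)                # drop the unit suffix
            val[kind, name] = kv[2] + 0
        }
        END {
            n = split("hiwater mark,lowater mark,buffer size,delay", order, ",")
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (("configured", p) in val && ("active", p) in val &&
                    val["configured", p] != val["active", p]) {
                    printf "%s: configured=%d active=%d\n", p,
                           val["configured", p], val["active", p]
                    drift = 1
                }
            }
            exit drift + 0
        }'
}

# Demo on the embedded sample; on a real host use: auditconfig -getqctrl | qctrl_drift
qctrl_sample | qctrl_drift || echo "queue control drift: re-apply without -t or reset"
```

       A non-zero exit from qctrl_drift means the persistent and active values
       disagree. As described under -setqctrl below, setting a parameter to 0
       (for example auditconfig -setqctrl 0 0 0 0) clears its configured value
       and returns the active value to the default.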



       [-t] -getqdelay

           Get  interval  at which audit queue is prodded to start output. For
           example:

             # auditconfig -getqdelay
             no configured audit queue delay
             audit queue delay (ticks) = 20



       [-t] -getqhiwater

           Get high water point in undelivered audit records when audit gener‐
           ation will block. For example:

             # ./auditconfig -getqhiwater
             no configured audit queue hiwater mark
             audit queue hiwater mark (records) = 100



       [-t] -getqlowater

           Get low water point in undelivered audit records where blocked pro‐
           cesses will resume. For example:

             # auditconfig -getqlowater
             no configured audit queue lowater mark
             audit queue lowater mark (records) = 10



       [-t] -getsprivs

           The AUE_CMD_PRIVS event can record the privileges  that  were  used
           during  the execution of each program. This option displays the set
           of privileges to monitor for successful usage. For example:

             # auditconfig -t -getsprivs
             active successful privileges = file_dac_write,sys_acct,\
             sys_admin,sys_config,sys_devices,sys_dl_config,sys_flow_config,\
             sys_ib_config,sys_ip_config,sys_iptun_config,sys_mount,\
             sys_net_config,sys_res_bind,sys_res_config,sys_time



       -gettid

           Print audit terminal ID for current process. For example:

             # auditconfig -gettid
             terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)



       -lsclass

           Display the currently configured (runtime) audit class information.


       -lsevent [audit_flags]

            Display the currently configured (runtime) kernel  and  user  level
            audit  event  information  for  the events selected by audit_flags.
            If audit_flags is not present,  display  all  configured  audit
            events.   For   more   information,   see  the  audit_event(5)  and
            audit_flags(7) man pages.


       -lstags [filename]

           Display the names of audit tags. A tags definition file to use  can
           optionally  be  specified.  If no file is specified then the system
           tags  definitions  are  used.  For  more   information,   see   the
           audit_tags(5) manual page.


       -lspolicy

           Display  the  kernel audit policies with a description of each pol‐
           icy.


       -setasid session-ID [cmd]

           Execute shell or cmd with specified session-ID. For example:

             # ./auditconfig -setasid 2000 /bin/ksh
             #
             # ./auditconfig -getpinfo 104485
             audit id = abc(666)
             process preselection mask = lo(0x1000,0x1000)
             terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
             audit session id = 2000



       -setaudit audit-ID preselect_flags term-ID session-ID [cmd]

           Execute shell or cmd with the specified audit characteristics.


       -setauid audit-ID [cmd]

           Execute shell or cmd with the specified audit-ID.


       -setclass event audit_flag[,audit_flag ...]

           Map the kernel event event to the classes specified  by  audit_flag
           list.  event is an event number or name. An audit_flag is a charac‐
           ter string representing an audit class. See audit_flags(7) for fur‐
           ther  information. If perzone is not set, this option is valid only
           in the global zone.


       [-t] -setflags audit_flags

           Set the default user audit preselection flags; see  audit_flags(7).
           The  default  preselection  flags are combined with the user's spe‐
           cific audit flags to form the user's audit preselection mask.


       [-t] -setfprivs [+|-]privilege[,privilege ...]

           The AUE_CMD_PRIVS event can record the privileges that were missing
           during  the  execution of each program. This option sets the privi‐
           leges to monitor for such failures.  Privileges  that  are  in  the
           basic set should not be specified.


       -setkaudit IP-address_type IP_address

            Set the IP address of the machine to the specified value.  IP-ad‐
            dress_type is ipv4 or ipv6.

           If perzone is not set, this option is  valid  only  in  the  global
           zone.


       -setkmask audit_flags

           Set non-attributable preselection flags of machine.

           If  perzone  is  not  set,  this option is valid only in the global
           zone.


       [-t] -setnaflags audit_flags

           Set the non-attributable audit flags; see  audit_flags(7).  Non-at‐
           tributable  audit  flags  define  which classes of events are to be
           audited when the action cannot be attributed  to  an  authenticated
           user.  Failed login is an example of an event that is non-attribut‐
           able.


       -setpmask pid flags

           Set the preselection mask of the specified process.  flags  is  the
           ASCII   representation   of   the   flags   similar   to   that  in
           audit_flags(7).

           If perzone is not set, this option is  valid  only  in  the  global
           zone.


       -setplugin plugin_name active|inactive [ attributes [qsize]]
       -setplugin plugin_name [active|inactive] attributes [qsize]

           Configure  the plugin plugin_name to be active or inactive. Option‐
           ally configure the  attributes  and  number  of  unprocessed  audit
           records  to queue for the plugin. See the relevant audit plugin man
           pages and auditd(8).



       [-t] -setpolicy [+|-]policy_flag[,policy_flag ...]

            Set the kernel audit policy. Each policy_flag is a  literal  string
            that  denotes an audit policy. A prefix of + adds the specified po‐
            licies to the current audit policies; a prefix of -  removes  them
            from  the current audit policies. No policies can be set from a lo‐
            cal zone unless the perzone policy is first set  from  the  global
            zone.  The  following  are  the valid policy flag strings (auditcon‐
            fig -lspolicy also lists the current valid audit policy flag
            strings):

           all             Include  all  policies  that  apply  to the current
                           zone.


           ahlt            Panic is called and the system  dumps  core  if  an
                           asynchronous  audit  event  occurs  that  cannot be
                           delivered because the audit queue has  reached  the
                           high-water  mark  or because there are insufficient
                           resources to construct an audit record. By default,
                           records are dropped and a count is kept of the num‐
                           ber of dropped records.


           arge            Include the execv(2) system call environment  argu‐
                           ments  to the audit record. This information is not
                           included by default.


           argv            Include the execv(2) system  call  parameter  argu‐
                           ments  to the audit record. This information is not
                           included by default.


            cnt             Do not suspend processes when audit  resources  are
                            exhausted.  Instead,  drop audit records and keep a
                            count of the number of records dropped. By default,
                            processes are suspended until audit resources  be‐
                            come available.


           group           Include the  supplementary  group  token  in  audit
                           records.   By  default,  the  group  token  is  not
                           included.


           none            Include no policies. If  used  in  other  than  the
                           global  zone, the ahlt and perzone policies are not
                           changed.


            path            Add secondary path tokens to the audit record. These
                            are  typically  the pathnames of dynamically linked
                            shared libraries or command interpreters for  shell
                            scripts. By default, they are not included.


           perzone         Maintain  separate  configuration, queues, and logs
                           for each zone and execute  a  separate  version  of
                           auditd(8) for each zone.


           public          Audit  public  files.  By default, read-type opera‐
                           tions are not audited for certain files which  meet
                           public  characteristics: owned by root, readable by
                           all, and not writable by all.


           trail           Include the trailer token in every audit record. By
                           default, the trailer token is not included.


           seq             Include  the  sequence token as part of every audit
                           record. By  default,  the  sequence  token  is  not
                           included.  The  sequence  token attaches a sequence
                           number to every audit record.


           labeled_only    Only audit labeled files for read-type  operations.
                           By  default  both  labeled  and unlabeled files are
                           audited, but if the labeled_only policy  is  speci‐
                           fied, then read-type operations are not audited for
                           files that are either unlabeled or  ADMIN_LOW.  The
                           policy does not apply to write-type operations.


           zonename        Include  the  zonename token as part of every audit
                           record. By  default,  the  zonename  token  is  not
                           included.  The zonename token gives the name of the
                           zone from which the audit record was generated.
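
       The following function is added here as an example and is not part of
       the original man page. It turns a desired policy state into the +/-
       arguments described above, so a hardening script can apply the same
       -setpolicy calls repeatedly without toggling anything already in place,
       and it separates out ahlt and perzone, which, as noted in the DESCRIP‐
       TION, can only be set from the global zone. The function names
       has_policy and policy_delta are this example's own. The current policy
       list is passed in as a comma-separated string; extracting it from the
       -getpolicy report is left to the caller, since that report's exact for‐
       mat is not shown on this page.

```sh
#!/bin/sh
# Added example (not from the man page): compute the -setpolicy arguments
# needed to move from the current policy set to a required one.

# has_policy LIST NAME: succeed if NAME is one of the comma-separated LIST.
# Wrapping both sides in commas prevents "arg" from matching "argv".
has_policy() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# policy_delta CURRENT REQUIRED [FORBIDDEN]
#   CURRENT   comma-separated policies now in effect
#   REQUIRED  comma-separated policies that must be on
#   FORBIDDEN comma-separated policies that must be off
# Prints up to three lines: "+a,b" (to add), "-c" (to remove), and
# "global-zone-only: +ahlt -perzone" for the two policies that a non-global
# zone administrator cannot set. Prints nothing if already compliant.
policy_delta() {
    current=$1 required=$2 forbidden=${3:-}
    add= remove= global=
    old_ifs=$IFS
    IFS=,
    for p in $required; do
        [ -z "$p" ] && continue
        has_policy "$current" "$p" && continue
        case $p in
            ahlt|perzone) global="$global +$p" ;;
            *)            add="$add,$p" ;;
        esac
    done
    for p in $forbidden; do
        [ -z "$p" ] && continue
        has_policy "$current" "$p" || continue
        case $p in
            ahlt|perzone) global="$global -$p" ;;
            *)            remove="$remove,$p" ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$add" ]    && printf '+%s\n' "${add#,}"
    [ -n "$remove" ] && printf '%s%s\n' '-' "${remove#,}"
    [ -n "$global" ] && printf 'global-zone-only:%s\n' "$global"
    return 0
}

# Demo: record exec arguments and zone names, stop dropping records under load.
policy_delta "argv,cnt" "argv,arge,zonename" "cnt"
```

       Each printed +/- line is a complete argument for auditconfig -setpolicy;
       add -t to change only the running system, or omit it to change the per‐
       sistent audit service value as well.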



       -setremote server active|inactive [attributes]
       -setremote server [active|inactive] attributes

           Configure the main audit remote server switch to be active or inac‐
           tive.  If  it  is set to inactive, all configured connection groups
           are deemed inactive. Optionally configure the common  audit  remote
           server attributes. For more information, see ars(7).



       -setremote group active|inactive group_name [attributes]
       -setremote group [active|inactive] group_name attributes

           Configure the audit remote server connection group group_name to be
           active or inactive. Optionally configure the respective  connection
           group attributes. For more information, see ars(7).



       -setremote group create|destroy group_name

           Create   or  destroy  the  audit  remote  server  connection  group
           group_name. For more information, see ars(7).


       [-t] -setqbufsz buffer_size

            Set the audit queue write buffer size (bytes). Zero (0) resets  the
            configured  value  to  none  and  resets the active value to the de‐
            fault setting.


       [-t] -setqctrl hiwater lowater bufsz interval

            Set, in this order, the audit queue hiwater mark (records), lowater
            mark  (records),  write  buffer  size (bytes), and wakeup interval
            (ticks). Valid within a local zone only if perzone is set. Zero (0)
            for  a parameter resets its configured value to none and resets its
            active value to the default setting.


       [-t] -setqdelay interval

            Set the audit queue wakeup interval (ticks).  This  determines  the
            interval  at which the kernel pokes the audit queue, to write audit
            records to the audit trail. Valid within a local zone only if  per‐
            zone  is  set.  Zero (0) resets the configured value to none and re‐
            sets the active value to the default setting.


       [-t] -setqhiwater hiwater

            Set the number of undelivered audit records in the audit  queue  at
            which  audit  record  generation  blocks. Valid within a local zone
            only if perzone is set. Zero (0) resets the  configured  value  to
            none and resets the active value to the default setting.


       [-t] -setqlowater lowater

            Set  the  number of undelivered audit records in the audit queue at
            which blocked auditing processes unblock. Valid within a local zone
            only if perzone is set. Zero (0) resets the  configured  value  to
            none and resets the active value to the default setting.


       -setsmask asid flags

           Set the pre-selection mask of  all  processes  with  the  specified
           audit session ID. Valid within a local zone only if perzone is set.


       [-t] -setsprivs [+|-]privilege[,privilege ...]

           The  AUE_CMD_PRIVS  event  can record the privileges that were used
           during the execution of each program. This option sets  the  privi‐
           leges  to  monitor for such usage. Privileges that are in the basic
           set should not be specified.


       -setumask username|auid flags

           Set the pre-selection mask of  all  processes  with  the  specified
           username  or audit ID. Valid within a local zone only if perzone is
           set.


EXAMPLES
       Example 1 Using auditconfig



       The following are examples of auditconfig commands.


         #
         # Map kernel audit event number 10 to the "fr" audit class.

         auditconfig -setclass 10 fr

         #
         # Turn on inclusion of exec arguments in exec audit records.

         auditconfig -setpolicy +argv


       Example 2 Setting Only the Number of Unprocessed Audit Records



       The following sequence of commands sets only the number of  unprocessed
       audit records to queue for the audit_binfile plugin.


         # See if audit_binfile is active.
         auditconfig -getplugin audit_binfile

         # Set to queue 20 unprocessed audit records.
         #
         auditconfig -setplugin audit_binfile "" 20


       Example 3 Resetting Queue Control Parameters



       The following commands reset active and configured queue control param‐
       eters.



       Example 4 Configuring an Audit Remote Server



       The following commands configure an audit remote server.


         # Get the audit remote server configuration
         auditconfig -getremote

         # Change an audit remote server attribute
         auditconfig -setremote server \
             "listen_address=10.0.0.1,max_startups=10:30:60"

         # Create an audit remote server (wild card) connection group
         auditconfig -setremote group create egg_farm

         # Get a specific audit remote server connection group information
         auditconfig -getremote group egg_farm

         # Set a connection group attribute, activate the connection group
         auditconfig -setremote group active egg_farm \
             "hosts=www.example.com,binfile_dir=/var/audit/ARS"


EXIT STATUS
       0    Successful completion.


       1    An error occurred.


FILES
       /etc/security/audit_event    Stores event definitions used in the audit
                                    system.


       /etc/security/audit_class    Stores class definitions used in the audit
                                    system.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE            ATTRIBUTE VALUE
       Availability              system/core-os
       Interface Stability       See below



       The command is Committed. The output is Not-an-Interface.

SEE ALSO
       execv(2),  audit_class(5),  audit_event(5),  audit_tags(5),  system(5),
       ars(7),      attributes(7),      audit_binfile(7),      audit_flags(7),
       audit_remote(7), audit_syslog(7), privileges(7),  audit(8),  auditd(8),
       auditstat(8), praudit(8)


       Managing Auditing in Oracle Solaris 11.4

NOTES
       If  plugin output is selected using the -setplugin option, the behavior
       of the system with respect to the -setpolicy +cnt and  the  -setqhiwater
       options  is  modified  slightly.  If -setpolicy +cnt is set, data will
       continue to be sent to the selected plugin, even though output  of  the
       audit_binfile plugin is stopped, pending the freeing of disk space.  If
       -setpolicy -cnt is used, the blocking behavior is as  described  under
       SUB-COMMANDS,  above.  The  queue  high water mark value is used within
       auditd as the upper bound for its queue  limits  unless  overridden  by
       means  of  the  qsize attribute, as described in the explanation of the
       -setplugin option, above.


       The auditconfig options that modify or display  process-based  informa‐
       tion  are  not affected by the perzone policy. Those that modify system
       audit data such as the terminal id and audit queue parameters are valid
       only  in the global zone, unless the perzone policy is set. The display
       of a system audit reflects the local zone if perzone is set. Otherwise,
       it reflects the settings of the global zone.


       The change to plugins (-setplugin) and audit remote server (-setremote)
       settings do not take effect (such as becoming active  or  inactive,  or
       changing   the  respective  attributes)  until  the  audit  service  is
       refreshed. Use audit(8) to refresh the audit service.

HISTORY
       The auditconfig command was added in Solaris 2.3.



Oracle Solaris 11.4               21 Jun 2021                   auditconfig(8)
The copyright of the man page contents belongs to the man page author.