'\" te
.\" Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
.TH auditconfig 1M "3 May 2012" "SunOS 5.11" "System Administration Commands"
.SH NAME
auditconfig \- configure auditing
.SH SYNOPSIS
.LP
.nf
\fBauditconfig\fR \fIsubcommand\fR...
.fi

.SH DESCRIPTION
.sp
.LP
\fBauditconfig\fR provides a command line interface to get and set kernel audit parameters.
.sp
.LP
Except for getting or setting the persistent audit service values, this functionality is available only if the Solaris Auditing feature has been enabled.
.sp
.LP
A zero (\fB0\fR) queue value indicates that the system default is in effect.
.sp
.LP
The setting of the \fBperzone\fR policy determines the scope of the audit setting controlled by \fBauditconfig\fR. If \fBperzone\fR is set, then the values reflect the local zone except as noted. Otherwise, the settings are for the entire system. Any restriction based on the \fBperzone\fR setting is noted for each option to which it applies.
.sp
.LP
A non-global zone administrator can set all audit policy options except \fBperzone\fR and \fBahlt\fR. \fBperzone\fR and \fBahlt\fR apply only to the global zone; setting these policies requires the privileges of a global zone administrator. \fBperzone\fR and \fBahlt\fR are described under the \fB-setpolicy\fR option, below.
.sp
.LP
This command is available to administrators who have been granted the Audit Control Rights Profile.
.SH OPTIONS
.sp
.LP
The following option is supported:
.sp
.ne 2
.mk
.na
\fB\fB-t\fR\fR
.ad
.sp .6
.RS 4n
Display or set the values on the running system in addition to the persistent values of the audit service.
.sp
This option is available only for the subcommands that list it below.
.RE

.SH SUB-COMMANDS
.sp
.ne 2
.mk
.na
\fB\fB-aconf\fR\fR
.ad
.sp .6
.RS 4n
Set the configured non-attributable audit mask, \fBkmask\fR, to the configured non-attributable audit mask. For example:
.sp
.in +2
.nf
# \fBauditconfig -aconf\fR
Configured non-attributable event mask.
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-audit\fR \fIevent\fR \fIsorf\fR \fIretval\fR \fIstring\fR\fR
.ad
.sp .6
.RS 4n
This command constructs an audit record for audit event \fIevent\fR using the process's audit characteristics containing a text token \fIstring\fR. The return token is constructed from the \fIsorf\fR (success/failure flag) and the \fIretval\fR (return value). The event is type \fBchar*\fR, the \fIsorf\fR is 0/1 for success/failure, \fIretval\fR is an errno value, \fIstring\fR is type \fB*char\fR. This command is useful for constructing an audit record with a shell script. An example of this option:
.sp
.in +2
.nf
# \fBauditconfig -audit AUE_ftpd 0 0 "test string"\fR
#

audit record from audit trail:
    header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
    subject,abc,root,other,root,other,104449,102336,235 197121 elbow
    text,test string
    return,success,0
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-chkaconf\fR\fR
.ad
.sp .6
.RS 4n
Checks the configuration of the non-attributable events set in the kernel against the entries configured in the audit service (\fB-setnaflags\fR). If the active class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-chkconf\fR\fR
.ad
.sp .6
.RS 4n
Check the configuration of kernel audit event to class mappings. If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-conf\fR\fR
.ad
.sp .6
.RS 4n
Configure kernel audit event to class mappings. Runtime class mappings are changed to match those in the audit event to class database file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getasid\fR\fR
.ad
.sp .6
.RS 4n
Prints the audit session ID of the current process. For example:
.sp
.in +2
.nf
# \fBauditconfig -getasid\fR
audit session id = 102336
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-getaudit\fR\fR
.ad
.sp .6
.RS 4n
Returns the audit characteristics of the current process.
.sp
.in +2
.nf
# \fBauditconfig -getaudit\fR
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 102336
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-getauid\fR\fR
.ad
.sp .6
.RS 4n
Prints the audit ID of the current process. For example:
.sp
.in +2
.nf
# \fBauditconfig -getauid\fR
audit id = abc(666)
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-getcar\fR\fR
.ad
.sp .6
.RS 4n
Prints current active root location (anchored from root [or local zone root] at system boot). For example:
.sp
.in +2
.nf
# \fBauditconfig -getcar\fR
current active root = /
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-getclass\fR \fIevent\fR\fR
.ad
.sp .6
.RS 4n
Display the preselection mask associated with the specified kernel audit event. \fIevent\fR is the kernel event number or event name.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getcond\fR\fR
.ad
.sp .6
.RS 4n
Display the kernel audit condition. The condition displayed is the literal string \fBauditing\fR meaning auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records, audit daemon is running); \fBnoaudit\fR, meaning auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records, audit daemon is not running); \fBdisabled\fR, meaning that the audit module has not been enabled (the module has been excluded in \fBsystem\fR(4)). See \fBauditd\fR(1M) for further information.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getestate\fR \fIevent\fR\fR
.ad
.sp .6
.RS 4n
For the specified event (string or event number), print out classes \fIevent\fR has been assigned. For example:
.sp
.in +2
.nf
# \fBauditconfig -getestate 20\fR
audit class mask for event AUE_REBOOT(20) = 0x800
# auditconfig -getestate AUE_RENAME
audit class mask for event AUE_RENAME(42) = 0x30
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-getflags\fR\fR
.ad
.sp .6
.RS 4n
Display the user default audit preselection flags.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getkaudit\fR\fR
.ad
.sp .6
.RS 4n
Get audit characteristics of the current zone. For example:
.sp
.in +2
.nf
# \fBauditconfig -getkaudit\fR
audit id = unknown(-2)
process preselection mask = lo,na(0x1400,0x1400)
terminal id (maj,min,host) = 0,0,(0.0.0.0)
audit session id = 0
.fi
.in -2
.sp

If the audit policy \fBperzone\fR is not set, the terminal id is that of the global zone. Otherwise, it is the terminal id of the local zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getkmask\fR\fR
.ad
.sp .6
.RS 4n
Get non-attributable pre-selection mask for the current zone. For example:
.sp
.in +2
.nf
# \fBauditconfig -getkmask\fR
audit flags for non-attributable events = lo,na(0x1400,0x1400)
.fi
.in -2
.sp

If the audit policy \fBperzone\fR is not set, the kernel mask is that of the global zone. Otherwise, it is that of the local zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getnaflags\fR\fR
.ad
.sp .6
.RS 4n
Display the non-attributable audit flags.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getpinfo\fR \fIpid\fR\fR
.ad
.sp .6
.RS 4n
Display the audit ID, preselection mask, terminal ID, and audit session ID for the specified process.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getplugin\fR [\fIname\fR]\fR
.ad
.sp .6
.RS 4n
Display information about the plugin name. If \fIname\fR is not specified, display all plugins.
.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-getpolicy\fR\fR
.ad
.sp .6
.RS 4n
Display the kernel audit policy. The \fBahlt\fR and \fBperzone\fR policies reflect the settings from the global zone. If \fBperzone\fR is set, all other policies reflect the local zone's settings. If \fBperzone\fR is not set, the policies are machine-wide.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getremote\fR [\fIserver\fR|[\fIgroup\fR [\fIconnection_group\fR]]]\fR
.ad
.sp .6
.RS 4n
Display the audit remote server-related information. If \fIserver\fR option argument is used, only the common audit remote server configuration is displayed. If the option argument \fIgroup\fR is used, information about all configured connection groups is displayed. If, in addition to the group argument, the \fIconnection_group\fR name is specified, information about only the respective connection group is displayed.
.sp
If no option arguments are used, information about common audit remote server configuration details and all connection groups are displayed.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-getcwd\fR\fR
.ad
.sp .6
.RS 4n
Prints current working directory (anchored from zone root at system boot). For example:
.sp
.in +2
.nf
# \fBcd /usr/tmp\fR
# \fBauditconfig -getcwd\fR
current working directory = /var/tmp
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-getqbufsz\fR\fR
.ad
.sp .6
.RS 4n
Get audit queue write buffer size. For example:
.sp
.in +2
.nf
# \fBauditconfig -getqbufsz\fR
no configured audit queue size
audit queue buffer size (bytes) = 1024
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-getqctrl\fR\fR
.ad
.sp .6
.RS 4n
Get audit queue write buffer size, audit queue \fBhiwater\fR mark, audit queue \fBlowater\fR mark, audit queue \fBprod\fR interval (ticks).
.sp
.in +2
.nf
# \fBauditconfig -getqctrl\fR
no configured audit queue lowater mark
no configured audit queue hiwater mark
no configured audit queue size
no configured audit queue delay
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20

# auditconfig -setqbufsz 8192
# auditconfig -t -setqbufsz 12288
# auditconfig -setqdelay 20
# auditconfig -t -setqdelay 25
# auditconfig -getqctrl
no configured audit queue lowater mark
no configured audit queue hiwater mark
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) =     100
active audit queue lowater mark (records) =     10
active audit queue buffer size (bytes) = 12288
active audit queue delay (ticks) = 25
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-getqdelay\fR\fR
.ad
.sp .6
.RS 4n
Get interval at which audit queue is prodded to start output. For example:
.sp
.in +2
.nf
# \fBauditconfig -getqdelay\fR
no configured audit queue delay
audit queue delay (ticks) = 20
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-getqhiwater\fR\fR
.ad
.sp .6
.RS 4n
Get high water point in undelivered audit records when audit generation will block. For example:
.sp
.in +2
.nf
# \fB\&./auditconfig -getqhiwater\fR
no configured audit queue hiwater mark
audit queue hiwater mark (records) = 100
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-getqlowater\fR\fR
.ad
.sp .6
.RS 4n
Get low water point in undelivered audit records where blocked processes will resume. For example:
.sp
.in +2
.nf
# \fBauditconfig -getqlowater\fR
no configured audit queue lowater mark
audit queue lowater mark (records) = 10
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-getstat\fR\fR
.ad
.sp .6
.RS 4n
Print current audit statistics information. For example:
.sp
.in +2
.nf
# \fBauditconfig -getstat\fR
gen nona kern  aud  ctl  enq wrtn wblk rblk drop  tot  mem
910    1  725  184    0  910  910    0  231    0   88   48
.fi
.in -2
.sp

See \fBauditstat\fR(1M) for a description of the headings in \fB-getstat\fR output.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-gettid\fR\fR
.ad
.sp .6
.RS 4n
Print audit terminal ID for current process. For example:
.sp
.in +2
.nf
# \fBauditconfig -gettid\fR
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-lsevent\fR\fR
.ad
.sp .6
.RS 4n
Display the currently configured (runtime) kernel and user level audit event information.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-lspolicy\fR\fR
.ad
.sp .6
.RS 4n
Display the kernel audit policies with a description of each policy.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setasid\fR \fIsession-ID\fR [\fIcmd\fR]\fR
.ad
.sp .6
.RS 4n
Execute shell or \fIcmd\fR with specified \fIsession-ID\fR. For example:
.sp
.in +2
.nf
# \fB\&./auditconfig -setasid 2000 /bin/ksh\fR
#
# \fB\&./auditconfig -getpinfo 104485\fR
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 2000
.fi
.in -2
.sp

.RE

.sp
.ne 2
.mk
.na
\fB\fB-setaudit\fR \fIaudit-ID\fR \fIpreselect_flags\fR \fIterm-ID\fR \fIsession-ID\fR [\fIcmd\fR]\fR
.ad
.sp .6
.RS 4n
Execute shell or \fIcmd\fR with the specified audit characteristics.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setauid\fR \fIaudit-ID\fR [\fIcmd\fR]\fR
.ad
.sp .6
.RS 4n
Execute shell or \fIcmd\fR with the specified \fIaudit-ID\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setclass\fR \fIevent audit_flag\fR[\fI,audit_flag .\|.\|.\fR]\fR
.ad
.sp .6
.RS 4n
Map the kernel event \fIevent\fR to the classes specified by \fBaudit_flag\fR list. \fIevent\fR is an event number or name. An \fIaudit_flag\fR is a character string representing an audit class. See \fBaudit_flags\fR(5) for further information. If \fBperzone\fR is not set, this option is valid only in the global zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setflags\fR \fIaudit_flags\fR\fR
.ad
.sp .6
.RS 4n
Set the default user audit preselection flags; see \fBaudit_flags\fR(5). The default preselection flags are combined with the user's specific audit flags to form the user's audit preselection mask.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setkaudit\fR \fIIP-address_type\fR \fIIP_address\fR\fR
.ad
.sp .6
.RS 4n
Set IP address of machine to specified values. \fIIP-address_type\fR is \fBipv6\fR or \fBipv4\fR.
.sp
If \fBperzone\fR is not set, this option is valid only in the global zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setkmask\fR \fIaudit_flags\fR\fR
.ad
.sp .6
.RS 4n
Set non-attributable preselection flags of machine.
.sp
If \fBperzone\fR is not set, this option is valid only in the global zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setnaflags\fR \fIaudit_flags\fR\fR
.ad
.sp .6
.RS 4n
Set the non-attributable audit flags; see \fBaudit_flags\fR(5). Non-attributable audit flags define which classes of events are to be audited when the action cannot be attributed to an authenticated user. Failed login is an example of an event that is non-attributable.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setpmask\fR \fIpid\fR \fIflags\fR\fR
.ad
.sp .6
.RS 4n
Set the preselection mask of the specified process. \fIflags\fR is the ASCII representation of the flags similar to that in \fBaudit_flags\fR(5).
.sp
If \fBperzone\fR is not set, this option is valid only in the global zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setplugin\fR \fIplugin_name\fR \fBactive\fR|\fBinactive\fR [ \fIattributes\fR [\fIqsize\fR]]\fR
.ad
.br
.na
\fB\fB-setplugin\fR \fIplugin_name\fR [\fBactive\fR|\fBinactive\fR] \fIattributes\fR [\fIqsize\fR]\fR
.ad
.sp .6
.RS 4n
Configure the plugin \fIplugin_name\fR to be \fBactive\fR or \fBinactive\fR. Optionally configure the attributes and number of unprocessed audit records to queue for the plugin. See the relevant audit plugin man pages and \fBauditd\fR(1M).
.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-setpolicy\fR [\fI+\fR|\fI-\fR]\fIpolicy_flag\fR[\fI,policy_flag ...\fR]\fR
.ad
.sp .6
.RS 4n
Set the kernel audit policy. A policy \fIpolicy_flag\fR is literal strings that denotes an audit policy. A prefix of \fB+\fR adds the policies specified to the current audit policies. A prefix of \fB-\fR removes the policies specified from the current audit policies. No policies can be set from a local zone unless the \fBperzone\fR policy is first set from the global zone. The following are the valid policy flag strings (\fBauditconfig\fR \fB-lspolicy\fR also lists the current valid audit policy flag strings):
.sp
.ne 2
.mk
.na
\fB\fBall\fR\fR
.ad
.RS 16n
.rt  
Include all policies that apply to the current zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fBahlt\fR\fR
.ad
.RS 16n
.rt  
Panic is called and the system dumps core if an asynchronous audit event occurs that cannot be delivered because the audit queue has reached the high-water mark or because there are insufficient resources to construct an audit record. By default, records are dropped and a count is kept of the number of dropped records.
.RE

.sp
.ne 2
.mk
.na
\fB\fBarge\fR\fR
.ad
.RS 16n
.rt  
Include the \fBexecv\fR(2) system call environment arguments to the audit record. This information is not included by default.
.RE

.sp
.ne 2
.mk
.na
\fB\fBargv\fR\fR
.ad
.RS 16n
.rt  
Include the \fBexecv\fR(2) system call parameter arguments to the audit record. This information is not included by default.
.RE

.sp
.ne 2
.mk
.na
\fB\fBcnt\fR\fR
.ad
.RS 16n
.rt  
Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, process are suspended until audit resources become available.
.RE

.sp
.ne 2
.mk
.na
\fB\fBgroup\fR\fR
.ad
.RS 16n
.rt  
Include the supplementary group token in audit records. By default, the group token is not included.
.RE

.sp
.ne 2
.mk
.na
\fB\fBnone\fR\fR
.ad
.RS 16n
.rt  
Include no policies. If used in other than the global zone, the \fBahlt\fR and \fBperzone\fR policies are not changed.
.RE

.sp
.ne 2
.mk
.na
\fB\fBpath\fR\fR
.ad
.RS 16n
.rt  
Add secondary path tokens to audit record. These are typically the pathnames of dynamically linked shared libraries or command interpreters for shell scripts. By default, they are not included.
.RE

.sp
.ne 2
.mk
.na
\fB\fBperzone\fR\fR
.ad
.RS 16n
.rt  
Maintain separate configuration, queues, and logs for each zone and execute a separate version of \fBauditd\fR(1M) for each zone.
.RE

.sp
.ne 2
.mk
.na
\fB\fBpublic\fR\fR
.ad
.RS 16n
.rt  
Audit public files. By default, read-type operations are not audited for certain files which meet \fBpublic\fR characteristics: owned by root, readable by all, and not writable by all.
.RE

.sp
.ne 2
.mk
.na
\fB\fBtrail\fR\fR
.ad
.RS 16n
.rt  
Include the trailer token in every audit record. By default, the trailer token is not included.
.RE

.sp
.ne 2
.mk
.na
\fB\fBseq\fR\fR
.ad
.RS 16n
.rt  
Include the sequence token as part of every audit record. By default, the sequence token is not included. The sequence token attaches a sequence number to every audit record.
.RE

.sp
.ne 2
.mk
.na
\fB\fBwindata_down\fR\fR
.ad
.RS 16n
.rt  
Include in an audit record any downgraded data moved between windows. This policy is available only if the system is configured with Trusted Extensions. By default, this information is not included.
.RE

.sp
.ne 2
.mk
.na
\fB\fBwindata_up\fR\fR
.ad
.RS 16n
.rt  
Include in an audit record any upgraded data moved between windows. This policy is available only if the system is configured with Trusted Extensions. By default, this information is not included.
.RE

.sp
.ne 2
.mk
.na
\fB\fBzonename\fR\fR
.ad
.RS 16n
.rt  
Include the \fBzonename\fR token as part of every audit record. By default, the \fBzonename\fR token is not included. The \fBzonename\fR token gives the name of the zone from which the audit record was generated.
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fB-setremote\fR \fIserver\fR \fBactive\fR|\fBinactive\fR [\fIattributes\fR]\fR
.ad
.br
.na
\fB\fB-setremote\fR \fIserver\fR [\fBactive\fR|\fBinactive\fR] \fIattributes\fR\fR
.ad
.sp .6
.RS 4n
Configure the main audit remote server switch to be active or inactive. If it is set to inactive, all configured connection groups are deemed inactive. Optionally configure the common audit remote server attributes. For more information, see \fBars\fR(5).
.RE

.sp
.ne 2
.mk
.na
\fB\fR
.ad
.br
.na
\fB\fB-setremote\fR \fBgroup\fR \fBactive\fR|\fBinactive\fR \fIgroup_name\fR [\fIattributes\fR]\fR
.ad
.br
.na
\fB\fB-setremote\fR \fBgroup\fR [\fBactive\fR|\fBinactive\fR] \fIgroup_name\fR \fIattributes\fR\fR
.ad
.sp .6
.RS 4n
Configure the audit remote server connection group group_name to be active or inactive. Optionally configure the respective connection group attributes. For more information, see \fBars\fR(5).
.RE

.sp
.ne 2
.mk
.na
\fB\fR
.ad
.br
.na
\fB\fB-setremote\fR \fBgroup\fR \fBcreate\fR|\fBdestroy\fR \fIgroup_name\fR\fR
.ad
.sp .6
.RS 4n
Create or destroy the audit remote server connection group \fIgroup_name\fR. For more information, see \fBars\fR(5).
.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-setqbufsz\fR \fIbuffer_size\fR\fR
.ad
.sp .6
.RS 4n
Set the audit queue write buffer size (bytes). Zero (\fB0\fR), indicates reset to no configured value.
.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-setqctrl\fR \fIhiwater\fR \fIlowater\fR \fIbufsz\fR \fIinterval\fR\fR
.ad
.sp .6
.RS 4n
Set the audit queue write buffer size (bytes), hiwater audit record count, lowater audit record count, and wakeup interval (ticks). Valid within a local zone only if \fBperzone\fR is set. Zero (\fB0\fR), indicates reset to no configured value.
.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-setqdelay\fR \fIinterval\fR\fR
.ad
.sp .6
.RS 4n
Set the audit queue wakeup interval (ticks). This determines the interval at which the kernel pokes the audit queue, to write audit records to the audit trail. Valid within a local zone only if \fBperzone\fR is set. Zero (\fB0\fR), indicates reset to no configured value.
.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-setqhiwater\fR \fIhiwater\fR\fR
.ad
.sp .6
.RS 4n
Set the number of undelivered audit records in the audit queue at which audit record generation blocks. Valid within a local zone only if \fBperzone\fR is set. Zero (\fB0\fR), indicates reset to no configured value.
.RE

.sp
.ne 2
.mk
.na
\fB[\fB-t\fR] \fB-setqlowater\fR \fIlowater\fR\fR
.ad
.sp .6
.RS 4n
Set the number of undelivered audit records in the audit queue at which blocked auditing processes unblock. Valid within a local zone only if \fBperzone\fR is set. Zero (\fB0\fR), indicates reset to no configured value.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setsmask\fR \fIasid flags\fR\fR
.ad
.sp .6
.RS 4n
Set the preselection mask of all processes with the specified audit session ID. Valid within a local zone only if \fBperzone\fR is set.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setstat\fR\fR
.ad
.sp .6
.RS 4n
Reset audit statistics counters. Valid within a local zone only if \fBperzone\fR is set.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-setumask\fR \fIusername\fR|\fIauid flags\fR\fR
.ad
.sp .6
.RS 4n
Set the preselection mask of all processes with the specified username or audit ID. Valid within a local zone only if \fBperzone\fR is set.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRUsing \fBauditconfig\fR
.sp
.LP
The following are examples of \fBauditconfig\fR commands.

.sp
.in +2
.nf
#
# Map kernel audit event number 10 to the "fr" audit class.

# \fBauditconfig -setclass 10 fr\fR

#
# Turn on inclusion of exec arguments in exec audit records.

# \fBauditconfig -setpolicy +argv\fR
.fi
.in -2
.sp

.LP
\fBExample 2 \fRSetting Only the Number of Unprocessed Audit Records
.sp
.LP
The following sequence of commands sets only the number of unprocessed audit records to queue for the \fBaudit_binfile\fR plugin.

.sp
.in +2
.nf
# See if audit_binfile is active.
% \fBauditconfig -getplugin audit_binfile\fR

# Set to queue 20 unprocessed audit records.
#
% \fBauditconfig -setplugin audit_binfile "" 20\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRResetting Queue Control Parameters
.sp
.LP
The following commands reset active and configured queue control parameters.

.sp
.in +2
.nf
# Get the audit remote server configuration
\fBauditconfig -getremote\fR

# Change an audit remote server attribute
\fBauditconfig -setremote server \e
"listen_address=10.0.0.1,max_startups=10:30:60"\fR

# Create an audit remote server (wild card) connection group
\fBauditconfig -setremote group create egg_farm\fR

# Get a specific audit remote server connection group information
\fBauditconfig -getremote group egg_farm\fR

# Set a connection group attribute, activate the connection group
\fBauditconfig -setremote group active egg_farm \e
"hosts=tipo.cz.oracle.com,binfile_dir=/var/audit/ARS"\fR
.fi
.in -2
.sp

.LP
\fBExample 4 \fRConfiguring an Audit Remote Server
.sp
.LP
The following command configure an audit remote server.

.sp
.in +2
.nf
# Get the audit remote server configuration
\fBauditconfig -getremote\fR

# Change an audit remote server attribute
\fBauditconfig -setremote server \e
"listen_address=10.0.0.1,max_startups=10:30:60"\fR

# Create an audit remote server (wild card) connection group
\fBauditconfig -setremote group create egg_farm\fR

# Get a specific audit remote server connection group information
\fBauditconfig -getremote group egg_farm\fR

# Set a connection group attribute, activate the connection group
auditconfig -setremote group active egg_farm \e
"hosts=tipo.cz.oracle.com,binfile_dir=/var/audit/ARS"
.fi
.in -2
.sp

.SH EXIT STATUS
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 5n
.rt  
Successful completion.
.RE

.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.RS 5n
.rt  
An error occurred.
.RE

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/security/audit_event\fR\fR
.ad
.RS 29n
.rt  
Stores event definitions used in the audit system.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/security/audit_class\fR\fR
.ad
.RS 29n
.rt  
Stores class definitions used in the audit system.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Availabilitysystem/core-os
_
Interface StabilityCommitted
.TE

.SH SEE ALSO
.sp
.LP
\fBaudit\fR(1M), \fBauditd\fR(1M), \fBauditstat\fR(1M), \fBpraudit\fR(1M), \fBexecv\fR(2), \fBaudit_class\fR(4), \fBaudit_event\fR(4), \fBsystem\fR(4), \fBars\fR(5), \fBattributes\fR(5), \fBaudit_binfile\fR(5), \fBaudit_flags\fR(5), \fBaudit_remote\fR(5), \fBaudit_syslog\fR(5)
.sp
.LP
See the section on Auditing in \fISecuring Systems and Attached Devices in Oracle Solaris 11.3\fR.
.SH NOTES
.sp
.LP
If plugin output is selected using the \fB-setplugin\fR option, the behavior of the system with respect to the \fB-setpolicy\fR \fB+cnt\fR and the \fB-setqhiwater\fR options is modified slightly. If \fB-setpolicy\fR \fB+cnt\fR is set, data will continue to be sent to the selected plugin, even though output of the \fBaudit_binary\fR plugin is stopped, pending the freeing of disk space. If \fB-setpolicy\fR \fB-cnt\fR is used, the blocking behavior is as described under \fBSUBCOMMANDS\fR, above. The queue high water mark value is used within \fBauditd\fR as the upper bound for its queue limits unless overridden by means of the \fBqsize\fR attribute, as described in the explanation of the \fB-setplugin\fR option, above.
.sp
.LP
The \fBauditconfig\fR options that modify or display process-based information are not affected by the \fBperzone\fR policy. Those that modify system audit data such as the terminal id and audit queue parameters are valid only in the global zone, unless the \fBperzone\fR policy is set. The display of a system audit reflects the local zone if \fBperzone\fR is set. Otherwise, it reflects the settings of the global zone.
.sp
.LP
The change to plugins (\fB-setplugin\fR) and audit remote server (\fB-setremote\fR) settings do not take effect (such as becoming active or inactive, or changing the respective attributes) until the audit service is refreshed. Use \fBaudit\fR(1M) to refresh the audit service.