I am new to Solaris 10 and I am seeking some assistance with the
following auditing configuration in Solaris 10.

1. I would like to know if it is possible to edit the audit classes
(lo,fm,ad, etc) on the fly via command line rather than having to edit
the audit_control file manually. The reason for this is that I am
using RBAC and the security role has permissions to "audit review" and
"audit control" but not to edit the audit_control file or
stop/start/restart services. If there is another way around this, I am
certainly open to alternative solutions.

2. I am unable to get any changes I make to the audit classes in the
audit_control file registered into the auditing sub-system. If I edit
the audit_control file as root then issue an audit -s and do an
"auditconfig -getaudit" I do not see that the changes have taken
effect (e.g. flags:lo,ua,fm and nflags:lo,ua,fm). I have tried an
"auditconfig -conf" and "auditconfig -aconf" as well to no avail. I
have even stopped and started the audit daemon (svcadm disable/enable
system/auditd) with no luck. The only way I can get a change (addition
or removal of audit classes) to the audit_control file to take effect
is to reboot the system and this, of course, is not ideal at all.

Any advice is very much appreciated.

Originally a Solaris Admin
Briefly an HP-UX admin
Glad to be back into Solaris!
1/9/2007 1:26:30 AM