I was having a problem with Solaris’s Basic Security Module. I’d make changes to the audit_control and run “audit -s”, but it didn’t look like it was having an effect. Or at least it wasn’t taking effect for every process.

It turns out that a process's audit preselection mask is set when its login session is created, and every process it forks inherits the parent's audit ID and mask. Running "audit -s" makes the new audit_control flags apply to sessions started after that point; processes that were already running keep the mask they inherited at login, which is why the change appeared to take effect for some processes and not others.

You can see the audit details of a process by using auditconfig:

$ auditconfig -getpinfo 23161

audit id = rold(25038)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 0,41352,gto(
audit session id = 23161

And you can change the mask using auditconfig:

$ auditconfig -setumask 25038 ex,lo,fw,fc,fd

This enables auditing of the ex (exec), lo (login/logout), fw (file write), fc (file create), and fd (file delete) classes. Note that -setumask changes the mask of every running process carrying audit ID 25038; use -setpmask with a pid to change a single process, or -setsmask with an audit session ID to change one session. These changes affect only processes that are already running; sessions created later still take their mask from audit_control.
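Since "audit -s" only covers sessions started afterwards, the practical follow-up is to push the new mask to the sessions that already exist. The script below is an added example, not code from the original post: it reads the output of "auditconfig -getpinfo" for one or more pids from stdin, pulls the numeric audit ID out of each block, and emits one "auditconfig -setumask" command per distinct audit ID. It assumes the getpinfo output layout shown above ("audit id = user(auid)"); the sample output embedded in it is constructed for the demonstration, and the audit user "backup" in it is made up.

```shell
#!/bin/sh
# Added example (not from the original post). "audit -s" re-reads
# audit_control for new login sessions only; processes that already exist
# keep the preselection mask they inherited at login, so they need
# "auditconfig -setumask <auid> <flags>" applied explicitly.
#
# Assumption: getpinfo prints "audit id = name(num)" as shown on the page.

# Print the numeric audit id from every "audit id = name(num)" line on stdin.
auids_from_pinfo() {
    sed -n 's/^audit id = [^(]*(\([0-9][0-9]*\)).*/\1/p'
}

# Read concatenated getpinfo blocks on stdin and print one setumask command
# per distinct audit id, so each audit user is touched only once.
setumask_cmds() {
    flags=$1
    auids_from_pinfo | sort -n | uniq | while read -r auid; do
        printf 'auditconfig -setumask %s %s\n' "$auid" "$flags"
    done
}

# Constructed sample (not real system output): two processes belonging to
# audit user rold and one belonging to a hypothetical user "backup".
SAMPLE_PINFO='audit id = rold(25038)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 0,41352,gto
audit session id = 23161
audit id = rold(25038)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 0,41352,gto
audit session id = 23161
audit id = backup(25100)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 0,41360,gto
audit session id = 23300'

# Run the pipeline over the constructed sample with the flags from the post.
demo_cmds() {
    printf '%s\n' "$SAMPLE_PINFO" | setumask_cmds ex,lo,fw,fc,fd
}

# Real use on a Solaris host (needs auditconfig and sufficient privilege):
#   for p in $(pgrep -u rold); do auditconfig -getpinfo "$p"; done \
#     | setumask_cmds ex,lo,fw,fc,fd | sh
```

Piping the generated commands into "sh" is deliberately a separate step so you can review which audit IDs are about to be changed before anything is applied.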

