Let me preface with I am semi-new to Solaris. I work with it in the labs at work and that's about my extent (although I run Linux at home).
Well, a week ago security comes around with updated requirements, some of which are the need to audit all failures. For the life of me I cannot get a failure of "more" or "cd" to show up in the audits. I am running Solaris 8.
/etc/security/audit_control
dir: /var/audit
flags: lo, -fc,-fd,-fr,-fw,-fm,-ad,-pc,-ex,-fa
minfree: 20
naflags: lo, -fc,-fd,-fr,-fw,-fm,-ad,-pc,-ex
So I updated that, logged in as myself and kicked up some errors, but nothing different shows up in the audit file. I kick off an audit by:
auditreduce -c XXX | praudit | /var/report_creator_f.pl
Where XXX is the flag, I do it for every flag and write the audits to a terminal to review them.
The thing is, no errors from me trying to access root files are being kicked up. Anything I am doing wrong??
Thank you in advance.
---------- Post updated at 04:27 PM ---------- Previous update was at 03:32 PM ----------
Correction: They are showing up but they only from /var and some /etc. When I did a cd into /Mail it did not kick up an event. Where are these "security relevant" files called out? And how the heck do i change it??