A change in your companys security policy now requires an audit trial of all administrators
assuming the sysadm role, capturing:
Executed commands, including options
Logins and logouts
There are two command necessary to accomplish this change. One is a rolemod command. What
is the other?
A.
auditconfig set policy=argv
B.
auditconfig-setpolicy +argv
C.
auditconfig-setflags lo, ex sysadm
D.
auditconfig set flags=lo, ex sysadm
Explanation:
Audit Significant Events in Addition to Login/Logout (see step 2 below)
Use this procedure to audit administrative commands, attempts to invade the system, and other
significant events as specified by your site security policy.
For all users and roles, add the AUE_PFEXEC audit event to their preselection mask.
# usermod -K audit_flags=lo,ps:no username
# rolemod -K audit_flags=lo,ps:no rolename
# auditconfig -setpolicy +argv
3- Record the environment in which audited commands are executed.
# auditconfig -setpolicy +arge
Note: [-t] -setpolicy [+|-]policy_flag[,policy_flag …]
Set the kernel audit policy. A policy policy_flag is literal strings that denotes an audit policy. A
prefix of + adds the policies specified to the current audit policies. A prefix of – removes thepolicies specified from the current audit policies. No policies can be set from a local zone unless
the perzone policy is first set from the global zone.
Reference: Oracle Solaris 11 Security Guidelines, Audit Significant Events in Addition to
Login/Logout
B is the correct answer
auditconfig -setpolicy +argv
# auditconfig -getplicy
configured audit plicies = argv,cnt
active audit policies = argv,cnt
#
C
C makes no sense, correct answer is B as stated by Rk