Oracle Solaris 11 Security Guidelines Oracle Solaris 11.1 Information Library
1. Overview of Oracle Solaris Security
2. Configuring Oracle Solaris Security
3. Monitoring and Maintaining Oracle Solaris Security
Auditing keeps a record of how the system is being used. The audit service includes tools to assist with the analysis of the auditing data.
The audit service is described in Part VII, Auditing in Oracle Solaris, in Oracle Solaris 11.1 Administration: Security Services.
Chapter 26, Auditing (Overview), in Oracle Solaris 11.1 Administration: Security Services
Chapter 27, Planning for Auditing, in Oracle Solaris 11.1 Administration: Security Services
Chapter 28, Managing Auditing (Tasks), in Oracle Solaris 11.1 Administration: Security Services
Chapter 29, Auditing (Reference), in Oracle Solaris 11.1 Administration: Security Services
For a list of the man pages and links to them, see Audit Service Man Pages in Oracle Solaris 11.1 Administration: Security Services.
To satisfy your site requirements, the following audit service procedures might be useful:
Create separate roles to configure auditing, review auditing, and start and stop the audit service.
Use the Audit Configuration, Audit Review, and Audit Control rights profiles as the basis for your roles.
To create a role, see How to Create a Role in Oracle Solaris 11.1 Administration: Security Services.
Monitor text summaries of audited events in the syslog utility.
Activate the audit_syslog plugin, then monitor the reported events.
See How to Configure syslog Audit Logs in Oracle Solaris 11.1 Administration: Security Services.
Limit the size of audit files.
Set the p_fsize attribute for the audit_binfile plugin to a useful size. Consider your reviewing schedule, disk space, and cron job frequency, among other factors.
For examples, see How to Assign Audit Space for the Audit Trail in Oracle Solaris 11.1 Administration: Security Services.
Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.
Review complete audit files on the audit review file system.
The audit_syslog plugin enables you to record summaries of preselected audit events.
You can display the audit summaries in a terminal window as they are generated by running a command similar to the following:
# tail -0f /var/adm/auditlog
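The following filter is an added example, not part of the Oracle guide: it reduces the audit_syslog summaries shown by the tail command above to failed events only. The function names audit_failures and sample_log are hypothetical, the hosts and users are constructed, and the record layout is an assumption based on the general shape of audit_syslog output, so check it against your own /var/adm/auditlog.

```shell
#!/bin/sh
# Added example, not from the Oracle guide.
# Assumed audit_syslog record layout (verify on your system):
#   <date> <time> <host> audit: [ID <n> audit.notice] <event> ok|failed
#   ... session <n> by <user> as <uid>:<gid> ...

# audit_failures: read syslog lines on stdin and print one
# "time user event" line for each failed audit event.
audit_failures() {
    awk '
    {
        # Locate the "audit.<level>]" tag; other syslog lines are skipped.
        start = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /audit\.[a-z]+\]$/) { start = i + 1; break }
        if (!start) next

        event = ""; result = ""; user = "?"
        for (i = start; i <= NF; i++) {
            if (result == "") {
                # Words before ok/failed form the event name.
                if ($i == "ok" || $i == "failed") result = $i
                else event = (event == "" ? $i : event " " $i)
            } else if ($i == "by" && i < NF) {
                user = $(i + 1); break
            }
        }
        if (result == "failed") print $3, user, event
    }'
}

# Constructed sample lines (hypothetical host and users).
sample_log() {
    cat <<'EOF'
Oct 31 11:38:08 host1 audit: [ID 917521 audit.notice] chdir(2) ok session 401 by jdoe as root:other from host2 obj /export/home
Oct 31 11:39:12 host1 audit: [ID 917521 audit.notice] login - ssh failed session 402 by jdoe as jdoe:staff from host2
Oct 31 11:40:00 host1 sshd[311]: [ID 800047 auth.info] unrelated syslog line
Oct 31 11:41:30 host1 audit: [ID 917521 audit.notice] su failed session 403 by asmith as root:root from host2
EOF
}

# Offline demonstration on the constructed lines.
sample_log | audit_failures
# Live use on the audited system:
#   tail -0f /var/adm/auditlog | audit_failures
```
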
Audit records can be viewed in text format or in a browser in XML format.
For information and procedures, see the following: