System Administration Guide: Security Services

ProcedureHow to Plan Auditing in Zones

If your system has implemented zones, you have two audit configuration possibilities:

For a discussion of the trade-offs, see Auditing on a System With Zones.

  1. Choose one of the following methods.

    • OPTION 1 - Configure a single audit service for all zones.

      Auditing all zones identically can create a single-image audit trail. A single-image audit trail occurs when all zones on a system are part of one administrative domain. The audit records can then be easily compared, because the records in every zone are preselected with identical settings.

      This configuration treats all zones as part of one system. The global zone runs the only audit daemon on a system, and collects audit logs for every zone. You customize audit configuration files only in the global zone, then copy the audit configuration files to every non-global zone.

      1. Copy the audit_control file from the global zone to every non-global zone.

      2. Use the same audit_user database for every zone.

        The audit_user database might be a local file, or you might get it from a shared naming service.

      3. Enable the audit records to be selected by zone.

        To put the zone name as part of the audit record, set the zonename policy in the global zone. The auditreduce command can then select audit events by zone from the audit trail. For an example, see the auditreduce(1M) man page.

      To plan a single-image audit trail, refer to How to Plan Who and What to Audit. Start with the first step. The global zone administrator must also set aside storage, as described in How to Plan Storage for Audit Records.

    • OPTION 2 - Configure one audit service per zone.

      Choose to configure per-zone auditing if different zones have different naming service files, or if zone administrators want to control auditing in their zones.

      • When you configure per-zone auditing, you must configure the global zone for auditing. You set the perzone audit policy in the global zone. To set audit policy, see How to Configure Per-Zone Auditing.

        Note –

        If naming service files are customized in non-global zones, and perzone policy is not set, then careful use of the audit tools is required to select usable records. A user ID in one zone can refer to a different user from the same ID in a different zone.

      • To generate records that can be traced to their originating zone, set the zonename audit policy in the global zone. In the global zone, run the auditreduce command with the zonename option. Then, in the zonename zone, run the praudit command on the auditreduce output.

      • Each zone administrator configures the audit files for the zone.

        A non-global zone administrator can set all policy options except perzone and ahlt.

      • Each zone administrator can enable or disable auditing in the zone.

      If you customize audit configuration files in every zone, use How to Plan Who and What to Audit to plan for every zone. You can skip the first step. Each zone administrator must also set aside storage for every zone, as described in How to Plan Storage for Audit Records.