Trusted Solaris Administration Overview

Auditing Tools

By default, auditing is enabled in the Trusted Solaris environment. This section describes the main utility programs and scripts for administering auditing. See the Trusted Solaris Audit Administration guide for how to disable or re-enable auditing.

audit and auditd

The audit(1M) command is an interface to control the current audit daemon. The audit daemon, auditd(1M), controls the generation and location of audit trail files, using information from the audit_control file. The auditd command starts the audit daemon if auditing is enabled. The audit command can halt the daemon, which stops the recording of audit records but not their collection; the command also provides other options for controlling the daemon.

The audit command enables you to:

auditconfig

The auditconfig(1M) command provides a command line interface to get and set kernel audit parameters, including setting various aspects of auditing policy.

audit_startup

The audit_startup(1M) script enables you to configure auditing parameters during system startup. The script initializes the audit subsystem before the audit daemon is started. This script currently consists of a series of auditconfig commands to set the system default policy and download the initial event-to-class mapping. The security administrator can access the audit_startup script from the System_Admin folder in the Application Manager.

audit_warn

The audit_warn(1M) script enables you to specify warnings to send out and other actions to take when the audit daemon detects problems. When a problem is encountered, the audit daemon calls audit_warn with the appropriate arguments. The option argument specifies the error type. You can specify a list of mail recipients to be notified when an audit_warn situation arises by defining a mail alias called audit_warn using the Mail Lists tool in the Users tool set in the SMC.

praudit

The praudit(1M) command prints the contents of an audit trail file in readable form.

auditreduce

The auditreduce(1M) command enables you to select or merge records from audit trail files from one or more hosts. The merge function merges audit records from one or more input audit trail files into a single output file. The select function enables you to select audit records on the basis of criteria relating to the record's content. The merge and select functions can be combined in a script with the praudit command to produce customized reports for your site.
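A report script of the kind described above, added here as an illustration and not taken from the Trusted Solaris guides: it chains an auditreduce selection (one audit user, one audit class, a time window) into praudit so the records come out one per line. The option letters are the standard auditreduce(1M) and praudit(1M) ones; the function names, the report directory and the sample user and dates are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the Trusted Solaris guides): chain an auditreduce
# selection into praudit to build a per-user report. Option letters are the
# standard auditreduce(1M)/praudit(1M) ones; the function names and the
# report directory below are assumptions made for this example.

AUDIT_REPORT_DIR=${AUDIT_REPORT_DIR:-/var/tmp/audit_reports}   # assumed path

# valid_date STR: accept the yyyymmdd[hh[mm[ss]]] form that auditreduce
# -a/-b/-d expect (all digits, 8, 10, 12 or 14 of them). Returns 0 if valid.
valid_date() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case ${#1} in
        8|10|12|14) return 0 ;;
        *) return 1 ;;
    esac
}

# build_report_cmd AUDIT_USER CLASS START END: print the pipeline that keeps
# records whose audit ID is AUDIT_USER (-u, the login identity that survives
# su), in audit class CLASS (-c, e.g. lo for login/logout), after START (-a)
# and before END (-b), then renders one record per line (praudit -l).
# Printing the command first lets the administrator review the selection
# before anything is run; returns 1 on a malformed timestamp.
build_report_cmd() {
    user=$1 class=$2 start=$3 end=$4
    valid_date "$start" && valid_date "$end" || return 1
    printf 'auditreduce -u %s -c %s -a %s -b %s | praudit -l' \
        "$user" "$class" "$start" "$end"
}

# run_report AUDIT_USER CLASS START END: run the pipeline and write the
# report to a file whose name records the selection; prints that path.
run_report() {
    cmd=$(build_report_cmd "$@") || {
        echo "run_report: timestamps must be yyyymmdd[hh[mm[ss]]]" >&2
        return 1
    }
    mkdir -p "$AUDIT_REPORT_DIR"
    out="$AUDIT_REPORT_DIR/$1-$2-$3-$4.txt"
    eval "$cmd" > "$out" && echo "$out"
}

# Usage: audit_report.sh AUDIT_USER CLASS START END
if [ "$#" -eq 4 ]; then
    run_report "$@"
fi
```

Run it on the audit server as the security administrator, since auditreduce with no file arguments reads every host's trail under the audit root.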

auditstat

The auditstat(1M) command displays kernel audit statistics, such as the number of audit records processed and how much memory is being used by the kernel audit module.