System Administration Guide: Security Services

Procedure: How to Configure Per-Zone Auditing

This procedure enables separate zone administrators to control the audit service in their zone. For the complete list of policy options, see the auditconfig(1M) man page.

  1. In the global zone, configure auditing, but do not enable the audit service.

    1. Complete the tasks in Configuring Audit Files (Task Map).

    2. Complete the tasks in Configuring and Enabling the Audit Service (Task Map), with the following exceptions.

      • Add the perzone audit policy. For an example, see Example 30–18.

      • Do not enable the audit service. You enable the audit service after the non-global zones are configured for auditing.

  2. In each non-global zone, configure the audit files.

    Note –

    If you are planning to disable auditing in the non-global zone, you can skip this step. To disable auditing, see Example 30–25.

    1. Complete the tasks in Configuring Audit Files (Task Map).

    2. Follow the procedures that are described in Configuring and Enabling the Audit Service (Task Map).

    3. Do not configure system-wide audit settings.

      Specifically, do not add the perzone or ahlt policy to the non-global zone's audit_startup file, and do not run the bsmconv command from the non-global zone.

    4. Enable auditing in your zone.

      When the global zone reboots after auditing is configured, auditing is automatically enabled in your zone.

      If the global zone administrator activates the perzone audit policy after the system is booted, individual zone administrators must enable auditing. For details, see Example 30–20.

  3. In the global zone, enable the audit service.

    For the procedure, see How to Enable the Audit Service.
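As an added pre-flight check for step 2 (not part of this guide), the following shell function scans a zone's audit_startup file for the system-wide policies that must not be set in a non-global zone. It assumes the Solaris 10 audit_startup layout of one `/usr/sbin/auditconfig -setpolicy` line per policy change; the sample files it builds are constructed for the demonstration, not real system files.

```shell
#!/bin/sh
# Added check, not from the guide: report perzone or ahlt if a zone's
# audit_startup would enable them. Assumes the Solaris 10 layout, one
#   /usr/sbin/auditconfig -setpolicy [+|-]policy[,policy...]
# per line; lines starting with '#' are comments and are ignored.

# check_zone_audit_startup FILE
#   prints each forbidden policy FILE enables, one per line, and returns 1;
#   returns 0 (prints nothing) if the file is safe for a non-global zone.
check_zone_audit_startup() {
    offending=$(
        grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/.*auditconfig[[:space:]].*-setpolicy[[:space:]]*+\{0,1\}\([^[:space:]]*\).*/\1/p' \
        | tr ',' '\n' \
        | grep -x -e perzone -e ahlt || true
    )
    [ -z "$offending" ] && return 0
    printf '%s\n' "$offending"
    return 1
}

# Constructed sample files (not real system files) to exercise the check.
safe=$(mktemp); bad=$(mktemp)
cat > "$safe" <<'EOF'
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
EOF
cat > "$bad" <<'EOF'
#!/bin/sh
/usr/sbin/auditconfig -setpolicy +cnt,perzone
# /usr/sbin/auditconfig -setpolicy +ahlt   (commented out, so ignored)
/usr/sbin/auditconfig -setpolicy -ahlt
/usr/sbin/auditconfig -conf
EOF

for f in "$safe" "$bad"; do
    if check_zone_audit_startup "$f" >/dev/null; then
        echo "$f: OK for a non-global zone"
    else
        echo "$f: NOT OK, sets: $(check_zone_audit_startup "$f" | tr '\n' ' ')"
    fi
done
rm -f "$safe" "$bad"
```

A `-setpolicy -ahlt` line removes the policy rather than adding it, so the check deliberately ignores it.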

Example 30–25 Disabling Auditing in a Non-Global Zone

This example works if the global zone has set the perzone audit policy. The zone administrator of the noaudit zone disables auditing for that zone. Because the administrator planned to disable auditing, she did not edit the audit configuration files.

noauditzone # svcadm disable svc:/system/auditd