Successful auditing depends on two other security features: identification and authentication. At login, after a user supplies a user name and password, a unique audit ID is associated with the user's process. The audit ID is inherited by every process started during the login session. Even if a user changes identity (see the su(1M) man page), all actions performed are tracked with the same audit ID.
Auditing makes it possible to:
Monitor security-relevant events that take place on the system
Record the events in an audit trail
Detect misuse or unauthorized activity (by analyzing the audit trail)
During system configuration, the system administrator selects which classes of events to monitor system-wide. The administrator can also fine-tune auditing for individual users by adding event classes to, or removing them from, what is recorded for that user.
After audit data is collected, audit-reduction and interpretation tools allow you to extract the parts of the audit trail that matter to an investigation. For example, you can select the audit records for individual users or groups, all records for a certain type of event on a specific day, or only the records that were generated within a certain window of time of day.
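The kind of selection described above, and the audit-ID behaviour described at the start of this chapter, as an added example that is not part of the original documentation: a small Python filter over a constructed, praudit-style text dump of an audit trail. On Solaris the same selections are made with auditreduce(1M) options such as -u (audit ID), -m (event), -d (day), -a and -b (time bounds), and the binary trail is rendered as text with praudit(1M); the token layout used here (one token per line, comma-separated fields, subject token carrying audit-ID then uid) is a simplified imitation of praudit output, so field positions are an assumption rather than a specification. The sample trail includes a user who runs su(1M): the uid in later records becomes root, but the audit ID stays the original login name, so selecting on the audit ID still returns the whole session.

```python
"""Filter a praudit-style text audit trail the way auditreduce(1M) does.

Added example, not Solaris code.  The record format is a constructed,
simplified imitation of praudit(1M) output; real field positions may differ.
"""
from datetime import datetime
from typing import Dict, List, Optional

Record = Dict[str, object]

# Constructed sample trail.  Each record runs from a "header" token to a
# "return" token.  Tokens:
#   header,byte-count,version,event-type,host,timestamp
#   subject,audit-ID,uid,gid,ruid,rgid,pid,sid,tid
# jdoe logs in, runs su to root, then changes a password: the uid changes
# to root but the audit ID (first subject field) stays jdoe throughout.
SAMPLE_TRAIL = """\
header,81,2,login - local,,2024-03-15 08:02:11.000 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,1201,1201,0 0 0.0.0.0
text,successful login
return,success,0
header,77,2,su,,2024-03-15 08:05:40.000 -07:00
subject,jdoe,root,other,root,other,1250,1201,0 0 0.0.0.0
text,success for user root
return,success,0
header,69,2,passwd,,2024-03-15 08:06:02.000 -07:00
subject,jdoe,root,other,root,other,1262,1201,0 0 0.0.0.0
return,success,0
header,81,2,login - local,,2024-03-15 22:14:09.000 -07:00
subject,mroe,mroe,staff,mroe,staff,1990,1990,0 0 0.0.0.0
text,invalid password
return,failure,1
header,81,2,login - local,,2024-03-16 09:00:00.000 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,2004,2004,0 0 0.0.0.0
text,successful login
return,success,0
"""


def parse_trail(text: str) -> List[Record]:
    """Group token lines into records; each record begins at a header token."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            current = {
                "event": fields[3],
                "time": datetime.strptime(fields[5], "%Y-%m-%d %H:%M:%S.%f %z"),
                "audit_id": None,
                "uid": None,
                "outcome": None,
                "text": [],
            }
            records.append(current)
        elif current is None:
            raise ValueError(f"token before any header: {line!r}")
        elif token == "subject":
            current["audit_id"], current["uid"] = fields[1], fields[2]
        elif token == "text":
            current["text"].append(",".join(fields[1:]))
        elif token == "return":
            current["outcome"] = fields[1]
            current = None  # record complete; the next token must be a header
    return records


def select(records: List[Record], *, audit_id: Optional[str] = None,
           event: Optional[str] = None, day: Optional[str] = None,
           not_before: Optional[str] = None,
           not_after: Optional[str] = None) -> List[Record]:
    """Select records like auditreduce -u/-m/-d/-a/-b.

    day is "YYYY-MM-DD"; not_before/not_after are "HH:MM:SS" clock times
    compared within each day (all strings are zero-padded, so lexical
    comparison is chronological).
    """
    out: List[Record] = []
    for r in records:
        stamp = r["time"]
        if audit_id is not None and r["audit_id"] != audit_id:
            continue
        if event is not None and r["event"] != event:
            continue
        if day is not None and stamp.strftime("%Y-%m-%d") != day:
            continue
        clock = stamp.strftime("%H:%M:%S")
        if not_before is not None and clock < not_before:
            continue
        if not_after is not None and clock > not_after:
            continue
        out.append(r)
    return out


def failed_logins(records: List[Record]) -> List[Record]:
    """One simple misuse check over the trail: login events that did not succeed."""
    return [r for r in records
            if str(r["event"]).startswith("login") and r["outcome"] != "success"]


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    # Everything jdoe did, including the actions taken as root after su.
    for r in select(trail, audit_id="jdoe"):
        print(r["time"], r["event"], "audit_id=%s uid=%s" % (r["audit_id"], r["uid"]), r["outcome"])
    for r in failed_logins(trail):
        print("FAILED LOGIN", r["time"], r["audit_id"], "; ".join(r["text"]))
```

Selecting on the audit ID rather than the uid is the point of the first paragraph of this chapter: the su and passwd records carry uid root, and a filter on uid would attribute them to root or drop them from jdoe's session, whereas the audit ID ties them back to the person who logged in.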
The rest of this chapter describes how to set up and administer auditing. Chapter 4, Device Allocation describes how to interpret the audit data.