|Skip Navigation Links|
|Exit Print View|
|System Administration Guide: Security Services Oracle Solaris 11 Express 11/10|
The Oracle Solaris audit service, auditd, is disabled by default. To enable, refresh, or disable the service, see audit Command.
The Oracle Solaris audit service, auditd, is enabled by default.
Without customer configuration, when you enable the service, the following defaults are in place:
All login events are audited.
Both successful and unsuccessful login attempts are audited.
All users are audited for login, logout, and role assumption events.
The audit_binfile plugin is active. The /var/audit directory stores audit records, the size of an audit file is not limited, and the queue size is 100 records.
The cnt policy is set.
When audit records fill the available disk space, the system keeps a count of the number of dropped audit records. No warning is issued.
The following audit queue controls are set:
Maximum number of records in the audit queue before generating the records locks - 100
Minimum number of records in the audit queue before blocked auditing processes unblock - 10
Buffer size for the audit queue - 8192 bytes
Interval between writing audit records to the audit trail - 20 seconds
To display the defaults, see How to Display Audit Service Defaults.
The audit service enables you to set temporary, or active values. These values can differ from configured, or property values.
Temporary settings are not restored when you refresh or restart the audit service.
Audit policy and audit queue controls accept temporary values. Audit flags do not have a temporary setting.
Configured settings are stored as property values of the service, so are restored when you refresh or restart the audit service.
Rights profiles control who can administer the audit service. For more information, see Rights Profiles for Administering Auditing.
By default, all zones are audited identically. See Auditing and Oracle Solaris Zones.