Oracle Solaris 11 Security Guidelines (Oracle Solaris 11 Information Library)
Auditing keeps a record of how the system is being used. The audit service includes tools to assist with the analysis of the auditing data.
The audit service is described in Part VII, Auditing in Oracle Solaris, in Oracle Solaris Administration: Security Services.
For a list of the man pages and links to them, see Audit Service Man Pages in Oracle Solaris Administration: Security Services.
To satisfy your site requirements, the following audit service procedures might be useful:
Create separate roles to configure auditing, review auditing, and start and stop the audit service.
Use the Audit Configuration, Audit Review, and Audit Control rights profiles as the basis for your roles.
To create a role, see How to Create a Role in Oracle Solaris Administration: Security Services.
Monitor text summaries of audited events in the syslog utility.
Activate the audit_syslog plugin, then monitor the reported events.
Limit the size of audit files.
Set the p_fsize attribute for the audit_binfile plugin to a useful size. Consider your reviewing schedule, disk space, and cron job frequency, among other factors.
Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.
Review complete audit files on the audit review file system.
The audit_syslog plugin enables you to record summaries of preselected audit events.
You can display the audit summaries in a terminal window as they are generated by running a command similar to the following:
# tail -0f /var/adm/auditlog
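The following filter narrows the monitored summaries to failed events. It is an added example, not part of the Oracle documentation. The summary line layout it parses is an assumption, and the sample lines, host names, user names, and session numbers are constructed.

```sh
#!/bin/sh
# Added example: pick failed events out of audit_syslog summary lines.
# Assumed layout of a summary line (the samples below are constructed):
#   <date> <host> audit: [ID <n> audit.notice] <event> ok|failed [<reason>]
#       session <id> by <user> as <user>:<group> from <host>

# Print only the audit summary lines whose status is "failed".
failed_events() {
    awk '{
        start = 0
        for (i = 1; i <= NF; i++)
            if ($i == "audit.notice]") { start = i; break }
        if (!start) next                 # not an audit summary line
        status = ""
        for (i = start + 1; i <= NF; i++) {
            if ($i == "session") break   # status is assumed to precede "session"
            if (status == "" && ($i == "ok" || $i == "failed")) status = $i
        }
        if (status == "failed") print
    }'
}

# Count failed events per audit user, printed as "<count> <user>".
failed_by_user() {
    failed_events | awk '{
        for (i = 1; i + 3 <= NF; i++)
            if ($i == "session" && $(i + 2) == "by") { n[$(i + 3)]++; break }
    }
    END { for (u in n) print n[u], u }' | sort -k2,2
}

# Constructed sample input; host, user and session values are made up.
sample_log() {
    cat <<'EOF'
Oct 31 11:38:08 host1 audit: [ID 917521 audit.notice] login - ssh failed Invalid password session 401 by jdoe as jdoe:staff from client1
Oct 31 11:38:15 host1 audit: [ID 917521 audit.notice] login - ssh failed Invalid password session 402 by jdoe as jdoe:staff from client1
Oct 31 11:39:02 host1 audit: [ID 917521 audit.notice] login - ssh ok session 403 by jdoe as jdoe:staff from client1
Oct 31 11:40:47 host1 audit: [ID 917521 audit.notice] su failed Authentication failed session 404 by asmith as root:root from client1
Oct 31 11:41:00 host1 sshd[1234]: [ID 800047 auth.info] unrelated failed message by nobody
EOF
}

# Live use on the audited system, next to the tail command shown above:
#   tail -0f /var/adm/auditlog | failed_events
```

Running `sample_log | failed_by_user` lists each user with a count of failed events, which makes repeated failures by one account easy to spot.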
Audit records can be viewed in text format or in a browser in XML format.
For information and procedures, see the following: