|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library|
System startup and system shutdown
Login and logout
Process creation or process destruction, or thread creation or thread destruction
Opening, closing, creating, destroying, or renaming of objects
Use of privilege capabilities or role-based access control (RBAC)
Identification actions and authentication actions
Permission changes by a process or user
Administrative actions, such as installing a package
Audit records are generated from three sources:
By an application
As a result of an asynchronous audit event
As a result of a process system call
After the relevant event information has been captured, the information is formatted into an audit record. Contained in each audit record is information that identifies the event, what caused the event, the time of the event, and other relevant information. This record is then placed in an audit queue for the active plugins. At least one plugin must be active, although all plugins can be active.
By default, one plugin is active. This is the audit_binfile plugin, which writes the audit records to audit files. These files are stored locally in binary format. An active audit_remote plugin sends these records to a remote repository. An active audit_syslog plugin sends text summaries to the syslog utility. For an illustration, see Figure 26-1.
When stored locally, audit files can be in one or more ZFS pools. ZFS pools can make local storage easy to manage. These pools can be on different systems and on different but linked networks. The collection of audit files that are linked together is considered an audit trail.