Auditing in Trusted Extensions requires the same planning as in the Oracle Solaris OS. For details about planning, see Chapter 2, Planning for Auditing in Managing Auditing in Oracle Solaris 11.4.
On a system that is configured with Trusted Extensions software, auditing is configured and is administered similarly to auditing on an Oracle Solaris system with some differences.
Per-zone auditing is discouraged, because it requires a root account in a labeled zone.
Because audit configuration is performed in the global zone, user actions are audited identically in the global zone and in labeled zones.
In addition to the root role, the System Administrator and Security Administrator roles configure and administer auditing in Trusted Extensions.
The root role assigns audit flags to users and rights profiles, and edits system files, such as the audit_warn script.
The System Administrator role sets up the disks and the network of audit storage. This role creates an audit administration server and reviews audit logs.
The Security Administrator role decides what is to be audited and configures auditing. The initial setup team created this role by completing How to Create the Security Administrator Role in Trusted Extensions.
Trusted Extensions software adds audit events to the system.
The new audit events and their audit classes are listed in the /etc/security/audit_event file. The audit event numbers for Trusted Extensions are between 9000 and 10000. See also the audit_event(5) man page.