Auditing is the collecting of data about the use of system resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility for actions that take place on a system.
Successful auditing starts with identification and authentication. At each login, after a user supplies a user name and PAM (pluggable authentication module) authentication succeeds, a unique and immutable audit user ID is generated and associated with the user, and a unique audit session ID is generated and associated with the user's process. The audit session ID is inherited by every process that is started during that login session. When a user switches to another user, all user actions are tracked with the same audit user ID. For more details about switching identity, see the su(1M) man page. Note that by default, certain actions such as booting and shutting down the system are always audited.
The audit service enables the following operations:
Monitoring security-relevant events that take place on the system
Recording the events in a network-wide audit trail
Detecting misuse or unauthorized activity
Reviewing patterns of access and the access histories of individuals and objects
Discovering attempts to bypass the protection mechanisms
Discovering extended use of privilege that occurs when a user changes identity