Managing Auditing in Oracle® Solaris 11.4

Updated: November 2020

Concepts in Planning Auditing

You want to be selective about what kinds of activities are audited. At the same time, you want to collect useful audit information. You also need to carefully plan who to audit and what to audit. If you are using the default audit_binfile plugin, note that audit files can quickly grow to fill the available space.

Planning an Audit Trail

If all your systems are within a single administrative domain, you can set up an audit policy that treats all the systems as a single-system image for auditing purposes.

To create a single-system image audit trail for these systems, follow these requirements:

  • Use the same naming service for all systems.

    For correct interpretation of the audit records, passwd, group, and hosts must be consistent.

  • Configure the audit service identically on all systems. For information about displaying and modifying the service settings, see the auditconfig(8) man page.

  • Use the same audit_warn, audit_event, and audit_class files for all systems.


Note -  Implementing an audit trail within a single administrative domain applies only to the audit_binfile plugin.

Refer to How to Plan Who and What to Audit for additional considerations for enabling auditing on the systems.

Planning Auditing in Zones

If your system contains non-global zones, the zones can be audited as the global zone is audited, or the audit service for each non-global zone can be configured, enabled, and disabled separately. For example, you could audit only the non-global zones and not audit the global zone.

For a discussion of the trade-offs, see Auditing on a System With Oracle Solaris Zones.

The options described in this section are available when implementing auditing in zones.

Implementing One Audit Service for All Zones

A system that has non-global zones installed can run a single audit service in the global zone to audit all zones identically. Auditing all zones identically can create a single-image audit trail. A single-image audit trail is possible when you are using the audit_binfile or the audit_remote plugin, and all zones on a system are part of one administrative domain. The audit records can then be easily compared because the records in every zone are preselected with identical settings.

This configuration treats all zones as part of one system. The global zone runs the only audit service on a system and collects audit records for every zone. You customize the audit_class and audit_event files only in the global zone, then copy these files to every non-global zone.

Use the following guidelines when configuring a single audit service for all the zones:

  • Use the same naming service for every zone.


    Note -  If naming service files are customized in non-global zones, and perzone policy is not set, then careful use of the audit tools is required to select usable records. A user ID in one zone can refer to a different user from the same ID in a different zone.
  • Enable the audit records to include the name of the zone.

    To include the zone name as part of the audit record, set the zonename policy in the global zone. The auditreduce command can then select audit events by zone from the audit trail. For an example, see the auditreduce(8) man page.

To plan a single audit service in the global zone to audit all zones identically, refer to How to Plan Who and What to Audit. Start with the first step. The global zone administrator must also set aside storage, as described in How to Plan Disk Space for Audit Records.

Implementing One Audit Service Per Zone

Choose to configure per-zone auditing if different zones use different naming service databases, or if zone administrators want to control auditing in their zones.


Note -  To audit non-global zones, the perzone policy must be set but the audit service does not have to be enabled in the global zone. Non-global zone auditing is configured and its audit service is enabled and disabled separately from the global zone.

  • When you configure per-zone auditing, you set the perzone audit policy in the global zone. If per-zone auditing is set before a non-global zone is first booted, auditing begins at the zone's first boot. To set audit policy, see How to Configure Per-Zone Auditing.

  • Each zone administrator configures auditing for the zone.

    A non-global zone administrator can set all policy options except perzone and ahlt.

  • Each zone administrator can enable or disable auditing in the zone.

  • To generate records that can be traced to their originating zone during review, set the zonename audit policy.
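The zonename policy described under Implementing One Audit Service for All Zones and the perzone policy described in this section are both set in the global zone with auditconfig(8). The following script is an added example, not part of the Oracle manual: it reads auditconfig -getpolicy style output (a constructed sample is embedded, since the script is meant to run anywhere), reports which of the required policies are not active, prints the auditconfig commands that would add them, and builds the auditreduce(8) -z selection for one zone. The exact "active audit policies =" line format is assumed from Oracle Solaris 11 output.

```shell
#!/bin/sh
# Added example (not from the Oracle manual): verify that the global zone's
# active audit policy includes the policies needed to trace records back to
# their zone, and print the remediation commands.

# Constructed sample of `auditconfig -getpolicy` output: perzone is active,
# zonename is not, so records would not carry the originating zone name.
SAMPLE_GETPOLICY='configured audit policies = cnt,perzone
active audit policies = cnt,perzone'

# Print, one per line, the policies listed on the "active audit policies" line
# of getpolicy-style text read from stdin.
active_policies() {
    sed -n 's/^active audit policies = //p' | tr ',' '\n' | sed '/^$/d'
}

# $1 is getpolicy-style text; the remaining arguments are required policy
# names. Prints the required policies that are not active, space separated.
missing_policies() {
    _text=$1; shift
    _active=$(printf '%s\n' "$_text" | active_policies)
    _missing=''
    for _p in "$@"; do
        if ! printf '%s\n' "$_active" | grep -qx "$_p"; then
            _missing="$_missing $_p"
        fi
    done
    printf '%s' "${_missing# }"
}

# Print the auditconfig(8) commands that would activate each missing policy.
# Both perzone and zonename must be set from the global zone; a non-global
# zone administrator cannot set perzone.
remediation_commands() {
    for _p in $(missing_policies "$@"); do
        printf 'auditconfig -setpolicy +%s\n' "$_p"
    done
}

# With zonename active, auditreduce(8) can select one zone's records by name.
auditreduce_zone_cmd() {
    printf 'auditreduce -z %s' "$1"
}

# Stand-alone run against the constructed sample.
remediation_commands "$SAMPLE_GETPOLICY" perzone zonename
auditreduce_zone_cmd zone1
echo
```

On a live global zone, replace the constructed sample with the output of `auditconfig -getpolicy` and pipe the printed remediation commands to sh only after reviewing them.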