Trusted Solaris Audit Administration

Audit Startup

Auditing is enabled when the audit daemon starts, usually when the workstation is booted (see the auditd(1M) man page). When troubleshooting, the daemon can be started manually by executing /usr/sbin/auditd in an admin_high shell in the secadmin role.

The existence of a file with the path name /etc/security/audit_startup causes the audit daemon to be run automatically when the system enters multiuser mode. The file is actually an executable script that is invoked as part of the startup sequence just prior to the execution of the audit daemon (see the audit_startup(1M) man page). A default audit_startup script that automatically configures the event-to-class mappings and sets the audit policies is created during audit package installation.

The security administrator can edit the audit_startup script to alter the default audit policy. See "Setting Audit Policies" for more information on audit policy.
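
Because this script decides both whether auditing starts at boot and which policies apply, it is worth reviewing after any edit. The following is an added example, not part of the original documentation or the shipped default script: a POSIX shell check of the file's presence, mode and active policy lines. It assumes the mapping and policy steps are auditconfig(1M) invocations (`auditconfig -conf`, `auditconfig -setpolicy ...`). The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: review an audit_startup script before relying on it.
# Assumption: mapping/policy steps are auditconfig(1M) calls.

# check_audit_startup PATH
# Prints findings; returns 0 when nothing is flagged, 1 otherwise.
check_audit_startup() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f (audit daemon is not started at multiuser boot)"
        return 1
    fi
    if [ ! -x "$f" ]; then
        echo "NOT EXECUTABLE: $f"
        rc=1
    fi
    # Mode string such as -rwxr--r--: char 6 is group write, char 9 other write.
    perms=$(ls -ld "$f" | awk '{print $1}')
    case $perms in
        ?????w*|????????w*) echo "WRITABLE BY GROUP OR OTHER: $perms"; rc=1 ;;
    esac
    # Consider only active (non-comment) lines.
    active=$(grep -v '^[[:space:]]*#' "$f" || true)
    if ! printf '%s\n' "$active" | grep 'auditconfig.*-conf' >/dev/null; then
        echo "NO EVENT-TO-CLASS MAPPING STEP (auditconfig -conf)"
        rc=1
    fi
    if ! printf '%s\n' "$active" | grep 'auditconfig.*-setpolicy' >/dev/null; then
        echo "NO AUDIT POLICY STEP (auditconfig -setpolicy)"
        rc=1
    fi
    # Show the policy lines so changes to the default policy are visible.
    printf '%s\n' "$active" | grep 'auditconfig.*-setpolicy' | sed 's/^/POLICY: /'
    return $rc
}

# Constructed sample for offline testing; writes a script to the path given.
write_sample_startup() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, not the shipped default
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -setpolicy +cnt
EOF
    chmod 744 "$1"
}
```

On a live system, run it as `check_audit_startup /etc/security/audit_startup` and compare the POLICY lines against the policy the site intends.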