Solaris Auditing Enhancements in the Solaris 10 Release

Since the Solaris 9 release, the following features have been introduced to Solaris auditing:

• Solaris auditing can use the syslog utility to store audit records in text format. For discussion, see Audit Logs. To set up the audit_control file to use the syslog utility, see How to Configure syslog Audit Logs.

• The praudit command has an additional output format, XML. XML is a standard, portable, processable format. The XML format enables the output to be read in a browser, and provides source for XML scripting for reports. The -x option to the praudit command is described in praudit Command.

• The default set of audit classes has been restructured. Audit metaclasses provide an umbrella for finer-grained audit classes. For a list of the default set of classes, see Definitions of Audit Classes.

• The bsmconv command no longer disables the use of the Stop-A key. The Stop-A event can be audited.

• The timestamp in audit records is reported in ISO 8601 format. For information about the standard, see http://www.iso.org.

• Three audit policy options have been added:

  • public – Public objects are no longer audited for read-only events. By not auditing public files, the audit log size is greatly reduced. Attempts to read sensitive files are therefore easier to monitor. For more on public objects, see Audit Terminology and Concepts.

  • perzone – The perzone policy has broad effects. A separate audit daemon runs in each zone. The daemon uses audit configuration files that are specific to the zone. Also, the audit queue is specific to the zone. For details, see the auditd(1M) and auditconfig(1M) man pages. For more on zones, see Auditing and Solaris Zones. For more on policy, see How to Plan Auditing in Zones.

  • zonename – The name of the Solaris zone in which an audit event occurred can be included in audit records. For more on zones, see Auditing and Solaris Zones. For a discussion of when to use the option, see Determining Audit Policy.

• Five audit tokens have been added:

  • The cmd token records the list of arguments and the list of environment variables that are associated with a command. For more information, see cmd Token.

  • The path_attr token records the sequence of attribute file objects that are below the path token object. For more information, see path_attr Token.

  • The privilege token records the use of privilege on a process. For more information, see privilege Token.

  • The uauth token records the use of authorization with a command or action. For more information, see uauth Token.

  • The zonename token records the name of the non-global zone in which an audit event occurred. The zonename audit policy option determines whether the zonename token is included in the audit record. For more information, see zonename Token.

    For overview information, see Auditing and Solaris Zones. To learn about zones, see Part II, Zones, in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.