Auditing Enhancements

This feature is new in the Software Express pilot program and in the Solaris 9 8/03 release. This feature is included in the Solaris 10 3/05 release.

Enhancements to the audit features in the Solaris software reduce noise in the trail, and enable administrators to use XML scripting to parse the trail. These enhancements include the following:

• Public files are no longer audited for read-only events. The public policy flag for the auditconfig command controls whether public files are audited. By not auditing public objects, the audit trail is greatly reduced. Attempts to read sensitive files are therefore easier to monitor.

• The praudit command has an additional output format, XML. The XML format enables the output to be read in a browser, and provides source for XML scripting for reports. See the praudit(1M) man page.

• The default set of audit classes has been restructured. Audit metaclasses provide support for more specific audit classes. See the audit_class(4) man page.

• The bsmconv command no longer disables the use of the Stop-A key combination. The Stop-A event is now audited to maintain security.

For further information, see the following sections in the System Administration Guide: Security Services:

• “Solaris Auditing (Reference)”

• “Definitions of Audit Classes”

• “praudit Command”

• “Solaris Auditing (Overview)”

• “Audit Terminology and Concepts”

• “Changes to Solaris Auditing for the Solaris 10 Release”