What Is Auditing?

Auditing is the collection of data about the use of machine resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility to actions that take place on a host. Successful auditing starts with two security features: identification and authentication. At login, after a user supplies a user name and password, a unique audit ID is associated with the user's process. The audit ID is inherited by every process that is started during the login session. Even if a user changes identity, all user actions are tracked with the same audit ID. See the su(1M) man page.

The auditing subsystem makes the following possible:

• Monitor security-relevant events that take place on the host

• Record the events in a network-wide audit trail

• Detect misuse or unauthorized activity

• Review patterns of access, and see the access histories of individuals and objects

• Discover attempts to bypass the protection mechanisms

• Discover which users are using root capabilities

During system configuration, you select which activities to monitor. You can also fine-tune the degree of auditing that is done for individual users.

After audit data is collected, audit-reduction and interpretation tools allow you to examine interesting parts of the audit trail. For example, you can choose to review audit records for individual users or specific groups. You can examine all records for a certain type of event on a specific day. Or you can select records that were generated at a certain time of day.