- audit daemon
The audit daemon, auditd, controls the generation and location of audit trail files and the generation of syslog messages based on its configuration (see auditconfig(1M)). If auditing is enabled, auditd reads its configuration to do the following:
Configure audit policy.
Configure the audit queue control parameters.
Configure the event-to-class mappings.
Set the default audit masks.
Load one or more plugins.
Solaris provides three plugins. audit_binfile(5) writes binary audit data to a file. audit_remote(5) sends binary audit data to an authenticated server with privacy and integrity protection. audit_syslog(5) sends text summaries of audit records to the syslog daemon.
Read audit data from the kernel and pass that data to each of the active plugins.
Execute the audit_warn(1M) script to warn of various conditions.
audit(1M) is used to control auditd. It can cause auditd to:
Close the current audit file and open a new one.
Start and refresh the service based on the current properties.
Close the audit trail and terminate auditing.
auditconfig(1M) is used to configure auditd. It can configure the active and permanent:
audit queue control parameters
default audit masks
which plugins are to be loaded
The maximum number of records to queue for audit data sent to the plugin is specified by the qsize parameter specified for the plugin. If omitted, the current hiwater mark is used. See the -getqctrl option in auditconfig(1M). When this maximum is reached, auditd will either block processes or discard data, depending on the cnt audit policy as described in auditconfig(1M).
See attributes(5) for descriptions of the following attributes:
See the section on Solaris Auditing in 《Oracle Solaris 管理：安全服务》.
auditd is loaded in the global zone at boot time if auditing is enabled.
If the audit policy perzone is set, auditd runs in each zone, starting automatically when the local zone boots. If a zone is running when the perzone policy is set, auditing must be started manually in local zones. It is not necessary to reboot the system or the local zone to start auditing in a local zone. auditd can be started with audit -s and will start automatically with future boots of the zone.
When auditd runs in a local zone, the configuration is taken from the local zone's smf(5) repository and the /etc/security directory's files: audit_class, user_attr, and audit_event.
Configuration changes do not affect audit sessions that are currently running, as the changes do not modify a process's preselection mask. To change the preselection mask on a running process, use the –setpmask option of the auditconfig command (see auditconfig(1M)). If the user logs out and logs back in, the new configuration changes will be reflected in the next audit session.
The audit service FMRI is svc:/system/auditd:default.