Oracle® Solaris 11 Security Guidelines


Updated: August 2014

How to Audit Significant Events in Addition to Login/Logout

Use this procedure to audit administrative commands, system access, and other significant events as specified by your site security policy.

Note - The examples in this procedure might not be sufficient to satisfy your security policy.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Audit all uses of privileged commands by users who are assigned administrative rights profiles and roles.

    Add the cusa audit class to their preselection mask.

    # usermod -K audit_flags=cusa:no username
    # rolemod -K audit_flags=cusa:no rolename

    The audit classes that the cusa meta-class includes are listed in the /etc/security/audit_class file.

  2. Record the arguments to audited commands.

    # auditconfig -setpolicy +argv

  3. (Optional) Record the environment in which audited commands are executed.

    # auditconfig -setpolicy +arge

    Note - This policy option can be useful when troubleshooting.
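To confirm that the settings from steps 1 through 3 took effect, the following added example (not part of the original Oracle procedure) checks command output for the argv and arge policies and for the cusa class. It assumes that `auditconfig -getpolicy` prints an `active audit policies = ...` line and that `userattr audit_flags username` prints the flags as always-audit:never-audit; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the settings from steps 1-3 against command output.
# Assumed formats: an "active audit policies = a,b" line from
# `auditconfig -getpolicy`, and audit_flags as always-audit:never-audit.

# has_policy NAME: reads policy output on stdin; succeeds if NAME is active.
has_policy() {
    awk -v want="$1" '
        /^active audit policies/ {
            sub(/^[^=]*= */, "")
            n = split($0, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == want) found = 1
        }
        END { exit !found }'
}

# flags_has_class FLAGS CLASS: succeeds if CLASS is in the always-audit part
# with no +/- prefix, that is, audited for both success and failure.
flags_has_class() {
    always=${1%%:*}
    old_ifs=$IFS; IFS=,
    for f in $always; do
        if [ "$f" = "$2" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# check_settings POLICY_TEXT FLAGS: prints findings, returns the count of
# required settings that are missing (arge is optional, so only reported).
check_settings() {
    missing=0
    printf '%s\n' "$1" | has_policy argv ||
        { echo "argv policy not active"; missing=$((missing + 1)); }
    printf '%s\n' "$1" | has_policy arge ||
        echo "arge policy not active (optional step 3)"
    flags_has_class "$2" cusa ||
        { echo "cusa missing from always-audit flags"; missing=$((missing + 1)); }
    return "$missing"
}

# Constructed sample output, not captured from a real system.
SAMPLE_POLICY='configured audit policies = argv,cnt
active audit policies = argv,cnt'
check_settings "$SAMPLE_POLICY" 'cusa:no'
# On a live system (as root), assuming userattr prints the flags value:
#   check_settings "$(auditconfig -getpolicy)" "$(userattr audit_flags username)"
```

A nonzero exit status from check_settings is the number of required settings (argv, cusa) that are not in place.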

See also