Auditing keeps a record of how the system is being used. The audit service includes tools to assist with the analysis of the auditing data.
The audit service is described in Managing Auditing in Oracle Solaris 11.2. For a list of the man pages and links to them, see Audit Service Man Pages in Managing Auditing in Oracle Solaris 11.2.
The following audit service procedures are useful in many secure environments:
Create separate roles to configure auditing, review auditing, and start and stop the audit service. Assign the roles to trusted users.
Use the Audit Configuration, Audit Review, and Audit Control rights profiles as the basis for your roles.
To create roles or use the predefined ARMOR roles, see Assigning Rights to Users in Securing Users and Processes in Oracle Solaris 11.2.
Audit all administrators with the cusa audit class.
Events in the cusa audit class cover administrative actions that affect the system's security posture. For a description, see the /etc/security/audit_class file. For the procedure, see How to Audit Significant Events in Addition to Login/Logout.
Send audit records to a central server.
Configure auditing to work with the Audit Remote Server (ARS).
See How to Send Audit Files to a Remote Repository in Managing Auditing in Oracle Solaris 11.2.
Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.
Monitor text summaries of selected audited events in the syslog utility.
Activate the audit_syslog plugin, then monitor the reported events.
See How to Configure syslog Audit Logs in Managing Auditing in Oracle Solaris 11.2.
Limit the size of audit files.
Set the p_fsize attribute for the audit_binfile plugin to a useful size. Consider your reviewing schedule, disk space, and cron job frequency, among other factors.
For examples, see How to Assign Audit Space for the Audit Trail in Managing Auditing in Oracle Solaris 11.2.
Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.
Review complete audit files on the audit review file system.
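The scheduled transfer above should move only complete audit files, never the file that the audit_binfile plugin is still writing. The following sketch is an added example, not taken from the Oracle documentation. It relies on the audit_binfile naming convention (closed files are named start.end.hostname, the active file start.not_terminated.hostname) and assumes that the destination is the mount point of the audit review file system; the function names and both directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: stage only *complete* audit_binfile files for review.
# A closed audit file is named START.END.HOST with 14-digit timestamps.
# The file still being written is START.not_terminated.HOST and is skipped.

# Print the names of complete audit files in directory $1, oldest first.
complete_audit_files() {
    ls -1 "$1" 2>/dev/null |
        grep -E '^[0-9]{14}\.[0-9]{14}\..+$' |
        sort
}

# Copy complete files from audit directory $1 to review directory $2.
# Both paths are supplied by the caller (hypothetical, site-specific).
# Files already staged are skipped, each copy is compared with its source
# before it is given its final name, and staged files are made read-only.
# Prints the number of files staged by this run.
stage_complete_audit_files() {
    src=$1
    dst=$2
    staged=0
    for f in $(complete_audit_files "$src"); do
        [ -e "$dst/$f" ] && continue
        cp -p "$src/$f" "$dst/$f.partial" || return 1
        if cmp -s "$src/$f" "$dst/$f.partial"; then
            mv "$dst/$f.partial" "$dst/$f"
            chmod 0400 "$dst/$f"
            staged=$((staged + 1))
        else
            # A mismatch means the copy is not trustworthy; discard it.
            rm -f "$dst/$f.partial"
            return 1
        fi
    done
    echo "$staged"
}
```

Because files that are already staged are skipped, the function can be called repeatedly from a cron job at whatever frequency was chosen together with p_fsize.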