Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014

What Is Auditing?

Auditing is the collecting of data about the use of system resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility for actions that take place on a host.

Successful auditing starts with two security features: identification and authentication. At each login, after a user supplies a user name and PAM (pluggable authentication module) authentication succeeds, a unique and immutable audit user ID is generated and associated with the user, and a unique audit session ID is generated and associated with the user's process. The audit session ID is inherited by every process that is started during that login session. When a user switches to another user, all user actions are tracked with the same audit user ID. For more details about switching identity, see the su (1M) man page. Note that by default, certain actions such as booting and shutting down the system are always audited.

    The audit service enables the following operations possible:

  • Monitoring security-relevant events that take place on the host

  • Recording the events in a network-wide audit trail

  • Detecting misuse or unauthorized activity

  • Reviewing patterns of access and the access histories of individuals and objects

  • Discovering attempts to bypass the protection mechanisms

  • Discovering extended use of privilege that occurs when a user changes identity

Note -  To maintain security, not all audited events are viewable such as changed passwords. For more details, see Audit Records and Audit Tokens.