If your system contains non-global zones, the zones can be audited as the global zone is audited, or the audit service for each non-global zone can be configured, enabled, and disabled separately. For example, you could audit only the non-global zones and not audit the global zone.
For a discussion of the trade-offs, see Auditing on a System With Oracle Solaris Zones.
The following options are available when implementing auditing in zones.
Auditing all zones identically can create a single-image audit trail. A single-image audit trail occurs when you are using the audit_binfile or the audit_remote plugin, and all zones on a system are part of one administrative domain. The audit records can then be easily compared because the records in every zone are preselected with identical settings.
This configuration treats all zones as part of one system. The global zone runs the only audit service on a system and collects audit records for every zone. You customize the audit_class and audit_event files only in the global zone, then copy these files to every non-global zone.
Use the following guidelines when configuring a single audit service for all the zones.
Use the same naming service for every zone.
Enable the audit records to include the name of the zone.
To put the zone name as part of the audit record, set the zonename policy in the global zone. The auditreduce command can then select audit events by zone from the audit trail. For an example, see the auditreduce (1M) man page.
To plan a single-image audit trail, refer to How to Plan Who and What to Audit. Start with the first step. The global zone administrator must also set aside storage, as described in How to Plan Disk Space for Audit Records.
Choose to configure per-zone auditing if different zones use different naming service databases, or if zone administrators want to control auditing in their zones.
When you configure per-zone auditing, you set the perzone audit policy in the global zone. If per-zone auditing is set before a non-global zone is first booted, auditing begins at the zone's first boot. To set audit policy, see How to Configure Per-Zone Auditing.
Each zone administrator configures auditing for the zone.
A non-global zone administrator can set all policy options except perzone and ahlt.
Each zone administrator can enable or disable auditing in the zone.