Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014
 
 

Planning Auditing in Zones

If your system contains non-global zones, the zones can be audited as the global zone is audited, or the audit service for each non-global zone can be configured, enabled, and disabled separately. For example, you could audit only the non-global zones and not audit the global zone.

For a discussion of the trade-offs, see Auditing on a System With Oracle Solaris Zones.

The following options are available when implementing auditing in zones.

Implementing One Audit Service for All Zones

Auditing all zones identically can create a single-image audit trail. A single-image audit trail occurs when you are using the audit_binfile or the audit_remote plugin, and all zones on a system are part of one administrative domain. The audit records can then be easily compared because the records in every zone are preselected with identical settings.

This configuration treats all zones as part of one system. The global zone runs the only audit service on a system and collects audit records for every zone. You customize the audit_class and audit_event files only in the global zone, then copy these files to every non-global zone.

    Use the following guidelines when configuring a single audit service for all the zones.

  • Use the same naming service for every zone.


    Note -  If naming service files are customized in non-global zones, and perzone policy is not set, then careful use of the audit tools is required to select usable records. A user ID in one zone can refer to a different user from the same ID in a different zone.
  • Enable the audit records to include the name of the zone.

    To put the zone name as part of the audit record, set the zonename policy in the global zone. The auditreduce command can then select audit events by zone from the audit trail. For an example, see the auditreduce (1M) man page.

To plan a single-image audit trail, refer to How to Plan Who and What to Audit. Start with the first step. The global zone administrator must also set aside storage, as described in How to Plan Disk Space for Audit Records.

Implementing One Audit Service Per Zone

Choose to configure per-zone auditing if different zones use different naming service databases, or if zone administrators want to control auditing in their zones.


Note -  To audit non-global zones, the perzone policy must be set but the audit service does not have to be enabled in the global zone. Non-global zone auditing is configured and its audit service is enabled and disabled separately from the global zone.
  • When you configure per-zone auditing, you set the perzone audit policy in the global zone. If per-zone auditing is set before a non-global zone is first booted, auditing begins at the zone's first boot. To set audit policy, see How to Configure Per-Zone Auditing.

  • Each zone administrator configures auditing for the zone.

    A non-global zone administrator can set all policy options except perzone and ahlt.

  • Each zone administrator can enable or disable auditing in the zone.

  • To generate records that can be traced to their originating zone during review, set the zonename audit policy.


Note -  In per zone auditing, if the audit_binfile plugin is active, each zone administrator must also set aside storage for every zone, as described in How to Plan Disk Space for Audit Records. For additional planning instructions, see How to Plan Who and What to Audit.