Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014

Audit Service

The audit service, auditd, is enabled by default. To find out how to enable, refresh, or disable the service, see Enabling and Disabling the Audit Service.

    Without customer configuration, the following defaults are in place:

  • All login events are audited.

    Both successful and unsuccessful login attempts are audited.

  • All users are audited for login and logout events, including role assumption and screen lock.

  • The audit_binfile plugin is active. The /var/audit directory stores audit records, the size of an audit file is not limited, and the queue size is 100 records.

  • The cnt policy is set.

    When audit records fill the available disk space, the system tracks the number of dropped audit records. A warning is issued when one percent of available disk space remains.

  • The following audit queue controls are set:

    • Maximum number of records in the audit queue before generating the records locks is 100

    • Minimum number of records in the audit queue before blocked auditing processes unblock is 10

    • Buffer size for the audit queue is 8192 bytes

    • Interval between writing audit records to the audit trail is 20 seconds

To display the defaults, see Displaying Audit Service Defaults.

    The audit service enables you to set temporary, or active, values. These values can differ from configured, or property, values.

  • Temporary values are not restored when you refresh or restart the audit service.

    Audit policy and audit queue controls accept temporary values. Audit flags do not have a temporary value.

  • Configured values are stored as property values of the service, so they are restored when you refresh or restart the audit service.

Rights profiles control who can administer the audit service. For more information, see Rights Profiles for Administering Auditing.

By default, all zones are audited identically. See Auditing and Oracle Solaris Zones.