Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014

Audit Service Man Pages

The following table summarizes the major administrative man pages for the audit service.

Man Page
Command that controls the actions of the audit service
audit -n starts a new audit file for the audit_binfile plugin.
audit -s enables and refreshes auditing.
audit -t disables auditing.
audit -v verifies that at least one plugin is active.
Default audit plugin, which sends audit records to a binary file. See also Audit Plugins.
Audit plugin that sends audit records to a remote receiver.
Audit plugin that sends text summaries of audit records to the syslog utility.
File that contains the definitions of audit classes. The eight high-order bits are available for customers to create new audit classes. For more information about the effect of modifying this file on system upgrade, see How to Add an Audit Class.
File that contains the definitions of audit events and maps the events to audit classes. The mapping can be modified. For more information about the effect of modifying this file on system upgrade, see How to Change an Audit Event's Class Membership.
Describes the syntax of audit class preselection, the prefixes for selecting only failed events or only successful events, and the prefixes that modify an existing preselection.
Describes the naming of binary audit files, the internal structure of a file, and the structure of every audit token.
Script that notifies an email alias when the audit service encounters an unusual condition while writing audit records. You can customize this script for your site to warn of conditions that might require manual intervention or can specify how to handle those conditions automatically.
Command that retrieves and sets audit configuration parameters.
Issue this auditconfig with no options to display a list of parameters that can be retrieved and set.
Command that displays the definition of audit events in the /etc/security/audit_event file. For sample output, see Displaying Audit Record Definitions.
Command that post-selects and merges audit records that are stored in binary format. The command can merge audit records from one or more input audit files. The records remain in binary format.
Uppercase options affect file selection. Lowercase options affect record selection.
Command that displays kernel audit statistics. For example, the command can display the number of records in the kernel audit queue, the number of dropped records, and the number of audit records that user processes produced in the kernel as a result of system calls.
Command that reads audit records in binary format from standard input and displays the records in a presentable format. The input can be piped from the auditreduce command or from a single audit file or a list of audit files. Input can also be produced with the tail -0f command for a current audit file.
File that is configured to send text summaries of audit records to the syslog utility for the audit_syslog plugin.