The audit_remote plugin sends the binary audit trail to an ARS in the same format as the audit_binfile plugin writes to the local audit files. The audit_remote plugin uses the libgss library to authenticate the ARS, and a GSS-API mechanism to protect the transmission with privacy and integrity. For reference, see "What Is the Kerberos Service?" in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 and "Kerberos Utilities" in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2.
The only currently supported GSS-API mechanism is kerberosv5. For more information, see the mech(4) man page.
To verify whether a Kerberos realm is configured, issue the following command. The sample output indicates that Kerberos is not installed on the system.
# pkg info system/security/kerberos-5
pkg: info: no packages matching these patterns are installed on the system.
Before You Begin
This procedure assumes that you are using the audit_remote plugin.
You can use the system that will serve as the ARS, or you can use a nearby system. The ARS sends a significant amount of authentication traffic to the master KDC.
# pkg install pkg:/system/security/kerberos-5
On the master KDC, you use the Kerberos kdcmgr and kadmin commands to manage the realm. For more information, see the kdcmgr(1M) and kadmin(1M) man pages.
# pkg install pkg:/system/security/kerberos-5
This package includes the kclient command. On these systems, you run the kclient command to connect with the KDC. For more information, see the kclient(1M) man page.
If the clock skew between the audited systems and the ARS is too large, the connection attempt fails. After a connection is established, the local time on the ARS determines the names of the stored audit files, as described in Conventions for Binary Audit File Names.
For more information about the clocks, see Ensuring Reliable Time Stamps.
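A pre-flight check for the clock-skew failure described above, as an added example that is not part of the Oracle documentation: it compares clock samples from audited systems against the ARS clock and reports which systems would be rejected. The host names, timestamps and the check_skew and failing_hosts helpers are constructed for illustration, and the 300-second limit assumes the realm keeps the Kerberos default clockskew setting.

```shell
#!/bin/sh
# Added example: flag audited systems whose clock is too far from the ARS clock.
# Assumption: the realm uses the Kerberos default clockskew of 300 seconds.
MAX_SKEW=${MAX_SKEW:-300}

# Constructed sample: "hostname epoch-seconds", one line per audited system,
# collected at the same moment the ARS clock read ARS_EPOCH.
ARS_EPOCH=1700000000
SAMPLE_TIMES='
audit-client1 1700000012
audit-client2 1700000290
audit-client3 1700000421
audit-client4 1699999650
'

# check_skew ARS_EPOCH
# Reads "host epoch" lines on stdin and prints "host skew-seconds OK|FAIL".
# A malformed line is reported as INVALID instead of being silently passed.
check_skew() {
    awk -v ars="$1" -v max="$MAX_SKEW" '
        NF == 2 && $2 ~ /^[0-9]+$/ {
            d = $2 - ars
            if (d < 0) d = -d          # skew counts in either direction
            printf "%s %d %s\n", $1, d, (d > max ? "FAIL" : "OK")
            next
        }
        NF > 0 { printf "%s - INVALID\n", $1 }
    '
}

# failing_hosts ARS_EPOCH
# Prints a space-separated list of hosts that are out of tolerance or unparsable.
failing_hosts() {
    check_skew "$1" | awk '
        $3 != "OK" { printf "%s%s", sep, $1; sep = " " }
        END { if (sep) print "" }
    '
}

# Report for the constructed sample.
printf '%s\n' "$SAMPLE_TIMES" | check_skew "$ARS_EPOCH"
```

Systems listed by failing_hosts need their time source corrected before audit_remote can authenticate to the ARS.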