Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019
 
 

New Feature – Displaying Auditing Data Graphically

In addition to the auditing tools that are described in Viewing Audit Records, administrators can use two new tools, the Oracle Solaris StatsStore and Oracle Solaris Analytics.

The Oracle Solaris StatsStore collects data from multiple sources such as SMF services, FMA, and the auditing system, and collects statistics from sources such as kstat, dtrace, and some applications. A related new tool, Oracle Solaris Analytics, provides graphic diagnosis tools that you can use to analyze data from the StatsStore to monitor and troubleshoot system activity.

Access to auditing data in the StatsStore and in Oracle Solaris Analytics requires the solaris.sstore.read.audit authorization. This authorization is granted to the Audit Review rights profile.

Viewing Audit Data in the Statistics Store

By default, audit records in the sstore meta-class are automatically forwarded to the StatsStore.

The sstore meta-class has replaced the lo class as the default set of audit flags. Audit classes included in the sstore meta-class are: lo, ss, as, and pe.

The total number of written audit records is provided as a statistic in the StatsStore. In addition, each configured audit class as defined in the audit_class file, has a corresponding total number of records that is generated as a statistic in the StatsStore, along with the total number of failed events and passed events for each audit class.

If auditing was configured for all audit records to be recorded only in the global zone, only the global zone's StatsStore receives audit class statistics. If auditing was configured so that each zone records audits independently, each zone's StatsStore receives audit class statistics.

Application developers who want to customize content in the StatsStore should see Adding Custom Data to the Oracle Solaris 11.4 StatsStore and System Web Interface.

Analytics' Auditing Sheet

The Oracle Solaris Analytics tool provides problem diagnosis tools that use the data from the Oracle Solaris StatsStore, including statistics about audit events. In the Analytics auditing sheet, administrators can review the amount of activity by audit class for specific time periods, and they can drill down in each graphic to view specific audit events.

    The Analytics auditing sheet provides graphical summaries of audit events by class that cover:

  • Monitoring system administration and access activity

  • Monitoring other audit event categories, such as networking and application activity

  • Monitoring file access activity

The Analytics auditing sheet uses descriptive class names that map to existing audit class names. The mapping is very similar to the mapping in the /etc/security/audit_class file.

For more information about the StatsStore and the Analytics tool, review Using Oracle Solaris 11.4 StatsStore and System Web Interface.