Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019
 
 

How to Audit Significant Events in Addition to Login/Logout

Use this procedure to audit administrative commands, system access, and other significant events as specified by your site security policy.


Note -  The examples in this procedure might not be sufficient to satisfy your security policy.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Audit all uses of privileged commands by users who are assigned administrative rights profiles and roles by adding the cusa audit class to their preselection mask.
    # usermod -K audit_flags=cusa:no username
    # rolemod -K audit_flags=cusa:no rolename

    The audit classes that the cusa meta-class includes are listed in the /etc/security/audit_class file.

  2. Record the arguments to audited commands.
    # auditconfig -setpolicy +argv
  3. (Optional) Record the environment in which audited commands are executed.
    # auditconfig -setpolicy +arge

    Note -  This policy option can be useful when troubleshooting.

See Also

An alternative to this procedure is to audit all successful or failed events that use privilege. For information, see New Feature – Per-Privilege Logging of Audit Events.