Go to main content

Managing Auditing in Oracle^® Solaris 11.4

Exit Print View

» ...Documentation Home » Oracle Solaris 11.4 Information Library » Managing Auditing in Oracle^® ... » Managing the Audit Service » Selecting What Is Audited » How to Audit Significant Events in Addition to ...

Updated: November 2020

Managing Auditing in Oracle^® Solaris 11.4

Document Information

Using This Documentation

Chapter 1 About Auditing in Oracle Solaris

Chapter 2 Planning for Auditing

Chapter 3 Managing the Audit Service

Default Configuration of the Audit Service

sstore Audit Meta-Class

Displaying Audit Service Defaults

Enabling and Disabling the Audit Service

Configuring the Audit Service

Configuring Audit With the auditconfig Subcommands

Auditing Per User or Rights Profile

New Feature – Auditing Events Temporarily

New Feature – Refreshing the auditset SMF Service After Changing Event-Class Mappings

New Feature – Auditing Verified Boot

New Feature – auditstat Command Extended

Audit Configuration Task Map

How to Preselect Audit Classes

How to Configure a User's Audit Characteristics

How to Change Audit Policy

How to Configure the audit_warn Email Alias

How to Add an Audit Class

How to Change an Audit Event's Class Membership

New Feature – Annotating Reason for Access in the Audit Record

Configuring Annotation

PAM Supports Annotation of Logins

Tracking Annotations in an Audit Trail

Selecting What Is Audited

How to Audit All Commands by Users

How to Audit Significant Events in Addition to Login/Logout

How to Find Audit Records of Changes to Specific Files

New Feature – Per-Object Logging of Audit Events

New Feature – Per-Privilege Logging of Audit Events

Specifying Files or Directories to Be Audited

How to Update the Preselection Mask of Logged In Users

How to Prevent the Auditing of Specific Events

How to Compress Audit Files on a Dedicated File System

How to Audit FTP and SFTP File Transfers

Configuring the Audit Service in Zones

How to Configure All Zones Identically for Auditing

How to Configure Per-Zone Auditing

Example: Configuring Oracle Solaris Auditing

New Feature – Restricting Access to Audit Records With File Labeling

Chapter 4 Configuring the Formats of Audit Logs and Where They Are Stored

Chapter 5 Viewing Audit Records

Chapter 6 Analyzing and Resolving Audit Issues

Chapter 7 Auditing Reference

Audit Service Glossary

Language:

How to Audit Significant Events in Addition to Login/Logout

Use this procedure to audit administrative commands, system access, and other significant events as specified by your site security policy.

Note - The examples in this procedure might not be sufficient to satisfy your security policy.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

Audit all uses of privileged commands by users who are assigned administrative rights profiles and roles by adding the cusa audit class to their preselection mask.
```
# usermod -K audit_flags=cusa:no username
```
```
# rolemod -K audit_flags=cusa:no rolename
```
The audit classes that the cusa meta-class includes are listed in the /etc/security/audit_class file.
Record the arguments to audited commands.
```
# auditconfig -setpolicy +argv
```
(Optional) Record the environment in which audited commands are executed.
```
# auditconfig -setpolicy +arge
```
Note - This policy option can be useful when troubleshooting.

See Also

An alternative to this procedure is to audit all successful or failed events that use privilege. For information, see New Feature – Per-Privilege Logging of Audit Events.

Copyright © 2002, 2020, Oracle and/or its affiliates.