Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019
 
 

What Is Auditing?

Auditing is the collecting of data about the use of system resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility for actions that take place on a system.

Successful auditing starts with identification and authentication. At each login, after a user supplies a user name and PAM (pluggable authentication module) authentication succeeds, a unique and immutable audit user ID is generated and associated with the user, and a unique audit session ID is generated and associated with the user's Process Audit Characteristics. The audit session ID is inherited by every process that is started during that login session. When a user assumes a role or switches to another user, all original user actions are tracked with the same immutable audit user ID. For more details about assuming a role (switching identity), see the su(8) man page. Note that by default, certain actions such as booting and shutting down the system are always audited.

    The audit service enables the following operations:

  • Monitoring security-relevant events that take place on the system

  • Recording the events in a network-wide audit trail

  • Detecting misuse or unauthorized activity

  • Reviewing patterns of access and the access histories of individuals and objects

  • Discovering attempts to bypass the protection mechanisms

  • Discovering extended use of privilege that occurs when a user changes identity


Note -  To maintain security, audited events do not include sensitive information such as passwords. For more details, see Audit Records and Audit Tokens.