Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019

Audit Service

The audit service, auditd, is enabled by default. To find out how to enable, refresh, or disable the service, see Enabling and Disabling the Audit Service.

The audit service tracks auditable actions that occur on a system. These auditable actions are defined as Audit Events. Each audit event is connected to a system call or user command and is assigned to one or more Audit Classes.

    Without customer configuration, the following defaults are in place:

  • All login events are audited.

    Both successful and unsuccessful login attempts are audited.

  • All users are audited for login and logout events, including role assumption and screen lock.

  • The audit_binfile plugin is active. /var/audit stores audit records The size of an audit file is not limited.

  • The cnt policy is set.

    When audit records fill the available disk space, the system tracks the number of dropped audit records. A warning is issued when one percent of available disk space remains.

To display the defaults, see Displaying Audit Service Defaults.

    The audit service enables you to set temporary, or active, values. These values can differ from configured, or property, values.

  • Temporary values are not restored when you refresh or restart the audit service.

    Audit policy accepts temporary values. Audit flags do not have a temporary value.

  • Configured values are stored as property values of the service, so they are restored when you refresh or restart the audit service.

Rights profiles control who can administer the audit service. For more information, see Rights Profiles for Administering Auditing.

By default, all zones are audited identically. See Auditing and Oracle Solaris Zones.