The audit service has a default configuration and is immediately operational on the global zone after you install Oracle Solaris. No additional action is required to enable or configure the service to become usable. Run the following command to determine your default configuration:
$ auditconfig -getflags
configured user default audit flags = sstore(0x200031000,0x200031000)
active user default audit flags = sstore(0x200031000,0x200031000)
Because the service's default configuration has no performance impact on the system, disabling the service on performance grounds is not required.
Provided that you have the appropriate audit-related rights, such as those in the Audit Review Rights profile, you can review the audit logs. The logs are stored in /var/audit. You view these files by using the praudit and auditreduce commands. For more information, see Displaying Audit Trail Data.
sstore is the audit meta-class which represents the group of events consumed by the Oracle Solaris StatsStore. The sstore meta-class is the default system-wide audit preselection mask.
For more information, see the audit_class(5) man page.
The audit service is regulated by the following parameters:
Classes of attributable and non-attributable events
Audit policy
Audit plugins
Queue controls
To display the audit service defaults, you typically use the auditconfig -get* subcommands. These subcommands display the current configuration of the parameter that is represented by the asterisk (*), such as -getflags, -getpolicy, or -getqctrl. To display information about classes for non-attributable events, use the auditconfig -getnaflags subcommand.
For more information about the auditconfig command, see the auditconfig(8) man page.
The following examples show the appropriate command syntax to use to display the default audit configuration settings.
Example 1 Displaying the Default Class for Events
In this example, two subcommands display the preselected classes for attributable and non-attributable events respectively. To see which events are assigned to a class, and therefore which events are being recorded, run the auditrecord -c class command.
Display the preselected classes for attributable events.
$ pfbash ; auditconfig -getflags
active user default audit flags = sstore(0x1000,0x1000)
configured user default audit flags = sstore(0x1000,0x1000)
sstore is the audit meta-class. See sstore Audit Meta-Class. The format of the mask output is (success,failure).
Display the preselected class for non-attributable events.
$ auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
Example 2 Displaying the Default Audit Policy
$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
The active policy is the policy currently in effect, but its value is not stored by the audit service. The configured policy is stored by the audit service, so it is the policy that is restored when you restart the audit service.
Example 3 Displaying the Default Audit Plugins
$ auditconfig -getplugin
Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_fsize=4M;p_minfree=1;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;
The audit_binfile plugin is active by default.
The audit service is enabled by default. If the perzone audit policy is set, zone administrators must enable, refresh, or disable the audit service in each non-global zone as desired. If the perzone audit policy is not set, enabling, refreshing, or disabling the audit service from the global zone is effective for all non-global zones.
To disable or enable the audit service, you must become an administrator who is assigned the Audit Control rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
To disable the audit service, use the following command:
$ pfbash ; audit -t
To enable the audit service, use the following command:
$ audit -s
To verify that the audit service is running, use the following command:
$ auditconfig -getcond
audit condition = auditing
If the perzone audit policy is set, then you must perform this verification in the non-global zones where you enabled auditing.
For more information, see the audit(8) and auditd(8) man pages.
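As an added example that is not part of the Oracle documentation, the following Python script parses the output of the auditconfig -getflags, -getnaflags, -getpolicy and -getcond subcommands shown above and reports any setting whose active value differs from its configured value, which is the case described above where a change is lost when the audit service restarts. The sample output is constructed from the values on this page, with the perzone policy entry added to show a drift; the function names are this example's own.

```python
import re

# Constructed sample, modelled on the auditconfig output shown on this page.
# The "perzone" entry in the active policies is constructed to show a drift.
SAMPLE_OUTPUT = """\
configured user default audit flags = sstore(0x200031000,0x200031000)
active user default audit flags = sstore(0x200031000,0x200031000)
configured non-attributable audit flags = lo(0x1000,0x1000)
active non-attributable audit flags = lo(0x1000,0x1000)
configured audit policies = cnt
active audit policies = cnt,perzone
audit condition = auditing
"""

LINE_RE = re.compile(
    r"^(configured|active) (user default audit flags|non-attributable audit flags|"
    r"audit policies) = (.*)$")
# One preselection entry: class(success_mask,failure_mask)
MASK_RE = re.compile(r"([a-z]+)\((0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def parse_auditconfig(text):
    """Return ({setting: {'configured': str, 'active': str}}, audit condition)."""
    settings, condition = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            state, setting, value = m.groups()
            settings.setdefault(setting, {})[state] = value.strip()
        elif line.startswith("audit condition = "):
            condition = line.split("=", 1)[1].strip()
    return settings, condition


def parse_mask(value):
    """Turn 'class(success,failure)' entries into {class: (success, failure)} ints."""
    return {cls: (int(s, 16), int(f, 16)) for cls, s, f in MASK_RE.findall(value)}


def find_drift(settings):
    """List (setting, configured, active) where the active value is not persisted."""
    drift = []
    for setting, states in sorted(settings.items()):
        conf, act = states.get("configured"), states.get("active")
        if conf is None or act is None:
            continue  # only one state present; nothing to compare
        if setting == "audit policies":
            same = set(conf.split(",")) == set(act.split(","))
        else:
            same = parse_mask(conf) == parse_mask(act)
        if not same:
            drift.append((setting, conf, act))
    return drift


if __name__ == "__main__":
    parsed, cond = parse_auditconfig(SAMPLE_OUTPUT)
    print("audit condition:", cond)
    for name, conf, act in find_drift(parsed):
        print(f"drift in {name}: configured={conf!r} active={act!r}")
```

On a real system, feed the script the concatenated output of the four auditconfig subcommands instead of SAMPLE_OUTPUT; an empty drift list and a condition of "auditing" is the expected state after installation.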