
Managing Auditing in Oracle® Solaris 11.4


Updated: February 2019

New Feature – Per-Privilege Logging of Audit Events

The admhist command uses a new pe audit class that automatically tracks, through the lifetime of a process, the successful use of privilege. The audit record shows the privileges that enabled the process to change the system's configuration.

Note - For information about the admhist command, see New Feature – Viewing a Summary of Audit Records.

By default, only successful use of privilege is monitored.

To include failed use of privilege in your audit reports, use the following auditconfig subcommands to modify which privileges are monitored and whether to monitor success or failure:

  • -setfprivs – Sets the privileges to monitor for failure

  • -setsprivs – Sets the privileges to monitor for success

  • -getfprivs – Displays the privileges to monitor for failed use

  • -getsprivs – Displays the privileges to monitor for successful use

Note - You can set the privileges temporarily with the -t option as follows:

$ auditconfig -setsprivs privileges -t

Similarly, to display only the temporary settings, add -t to the -getsprivs or -getfprivs subcommand.

To add specific privileges to the existing settings, prefix them with a plus sign (+) as follows:

...setsprivs +privileges

To remove specific privileges from the existing settings, prefix them with a minus sign (-) as follows:

...setsprivs -privileges

Use the following command to view successful events and failed events that you are auditing with pe:

$ auditreduce -m AUE_CMD_PRIVS | praudit

For more information, see the auditconfig(8) and auditreduce(8) man pages.