Go to main content

Managing Auditing in Oracle^® Solaris 11.4

Exit Print View

» ...Documentation Home » Oracle Solaris 11.4 Information Library » Managing Auditing in Oracle^® ... » Managing the Audit Service » Selecting What Is Audited » New Feature – Per-Privilege Logging of Audit ...

Updated: November 2020

Managing Auditing in Oracle^® Solaris 11.4

Document Information

Using This Documentation

Chapter 1 About Auditing in Oracle Solaris

Chapter 2 Planning for Auditing

Chapter 3 Managing the Audit Service

Default Configuration of the Audit Service

sstore Audit Meta-Class

Displaying Audit Service Defaults

Enabling and Disabling the Audit Service

Configuring the Audit Service

Configuring Audit With the auditconfig Subcommands

Auditing Per User or Rights Profile

New Feature – Auditing Events Temporarily

New Feature – Refreshing the auditset SMF Service After Changing Event-Class Mappings

New Feature – Auditing Verified Boot

New Feature – auditstat Command Extended

Audit Configuration Task Map

How to Preselect Audit Classes

How to Configure a User's Audit Characteristics

How to Change Audit Policy

How to Configure the audit_warn Email Alias

How to Add an Audit Class

How to Change an Audit Event's Class Membership

New Feature – Annotating Reason for Access in the Audit Record

Configuring Annotation

PAM Supports Annotation of Logins

Tracking Annotations in an Audit Trail

Selecting What Is Audited

How to Audit All Commands by Users

How to Audit Significant Events in Addition to Login/Logout

How to Find Audit Records of Changes to Specific Files

New Feature – Per-Object Logging of Audit Events

New Feature – Per-Privilege Logging of Audit Events

Specifying Files or Directories to Be Audited

How to Update the Preselection Mask of Logged In Users

How to Prevent the Auditing of Specific Events

How to Compress Audit Files on a Dedicated File System

How to Audit FTP and SFTP File Transfers

Configuring the Audit Service in Zones

How to Configure All Zones Identically for Auditing

How to Configure Per-Zone Auditing

Example: Configuring Oracle Solaris Auditing

New Feature – Restricting Access to Audit Records With File Labeling

Chapter 4 Configuring the Formats of Audit Logs and Where They Are Stored

Chapter 5 Viewing Audit Records

Chapter 6 Analyzing and Resolving Audit Issues

Chapter 7 Auditing Reference

Audit Service Glossary

Language:

New Feature – Per-Privilege Logging of Audit Events

The admhist command uses a new pe audit class that automatically tracks, through the lifetime of a process, the successful use of privilege. The audit record shows the privileges that enabled the process to change the system's configuration.

Note - For information about the admhist command, see New Feature – Viewing a Summary of Audit Records.

By default, only successful use of privilege is monitored.

To include failed use of privilege in your audit reports, use the following auditconfig subcommands to modify which privileges are monitored and whether to monitor success or failure:

–setfprivs – Sets the privileges to monitor for failure
–setsprivs – Sets the privileges to monitor for success
–getfprivs – Displays the privileges to monitor for failed use
–getsprivs – Displays the privileges to monitor for successful use

Note - You can set the privileges temporarily with the –t option as follows:

$ auditconfig -setsprivs privileges -t

Similarly, to display only the temporary settings, add –t to the getsprivs or getfprivs options.

To add specific privileges to the existing settings, include a plus as follows:

...setsprivs +privileges

To remove specific privileges, include a minus as follows:

...setsprivs -privileges

Use the following command to view successful events and failed events that you are auditing with pe:

$ auditreduce -m AUE_CMD_PRIVS | praudit

For more information, see the auditconfig(8) and auditreduce(8) man pages.

Copyright © 2002, 2020, Oracle and/or its affiliates.