Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019

Audit Service Glossary

These glossary entries cover words that can be ambiguous because they are used differently in different parts of the operating system, or have meanings in Oracle Solaris that are distinct from other operating systems.

asynchronous audit event

Asynchronous events are the minority of audit events. These system events are not associated with any process, so no process is available to be blocked and later woken up. Initial system boot and PROM enter and exit events are examples of asynchronous events. See audit event.

attributable audit event

An audit event on a system that can be attributed to a user.

audit class

A convenient container for large numbers of audit events. See audit event.

audit event

Each audit event represents an auditable action on a system. Each audit event is connected to a system call or user command, and is assigned to one or more audit classes. An audit event can be either an asynchronous audit event or a non-attributable audit event. Also see attributable audit event.

audit files

Binary audit logs. Audit files are stored separately in an audit file system.

audit policy

The global and per-user settings that determine which audit events are recorded. The global settings that apply to the audit service typically affect which pieces of optional information are included in the audit trail. Two settings, cnt and ahlt, affect the operation of the system when the audit queue fills. For example, audit policy might require that a sequence number be part of every audit record.

audit trail

The collection of all audit files from all systems.

non-attributable audit event

An audit event whose initiator cannot be determined, such as the AUE_BOOT event.


Generally, a plan or course of action that influences or determines decisions and actions. For computer systems, policy typically means security policy. Your site's security policy is the set of rules that define the sensitivity of the information that is being processed and the measures that are used to protect the information from unauthorized access. For example, security policy might require that systems be audited, that devices must be allocated for use, and that passwords be changed every six weeks.

See audit policy.

public object

A file that is owned by the root user and readable by the world, such as any file in the /etc directory.


An alternative to the all-or-nothing superuser model. User rights management and process rights management enable an organization to divide up superuser's privileges and assign them to users or roles. Rights in Oracle Solaris are implemented as kernel privileges, authorizations, and the ability to run a process as a specific UID or GID. Rights can be collected in a rights profile and a role.

security policy

See policy.

single-system image

A single-system image is used in Oracle Solaris auditing to describe a group of audited systems that use the same naming service. These systems send their audit records to a central audit server, where the records can be compared as if the records came from one system.

synchronous audit event

The majority of audit events. These events are associated with a process in the system. A non-attributable event that is associated with a process is a synchronous event, such as a failed login. See audit event.