Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019

Auditing in Trusted Extensions

Auditing in Trusted Extensions requires the same planning as in the Oracle Solaris OS. For details about planning, see Chapter 2, Planning for Auditing in Managing Auditing in Oracle Solaris 11.4.

    On a system that is configured with Trusted Extensions software, auditing is configured and is administered similarly to auditing on an Oracle Solaris system with some differences.

  • Per-zone auditing is discouraged, because it requires a root account in a labeled zone.

    Because audit configuration is performed in the global zone, user actions are audited identically in the global zone and in labeled zones.

  • In addition to the root role, the System Administrator and Security Administrator roles configure and administer auditing in Trusted Extensions.

    • The root role assigns audit flags to users and rights profiles, and edits system files, such as the audit_warn script.

    • The System Administrator role sets up the disks and the network of audit storage. This role creates an audit administration server and reviews audit logs.

    • The Security Administrator role decides what is to be audited and configures auditing. The initial setup team created this role by completing How to Create the Security Administrator Role in Trusted Extensions.

    Note -  A system only records the events in audit classes that the security administrator has preselected. Therefore, any subsequent audit review can only consider the events that have been recorded. As a result of misconfiguration, attempts to breach the security of the system can go undetected, or the administrator is unable to detect the user who is responsible for an attempted breach of security. Administrators must regularly analyze audit trails to check for breaches of security.
  • Trusted Extensions software adds audit events to the system.

    The new audit events and their audit classes are listed in the /etc/security/audit_event file. The audit event numbers for Trusted Extensions are between 9000 and 10000. See also the audit_event(5) man page.