Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019

What Is Auditing?

Auditing is the collecting of data about the use of system resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility for actions that take place on a system.

Successful auditing starts with identification and authentication. At each login, after a user supplies a user name and PAM (pluggable authentication module) authentication succeeds, a unique and immutable audit user ID is generated and associated with the user, and a unique audit session ID is generated and associated with the user's process. The audit session ID is inherited by every process that is started during that login session. When a user switches to another user, all user actions are tracked with the same audit user ID. For more details about switching identity, see the su(1M) man page. Note that by default, certain actions such as booting and shutting down the system are always audited.

    The audit service enables the following operations:

  • Monitoring security-relevant events that take place on the system

  • Recording the events in a network-wide audit trail

  • Detecting misuse or unauthorized activity

  • Reviewing patterns of access and the access histories of individuals and objects

  • Discovering attempts to bypass the protection mechanisms

  • Discovering extended use of privilege that occurs when a user changes identity

Note -  To maintain security, audited events do not include sensitive information such as passwords. For more details, see Audit Records and Audit Tokens.