Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: December 2018
 
 

How Does Auditing Work?

    Auditing generates audit records when specified events occur. Most commonly, events that generate audit records include the following:

  • System startup and system shutdown

  • Login and logout

  • Process creation or process destruction, or thread creation or thread destruction

  • Opening, closing, creating, destroying, or renaming of objects

  • Use of rights

  • Identification actions and authentication actions

  • Permission changes by a process or user

  • Administrative actions, such as installing a package

  • Site-specific applications

    Audit records are generated from three sources:

  • By an application

  • As a result of an asynchronous audit event

  • As a result of a process system call

After the relevant event information has been captured, the information is formatted into an audit record. Contained in each audit record is information that identifies the event, what caused the event, the time of the event, and other relevant information. This record is then placed in an audit queue and sent to the active plugins for storage. At least one plugin must be active or the remote audit server must be configured, although all plugins can be active. Plugins are described in How Is Auditing Configured? and Audit Plugin Modules.