You want to be selective about what kinds of activities are audited. At the same time, you want to collect useful audit information. You also need to carefully plan who to audit and what to audit. If you are using the default audit_binfile plugin, note that audit files can quickly grow to fill the available space.
Systems within a single administrative domain can create a single-system image audit trail.
To create a single-system image audit trail for a site, follow these requirements:
Use the same naming service for all systems.
For correct interpretation of the audit records, the passwd, group, and hosts files must be consistent.
Configure the audit service identically on all systems. For information about displaying and modifying the service settings, see the auditconfig(1M) man page.
Use the same audit_warn, audit_event, and audit_class files for all systems.
Refer to How to Plan Who and What to Audit for additional considerations for enabling auditing on the systems.
If your system contains non-global zones, the zones can be audited as the global zone is audited, or the audit service for each non-global zone can be configured, enabled, and disabled separately. For example, you could audit only the non-global zones and not audit the global zone.
For a discussion of the trade-offs, see Auditing on a System With Oracle Solaris Zones.
The following options are available when implementing auditing in zones.
Auditing all zones identically can create a single-image audit trail. A single-image audit trail occurs when you are using the audit_binfile or the audit_remote plugin, and all zones on a system are part of one administrative domain. The audit records can then be easily compared because the records in every zone are preselected with identical settings.
This configuration treats all zones as part of one system. The global zone runs the only audit service on a system and collects audit records for every zone. You customize the audit_class and audit_event files only in the global zone, then copy these files to every non-global zone.
Use the following guidelines when configuring a single audit service for all the zones.
Use the same naming service for every zone.
Enable the audit records to include the name of the zone.
To put the zone name as part of the audit record, set the zonename policy in the global zone. The auditreduce command can then select audit events by zone from the audit trail. For an example, see the auditreduce(1M) man page.
To plan a single-image audit trail, refer to How to Plan Who and What to Audit. Start with the first step. The global zone administrator must also set aside storage, as described in How to Plan Disk Space for Audit Records.
Choose to configure per-zone auditing if different zones use different naming service databases, or if zone administrators want to control auditing in their zones.
When you configure per-zone auditing, you set the perzone audit policy in the global zone. If per-zone auditing is set before a non-global zone is first booted, auditing begins at the zone's first boot. To set audit policy, see How to Configure Per-Zone Auditing.
Each zone administrator configures auditing for the zone.
A non-global zone administrator can set all policy options except perzone and ahlt.
Each zone administrator can enable or disable auditing in the zone.
To generate records that can be traced to their originating zone during review, set the zonename audit policy.