Before you enable auditing on your network, you can modify the defaults to satisfy your site auditing requirements. Best practice is to customize your audit configuration as much as possible before the first users log in.
If you have implemented zones, you can choose to audit all zones from the global zone or to audit non-global zones individually. For an overview, see Auditing and Oracle Solaris Zones. For planning, see Planning Auditing in Zones. For procedures, see Configuring the Audit Service in Zones.
To configure the audit service, you typically use auditconfig subcommands. The configuration that is set with these subcommands applies to the whole system.
auditconfig -get* displays the current configuration of the parameter that is represented by the asterisk (*), as shown in the examples of Displaying Audit Service Defaults.
auditconfig -set* assigns a value to the parameter that is represented by the asterisk (*), such as -setflags, -setpolicy, or -setqctrl. To configure classes for non-attributable events, you use the auditconfig -setnaflags subcommand.
auditconfig -conf configures kernel audit event-to-class mappings. Runtime class mappings are changed to match those in the audit event-to-class database file.
You can also customize auditing to apply to users or profiles rather than to the entire system. Audit class preselections for each user are specified by the audit_flags security attribute. These user-specific values, plus the preselected classes for the system, determine the user's audit mask, as described in Process Audit Characteristics.
By preselecting classes on a per-user basis rather than on a per-system basis, you can sometimes reduce the impact of auditing on system performance. Also, you might want to audit specific users slightly differently from the system.
To configure auditing that applies to users or profiles, you use the following commands:
userattr displays the audit_flags value that is set for users. By default, users are audited for the system-wide settings only.
usermod -K sets flags that apply to users.
profile sets flags that apply to profiles.
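How the system-wide preselection and a user's audit_flags value combine into that user's audit mask, worked through as an added example that is not part of the Oracle documentation. It assumes the rule that the mask is the system flags plus the user's always-audit classes, minus the never-audit classes, and that audit_flags has the form always-audit:never-audit; the function names are illustrative and the flag values are constructed.

```python
# Added example: combine system-wide flags with a user's audit_flags value.
# Limitation (assumption): the "all" metaclass is not expanded.
OUTCOMES = {"+": {"success"}, "-": {"failure"}}

def parse_flags(spec):
    """Parse a flag list such as 'lo,+ex,^-fw' into {class: outcomes}."""
    mask = {}
    for item in spec.split(","):
        item = item.strip()
        if item in ("", "no"):          # "no" selects no classes
            continue
        remove = item.startswith("^")   # "^" turns a selection off
        if remove:
            item = item[1:]
        outcomes = OUTCOMES.get(item[:1], {"success", "failure"})
        name = item[1:] if item[:1] in OUTCOMES else item
        if not name:
            raise ValueError("missing class name in %r" % spec)
        selected = mask.setdefault(name, set())
        if remove:
            selected -= outcomes
        else:
            selected |= outcomes
    return {n: o for n, o in mask.items() if o}

def effective_mask(system_flags, audit_flags):
    """(system flags + always-audit) - never-audit, per class and outcome."""
    always, _, never = audit_flags.partition(":")
    mask = parse_flags(system_flags)
    for name, outcomes in parse_flags(always).items():
        mask.setdefault(name, set()).update(outcomes)
    for name, outcomes in parse_flags(never).items():
        if name in mask:
            mask[name] -= outcomes
    return {n: o for n, o in mask.items() if o}

def format_mask(mask):
    """Render a mask back into flag syntax, sorted by class name."""
    parts = []
    for name in sorted(mask):
        both = len(mask[name]) == 2
        prefix = "" if both else ("+" if "success" in mask[name] else "-")
        parts.append(prefix + name)
    return ",".join(parts) or "no"

if __name__ == "__main__":
    # Constructed values: system audits lo and successful ex; the user adds
    # fw and failed fr, and is exempted from successful ex.
    print(format_mask(effective_mask("lo,+ex", "fw,-fr:+ex")))
```

On a live system the two inputs would come from auditconfig -getflags and from the user's audit_flags attribute as displayed by userattr.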
The following task map points to the procedures for configuring auditing. All tasks are optional.