Managing Auditing in Oracle® Solaris 11.3

Updated: April 2019

Configuring the Audit Service

Before you enable auditing on your network, you can modify the defaults to satisfy your site auditing requirements. Best practice is to customize your audit configuration as much as possible before the first users log in.

If you have implemented zones, you can choose to audit all zones from the global zone or to audit non-global zones individually. For an overview, see Auditing and Oracle Solaris Zones. For planning, see Planning Auditing in Zones. For procedures, see Configuring the Audit Service in Zones.

To configure the audit service, you typically use auditconfig subcommands. The configuration that is set with these subcommands applies to the whole system.

  • auditconfig -get* displays the current configuration of the parameter that is represented by the asterisk (*), as shown in the examples of Displaying Audit Service Defaults.

  • auditconfig -set* assigns a value to the parameter that is represented by the asterisk (*), such as -setflags, -setpolicy, or -setqctrl. To configure classes for non-attributable events (events that cannot be tied to an authenticated user, such as failed logins), you use the auditconfig -setnaflags subcommand.

  • auditconfig -conf configures the kernel's audit event-to-class mappings. The runtime mappings are reloaded to match those in the audit_event database file, so run it after you edit that file (see the audit_event(4) man page).

You can also customize auditing to apply to users or profiles rather than to the entire system. Audit class preselections for each user are specified by the audit_flags security attribute. These user-specific values, plus the preselected classes for the system, determine the user's audit mask, as described in Process Audit Characteristics.

By preselecting classes on a per user basis rather than on a per system basis, you can sometimes reduce the impact of auditing on system performance. Also, you might want to audit specific users slightly differently from the system.

To configure auditing that applies to users or profiles, you use the following commands:

  • userattr displays the audit_flags value that is set for users. By default, users are audited for the system-wide settings only.

  • usermod -K sets flags that apply to users.

  • profiles -p sets flags that apply to rights profiles.

For a description of the userattr command, see the userattr(1) man page. For a description of the audit_flags keyword, see the user_attr(4) and audit_flags(5) man pages.
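The following script is an added example and is not part of this Oracle Solaris documentation. It puts the system-wide auditconfig subcommands and the per-user usermod -K call described above into one re-runnable file, and adds a small helper that predicts the per-process preselection mask from the system-wide flags and a user's audit_flags value (system flags plus the user's always-audit flags, minus the never-audit flags, with "+" selecting success only, "-" failure only, and "^" turning a class off). The class selection, policy and queue-control values, and the account name jdoe are site choices made up for the example; metaclasses such as "all" are not expanded by the helper.

```sh
#!/bin/sh
# Added example (not from the Oracle Solaris docs): site audit configuration
# as a script, plus a predictor for the per-process preselection mask.
#   sh audit_site.sh        -> print the commands and the predicted mask (dry run)
#   sh audit_site.sh apply  -> run the commands (needs the Audit Configuration
#                              rights profile or root on the Solaris host)

SYS_FLAGS='lo,ex,fw'      # system-wide classes: login/logout, exec, file write (site choice)
AUDIT_USER='jdoe'         # hypothetical account
USER_FLAGS='fw:+ex'       # always:never -> always audit fw, never audit *successful* exec

# Run a command, or print it when AUDIT_DRY_RUN is set.
run() {
    if [ -n "${AUDIT_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Apply the site configuration with the commands the page lists.
site_audit_plan() {
    run auditconfig -setflags "$SYS_FLAGS"             # attributable events
    run auditconfig -setnaflags lo                     # non-attributable events
    run auditconfig -setpolicy +argv,zonename          # extra data in each record
    run auditconfig -setqctrl 200 5 8192 20            # hiwater lowater bufsz delay (site values)
    run usermod -K "audit_flags=$USER_FLAGS" "$AUDIT_USER"
    run userattr audit_flags "$AUDIT_USER"             # confirm what was stored
}

# effective_mask SYSFLAGS [ALWAYS:NEVER]
# Each class carries a success (s) and a failure (f) bit. System flags and the
# user's always flags set bits; the user's never flags clear them. Output is a
# sorted list of "class:bits" tokens, e.g. "ex:f fw:sf lo:sf".
effective_mask() {
    sys=$1
    user=${2:-}
    case $user in
        *:*) always=${user%%:*}; never=${user#*:} ;;
        *)   always=$user;       never='' ;;
    esac
    printf '%s\n%s\n%s\n' "$sys" "$always" "$never" |
    awk -F, '
        function apply(tok, add,    off, s, f) {
            if (tok == "") return
            off = 0
            if (substr(tok, 1, 1) == "^") { off = 1; tok = substr(tok, 2) }
            s = 1; f = 1
            if (substr(tok, 1, 1) == "+")      { f = 0; tok = substr(tok, 2) }
            else if (substr(tok, 1, 1) == "-") { s = 0; tok = substr(tok, 2) }
            if (add && !off) { if (s) succ[tok] = 1; if (f) fail[tok] = 1 }
            else             { if (s) succ[tok] = 0; if (f) fail[tok] = 0 }
        }
        NR <= 2 { for (i = 1; i <= NF; i++) apply($i, 1) }   # system flags, then always flags
        NR == 3 { for (i = 1; i <= NF; i++) apply($i, 0) }   # never flags
        END {
            for (c in succ) seen[c] = 1
            for (c in fail) seen[c] = 1
            for (c in seen) {
                bits = (succ[c] ? "s" : "") (fail[c] ? "f" : "")
                if (bits != "") print c ":" bits
            }
        }' | sort | paste -s -d ' ' -
}

case ${1:-plan} in
    apply) site_audit_plan ;;
    *)     AUDIT_DRY_RUN=1 site_audit_plan
           printf 'predicted mask for %s: %s\n' "$AUDIT_USER" \
               "$(effective_mask "$SYS_FLAGS" "$USER_FLAGS")" ;;
esac
```

Run the script without arguments first and compare the predicted mask with what auditconfig -getflags and userattr audit_flags report after an apply run on a test system; the dry-run output is also a convenient record of the intended configuration to keep with the site's change history. Because the never flags are applied last, a user whose audit_flags never list names a class will not be audited for it even if that class is in the system-wide flags, which is the behaviour to rely on when exempting a service account from a noisy class.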

The following task map points to the procedures for configuring auditing. All tasks are optional.

Table 4  Configuring the Audit Service Task Map

Select which events are audited.
    Preselects system-wide audit classes. If an event is attributable, then all users are audited for this event.

Select which events are audited for specific users.
    Sets user-specific differences from the system-wide audit classes.

Specify audit policy.
    Defines additional audit data that your site requires.

Specify queue controls.
    Modifies the default buffer size, the number of audit records held in the queue (high- and low-water marks), and the maximum delay before queued records are written to the audit trail.

Create the audit_warn email alias.
    Defines who receives email warnings when the audit service needs attention.

Configure audit logs.
    Configures the location of audit records for each plugin.

Add audit classes.
    Reduces the number of audit records by creating a new audit class to hold critical events.

Change event-to-class mappings.
    Reduces the number of audit records by changing the event-class mapping.