The audit service has a default configuration and is immediately operational on the global zone after you install Oracle Solaris. No additional action is required to enable or configure the service to become usable. With its default configuration, the audit service records the following operations:
Login and logout operations
Use of the su command
Screen lock and screen unlock operations
Because the service's default configuration has no performance impact on the system, disabling the service on performance grounds is not required.
Provided that you have the appropriate audit-related rights, such as those in the Audit Review Rights profile, you can review the audit logs. The logs are stored in /var/audit. You view these files by using the praudit and auditreduce commands. For more information, see Displaying Audit Trail Data.
The subsequent sections in this chapter provide instructions for customizing the audit service configuration, if the default configuration is insufficient for your needs.
The audit service is regulated by the following parameters:
Classes of attributable and non-attributable events
To display the audit service defaults, you typically use the auditconfig -get* subcommands. These subcommands display the current configuration of the parameter that is represented by the asterisk (*), such as -getflags, -getpolicy, or -getqctrl. To display the classes that are preselected for non-attributable events, use the auditconfig -getnaflags subcommand.
For more information about the auditconfig command, see the auditconfig(1M) man page.
The following examples show the appropriate command syntax to use to display the default audit configuration settings.
Example 1 Displaying the Default Class for Events
In this example, two subcommands display the preselected classes for attributable and non-attributable events respectively. To see which events are assigned to a class, and therefore which events are being recorded, run the auditrecord -c class command.
# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
lo is the flag for the login/logout audit class. The format of the mask output is (success,failure).
# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
Example 2 Displaying the Default Audit Policy
$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
The active policy is the policy currently in effect, but its value is not stored by the audit service. The configured policy is stored by the audit service, so it is restored when you restart the audit service.
Example 3 Displaying the Default Audit Plugins
$ auditconfig -getplugin
Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_fsize=4M;p_minfree=1;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;
The audit_binfile plugin is active by default.
Example 4 Displaying the Audit Queue Controls
$ auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
The active queue control is the queue control that is currently used by the kernel. The string no configured indicates that the system is using the default values.
The audit service is enabled by default. If the perzone audit policy is set, zone administrators must enable, refresh, or disable the audit service in each non-global zone as desired. If the perzone audit policy is not set, enabling, refreshing, or disabling the audit service from the global zone is effective for all non-global zones.
To disable or enable the audit service, you must become an administrator who is assigned the Audit Control rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
To disable the audit service, use the following command:
# audit -t
To enable the audit service, use the following command:
# audit -s
To verify that the audit service is running, use the following command:
# auditconfig -getcond
audit condition = auditing
If the perzone audit policy is set, then you must perform this verification in the non-global zones where you enabled auditing.
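As an added example (not part of the Oracle documentation), the following script parses the auditconfig output formats shown in Examples 1 through 4 and in the -getcond verification step, and reports any drift from the documented defaults (lo audited for success and failure in both the active and configured flags, audit_binfile active with p_dir=/var/audit, and the service running). The sample outputs are constructed copies of the page's examples; the functions parse_flags, class_audited, parse_plugins and check_defaults are hypothetical helpers, and the 0x1000 mask for the lo class is taken from the page's -getflags output.

```python
import re
# Constructed sample output, copied from the default-configuration examples on this page.
SAMPLE_FLAGS = """active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)"""
SAMPLE_PLUGINS = """Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_fsize=4M;p_minfree=1;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;"""
LO_MASK = 0x1000  # bit of the lo (login/logout) class, as shown in the -getflags output above
FLAG_RE = re.compile(r"^(active|configured) .*audit flags = (\S*?)\((0x[0-9a-f]+),(0x[0-9a-f]+)\)$", re.I)

def parse_flags(text):
    """Map 'active'/'configured' to (class list, success mask, failure mask)."""
    out = {}
    for line in text.splitlines():
        m = FLAG_RE.match(line.strip())
        if m:
            state, classes, succ, fail = m.groups()
            out[state.lower()] = (classes, int(succ, 16), int(fail, 16))
    return out

def class_audited(masks, bit):
    """Return (success, failure) booleans for one class bit; mask order is (success,failure)."""
    return bool(masks[1] & bit), bool(masks[2] & bit)

def parse_plugins(text):
    """Map plugin name to {'active': bool, 'attrs': {key: value}}; an empty value such as p_flags= is kept as ''."""
    plugins, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Plugin:"):
            current = plugins[line.split()[1]] = {"active": "(inactive)" not in line, "attrs": {}}
        elif line.startswith("Attributes:") and current is not None:
            current["attrs"].update(kv.split("=", 1) for kv in line.split(":", 1)[1].strip().split(";") if kv)
    return plugins

def check_defaults(flags, plugins, condition):
    """Report deviations from the defaults documented on this page; an empty list means none."""
    findings = []
    if condition.strip() != "audit condition = auditing":
        findings.append("audit service is not running")
    for state in ("active", "configured"):
        if state not in flags or class_audited(flags[state], LO_MASK) != (True, True):
            findings.append(f"{state} flags do not audit lo for success and failure")
    binfile = plugins.get("audit_binfile")
    if not binfile or not binfile["active"] or binfile["attrs"].get("p_dir") != "/var/audit":
        findings.append("audit_binfile is not active with p_dir=/var/audit")
    return findings
```

On a live system, feed the functions the text of auditconfig -getflags, -getplugin and -getcond; a non-empty findings list is what a baseline check should alert on.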