Configuring and Using Solaris Audit Logs

Determine your Solaris auditing policy. The "Oracle Solaris Auditing" section in the publication Oracle System Administration: Security Services can help you plan for what events to audit, where your audit logs should be saved, and how you want to review them.

If you have not enabled custom Solaris audit trails, these audit trails of logins and Unix commands issued by the acsss, acsdb, and acssa users are available:
  • Users who are currently signed on to Unix are recorded in the Unix utmpx database, and past user access is recorded in the wtmpx database.
  • Use the last command to see all access to a user ID (for example, last acsss). For more information, see the man pages for wtmpx, last, and getutxent.
  • The .*_history (that is [dot]*_history) files in a user’s home directory record the commands issued by that user.
    For the acsss user these may include:
    • .bash_history
    • .psql_history
    • .sh_history

  • On Solaris, /var/adm/sulog records successful and unsuccessful attempts to execute su and become superuser or another user.
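
One way to review the sulog entries described above for the acsss, acsdb, and acssa accounts. This is an added example, not part of the original documentation or of ACSLS. The function name and the sample lines are constructed for illustration, and the line layout (SU date time +/- tty from-to, where + is a successful su and - is a failed one) is assumed to be the standard Solaris sulog format.

```shell
#!/bin/sh
# Summarise su activity that involves the ACSLS accounts.
# Assumed sulog layout: SU MM/DD HH:MM <+|-> <tty> <from>-<to>
#   '+' = successful su, '-' = failed su.
# Assumption: user names contain no '-', so the first '-' splits from/to.

# Reads sulog lines on stdin and prints, sorted, one line per from-to
# pair where either side is acsss, acsdb or acssa:
#   <from>-<to> ok=<count> fail=<count>
sulog_acsls_summary() {
    awk '
        BEGIN { acct["acsss"] = 1; acct["acsdb"] = 1; acct["acssa"] = 1 }
        $1 == "SU" && NF >= 6 && ($4 == "+" || $4 == "-") {
            pair = $6
            i = index(pair, "-")
            if (i == 0) next                      # malformed from-to field
            from = substr(pair, 1, i - 1)
            to   = substr(pair, i + 1)
            if (!(from in acct) && !(to in acct)) next
            seen[pair] = 1
            if ($4 == "+")
                ok[pair]++
            else
                fail[pair]++
        }
        END {
            for (p in seen)
                printf "%s ok=%d fail=%d\n", p, ok[p], fail[p]
        }
    ' | sort
}

# Constructed sample input (not taken from a real system).
sample_sulog() {
    cat <<'EOF'
SU 03/02 09:14 + pts/1 acssa-acsss
SU 03/02 09:20 - pts/3 jdoe-acsss
SU 03/02 09:21 - pts/3 jdoe-acsss
SU 03/02 10:05 + console root-acsdb
SU 03/02 11:30 + pts/2 jdoe-root
EOF
}

# Demonstration on the sample; on a server run:
#   sulog_acsls_summary < /var/adm/sulog
sample_sulog | sulog_acsls_summary
```

Pairs with a nonzero fail count, such as repeated failed attempts to become acsss, are the entries to compare against the last output and the .*_history files listed above.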