How Does Auditing Work?
Auditing generates audit records when specified events occur. Most commonly, events that generate
audit records include the following:
System startup and system shutdown
Login and logout
Process creation or process destruction, or thread creation or thread destruction
Opening, closing, creating, destroying, or renaming of objects
Use of privilege capabilities or role-based access control (RBAC)
Identification actions and authentication actions
Permission changes by a process or user
Administrative actions, such as installing a package
Audit records are generated from three sources:
Once the relevant event information has been captured, the information is formatted into
an audit record. The record is then written to audit files. Complete audit
records are stored in binary format. With the Solaris 10 release, audit records
can also be logged by the syslog utility.
Audit files that are stored in binary format can be stored in a
local partition. The files can also be stored on NFS-mounted file servers. The
location can include multiple partitions on the same system, partitions on different systems,
or partitions on systems on different but linked networks. The collection of audit
files that are linked together is considered an audit trail. Audit records accumulate in audit
files chronologically. Contained in each audit record is information that identifies the event,
what caused the event, the time of the event, and other relevant information.
Audit records can also be monitored by using the syslog utility. These audit
logs can be stored locally. Or, the logs can be sent to
a remote system over the UDP protocol. For more information, see Audit Files.