Auditing and Solaris Zones
Non-global zones can be audited exactly as the global zone is audited, or
non-global zones can set their own flags, storage, and audit policy.
When all zones are being audited identically, the configuration files in the global
zone provide the settings for auditing in every zone. The +zonename policy
option is useful in this configuration. When this option is set, the audit records from all
zones include the name of the zone, so the records can then be postselected
by zone name. To understand audit policy, see Determining Audit Policy. For an example, see How to Configure Audit Policy.
Zones can also be audited individually. When the perzone policy option is
set in the global zone, each non-global zone runs its own audit daemon,
handles its own audit queue, and specifies the content and location of its
audit records. A non-global zone can also set most audit policy options. It
cannot set policy that affects the entire system, so a non-global zone cannot
set the ahlt or perzone policy. For further discussion, see Auditing on a System With Zones and How to Plan Auditing in Zones.
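The two policy rules above, as an added shell sketch that is not part of the original Solaris documentation: it refuses ahlt and perzone outside the global zone and builds the auditconfig and auditreduce command lines for zone-aware auditing. The function names and the APPLY variable are assumptions of this sketch; commands are only printed unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example. Commands are printed, not executed, unless APPLY=1
# (APPLY is a variable of this sketch, not a Solaris setting).

# Policies the text says a non-global zone cannot set.
SYSTEM_WIDE="ahlt perzone"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# set_policy ZONE FLAG...
# ZONE is what zonename(1) prints: "global" or a non-global zone's name.
# FLAG is a policy name with a + or - prefix, for example +zonename.
set_policy() {
    zone=$1; shift
    rc=0
    for flag in "$@"; do
        name=${flag#[+-]}          # strip the leading + or -
        if [ "$zone" != "global" ]; then
            case " $SYSTEM_WIDE " in
                *" $name "*)
                    echo "refused: $name is system-wide, set it in the global zone" >&2
                    rc=1
                    continue ;;
            esac
        fi
        run auditconfig -setpolicy "$flag"
    done
    return $rc
}

# select_zone_records ZONE
# Postselects one zone's records from a shared audit trail. This relies on
# +zonename having been in effect when the records were written. With
# APPLY=1 the output is binary; pipe it to praudit to read it.
select_zone_records() {
    run auditreduce -z "$1"
}
```

In the global zone, `set_policy "$(zonename)" +zonename` prints the command that adds the zone name to every record; a later `select_zone_records` call with a zone's name prints the matching postselection command.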
To learn about zones, see Part II, Zones, in System Administration Guide: Virtualization Using the Solaris Operating System.