System Administration Guide: Security Services
Previous Next

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Solaris Cryptographic Services

13.  Solaris Cryptographic Framework (Overview)

14.  Solaris Cryptographic Framework (Tasks)

15.  Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Solaris Secure Shell (Tasks)

20.  Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Solaris Auditing

28.  Solaris Auditing (Overview)

What Is Auditing?

How Does Auditing Work?

How Is Auditing Related to Security?

Audit Terminology and Concepts

Auditing on a System With Zones

Solaris Auditing Enhancements in the Solaris 10 Release

29.  Planning for Solaris Auditing

30.  Managing Solaris Auditing (Tasks)

31.  Solaris Auditing (Reference)

Glossary

Index

How Does Auditing Work?

Auditing generates audit records when specified events occur. Most commonly, events that generate audit records include the following:

  • System startup and system shutdown

  • Login and logout

  • Process creation or process destruction, or thread creation or thread destruction

  • Opening, closing, creating, destroying, or renaming of objects

  • Use of privilege capabilities or role-based access control (RBAC)

  • Identification actions and authentication actions

  • Permission changes by a process or user

  • Administrative actions, such as installing a package

  • Site-specific applications

Audit records are generated from three sources:

  • By an application

  • As a result of an asynchronous event

  • As a result of a process system call

Once the relevant event information has been captured, the information is formatted into an audit record. The record is then written to audit files. Complete audit records are stored in binary format. With the Solaris 10 release, audit records can also be logged by the syslog utility.

Audit files that are stored in binary format can be stored in a local partition. The files can also be stored on NFS-mounted file servers. The location can include multiple partitions on the same system, partitions on different systems, or partitions on systems on different but linked networks. The collection of audit files that are linked together is considered an audit trail. Audit records accumulate in audit files chronologically. Contained in each audit record is information that identifies the event, what caused the event, the time of the event, and other relevant information.

Audit records can also be monitored by using the syslog utility. These audit logs can be stored locally. Or, the logs can be sent to a remote system over the UDP protocol. For more information, see Audit Files.
Previous Next