How Does Auditing Work?
Auditing generates audit records when specified events occur. Most commonly, events that generate audit records include the following:

• System startup and system shutdown
• Login and logout
• Process creation or process destruction, or thread creation or thread destruction
• Opening, closing, creating, destroying, or renaming of objects
• Use of privilege capabilities or role-based access control (RBAC)
• Identification actions and authentication actions
• Permission changes by a process or user
• Administrative actions, such as installing a package
• Site-specific applications

Audit records are generated from three sources:

• By an application
• As a result of an asynchronous audit event
• As a result of a process system call

Once the relevant event information has been captured, the information is formatted into an audit record. The record is then written to audit files. Complete audit records are stored in binary format. With the Solaris 10 release, audit records can also be logged