Auditing is now enabled by default in Solaris 11. Previously, enabling auditing required running the bsmconv tool and then rebooting. Now, however, it is an SMF service, svc:/system/auditd:default, and can be enabled and disabled without rebooting. Additional good news is that auditing has also received some internal performance optimizations.
Audit changes must now be made only through auditconfig. It is no longer possible to edit the old plaintext file /etc/security/audit_startup.
As usual for the audit daemon, logs are stored by default in the /var/audit directory. It is possible for each zone to have its own audit logs, or for the global zone to be responsible for everything. See the Audit policies section of this chapter for more details.
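
The following check is an added example, not taken from the original text: it reads the state of the auditd SMF service and the output of auditconfig -getpolicy, then reports whether auditing is online and whether zones keep their own audit trails. It assumes the Solaris perzone audit policy (not named above) is what selects per-zone logs; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: summarize a Solaris 11 host's auditing setup.
AUDIT_FMRI='svc:/system/auditd:default'

# active_policies TEXT -> prints the comma-separated active policy list
# taken from `auditconfig -getpolicy` output.
active_policies() {
    printf '%s\n' "$1" | sed -n 's/^active audit policies *= *//p'
}

# has_policy LIST NAME -> succeeds if NAME is in the comma-separated LIST
has_policy() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_summary STATE POLICY_TEXT -> one-line verdict; fails if not online
audit_summary() {
    state=$1
    pols=$(active_policies "$2")
    if [ "$state" != online ]; then
        echo "FAIL: auditd is $state"
        return 1
    fi
    # Assumption: the perzone policy means each zone keeps its own trail.
    if has_policy "$pols" perzone; then
        echo "OK: auditd online, per-zone audit trails (policies: $pols)"
    else
        echo "OK: auditd online, global zone audits all zones (policies: $pols)"
    fi
}

# On a live host use the real commands; otherwise a constructed sample.
if command -v auditconfig >/dev/null 2>&1; then
    STATE=$(svcs -H -o state "$AUDIT_FMRI")
    POLICY=$(auditconfig -getpolicy)
else
    STATE=online
    POLICY='configured audit policies = cnt
active audit policies = cnt'
fi
audit_summary "$STATE" "$POLICY"
```

A non-zero exit status means the service is not online, so the script can be dropped into a baseline compliance check.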