How Is Auditing Related to Security?
Solaris auditing helps to detect potential security breaches by revealing suspicious or abnormal
patterns of system usage. Solaris auditing also provides a means to trace suspect
actions back to a particular user, thus serving as a deterrent. Users who
know that their activities are being audited are less likely to attempt malicious
activities.

Protecting a computer system, especially a system on a network, requires mechanisms
that control activities before system processes or user processes begin. Security requires tools
that monitor activities as the activities occur. Security also requires reports of activities
after the activities have happened. Initial configuration of Solaris auditing requires that parameters
be set before users log in or system processes begin. Most auditing activities
involve monitoring current events and reporting those events that meet the specified parameters. How
Solaris auditing monitors and reports these events is discussed in detail in Chapter 29, Planning for Solaris Auditing
and Chapter 30, Managing Solaris Auditing (Tasks).

Auditing cannot prevent hackers from gaining unauthorized entry. However, the auditing service can report,
for example, that a specific user performed specific actions at a specific time
and date. The audit report can identify the user by entry path and
user name. Such information can be reported immediately to your terminal and to
a file for later analysis. Thus, the auditing service provides data that helps
you determine the following: