Randy,

> I'm wondering what Solaris auditing enhancements (if any) might come to
> improve granularity.

Thank you for your considered input. I'm presently going to be brief as I'm on a dialup with 26.4 as the best speed I can get from the local connection. I'll reply to individual points later if I've missed something.

Sun is aware that it is possible to select too much audit when auditing for file events. An audit policy can be set on a per-system (zone) basis to reduce this. See auditconfig(1M) setpolicy public:

"Audit public files. By default, read-type operations are not audited for certain file operations which meet public characteristics: owned by root, readable by all, and not writable by all."

Relative to audit selection on a per-user/per-file basis. With the introduction of ZFS in an upcoming Solaris release, the infrastructure will be there for the Audit project team to go forward with such an implementation. The greater challenge to doing this is the administrator interface to make this addition understandable (though you might say that all of audit is not understandable).

Relative to zones. See the perzone policy in auditconfig(). In the current release, see the public policy. It may provide enough noise reduction.

And thanks for your input.

Gary..
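
An added example, not part of the message above and not Sun's code: a survey script that applies the three "public" characteristics quoted from auditconfig(1M) to a directory tree, so an administrator can see which files have their read-type events left out of the trail by default. The names `is_public` and `survey`, the `owner_uid` parameter, and the restriction to regular files are assumptions made for this sketch; it approximates the quoted wording and is not the kernel's own check.

```python
import os
import stat
import sys

ROOT_UID = 0  # "owned by root" in the quoted policy text


def is_public(uid, mode, owner_uid=ROOT_UID):
    """True when (uid, mode) meets all three quoted characteristics."""
    owned_by_root = uid == owner_uid
    readable_by_all = bool(mode & stat.S_IROTH)
    writable_by_all = bool(mode & stat.S_IWOTH)
    return owned_by_root and readable_by_all and not writable_by_all


def survey(top, owner_uid=ROOT_UID):
    """Walk `top` and split regular files into (public, other) path lists.

    owner_uid is a hypothetical knob so the check can be exercised
    without root; leave it at 0 for a real survey.
    """
    public, other = [], []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue  # assumption: only regular files are surveyed
            bucket = public if is_public(st.st_uid, st.st_mode, owner_uid) else other
            bucket.append(path)
    return sorted(public), sorted(other)


if __name__ == "__main__":
    top = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    pub, oth = survey(top)
    print(f"{top}: {len(pub)} public files (reads unaudited by default), "
          f"{len(oth)} others (reads audited when the class is selected)")
    for path in oth[:20]:
        print("  audited on read:", path)
```

Files in the second list are the ones whose reads still generate records under the default setting, which is where a tuning effort for file-read auditing should start.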