Regularly scheduled audits of network defenses should occur, especially with regard to safeguarding assets against the techniques intruders use and to analyzing activity after an intrusion. An effective security implementation comprises several life-cycle components, including security policies, perimeter defenses, and disaster recovery plans, to name a few. Event auditing can be a valuable tool for security forensics, real-time event monitoring, and tracing potential attackers. In this chapter, we'll discuss the components involved in Solaris auditing, the steps required to configure those components, and how to analyze the data in an audit trail.
Before we begin, it's important to note that Solaris auditing, especially with the new Solaris 10 kernel, is such a complex subsystem that an entire book would be necessary to cover all of its features and customizations. In this chapter, we'll cover only the material required by the exam.