How to confirm that auditing is enabled (Solaris 10)

Verify that the c2audit kernel module is loaded.

# modinfo | grep c2audit

No listing indicates that auditing is not running. The following listing indicates that auditing is running:

40  132ce90  14230 186   1  c2audit (C2 system call)

Verify that the audit daemon is running.

Verify the status of the auditd service. The following listing indicates that auditing is not running:

# svcs -x auditd
svc:/system/auditd:default (Solaris audit daemon)
 State: disabled since Fri Aug 14 19:02:35 2009
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: auditd(1M)
   See: audit(1M)
Impact: This service is not running.

The following listing indicates that the audit service is running:

# svcs auditd
STATE          STIME    FMRI
online         10:10:10 svc:/system/auditd:default

 

Verify the current audit condition. The following listing indicates that auditing is not running:


# auditconfig -getcond
auditconfig: auditon(2) failed.
auditconfig: error = Operation not supported(48)

The following listing indicates that auditing is running:

# auditconfig -getcond
audit condition = auditing
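
The three checks above combined into one script, as an added example that is not part of the original page. The function names are assumptions, and it assumes a POSIX shell (ksh or bash); the parsers read command output on stdin, so saved output from a host can be checked as well as a live system.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Succeeds if `modinfo` output (stdin) lists the c2audit kernel module.
c2audit_loaded() {
    grep -w c2audit >/dev/null
}

# Succeeds if `svcs auditd` output (stdin) shows the service as online.
auditd_online() {
    grep '^online .*svc:/system/auditd:' >/dev/null
}

# Prints the value from `auditconfig -getcond` output (stdin); prints
# nothing when the command returned the "auditon(2) failed" listing.
audit_cond() {
    sed -n 's/^audit condition = //p'
}

# $1 = modinfo output, $2 = svcs output, $3 = auditconfig output.
# Reports every failed check and returns 0 only if all three pass.
audit_enabled() {
    rc=0
    printf '%s\n' "$1" | c2audit_loaded ||
        { echo "c2audit module: not loaded"; rc=1; }
    printf '%s\n' "$2" | auditd_online ||
        { echo "auditd service: not online"; rc=1; }
    cond=$(printf '%s\n' "$3" | audit_cond)
    [ "$cond" = auditing ] ||
        { echo "audit condition: ${cond:-unavailable}"; rc=1; }
    [ "$rc" -eq 0 ] && echo "auditing is enabled"
    return "$rc"
}

# On a Solaris host, run the real commands; 2>&1 keeps the error text
# that auditconfig and svcs write to stderr.
if [ "$(uname -s)" = SunOS ]; then
    audit_enabled "$(modinfo)" "$(svcs auditd 2>&1)" \
                  "$(auditconfig -getcond 2>&1)"
fi
```

Requiring all three checks to pass catches the partial states, such as the service being online while the audit condition is not `auditing`, and the non-zero exit status lets a monitoring job alert on it.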

 

References

[1] http://docs.oracle.com/cd/E19253-01/816-4557/audittask-86/index.html