Prior to version 11, auditing in Solaris was not enabled by default, so enabling it requires a procedure involving a reboot. Starting with Solaris 11, auditing is enabled by default, so the procedure is simpler.

Here’s the detailed procedure for each Solaris version:


SOLARIS 11

– TO ENABLE AUDIT

Auditing in Solaris 11 is enabled by default; this command is only needed if the service has been manually disabled.

# audit -s

– TO DISABLE AUDIT

# audit -t

SOLARIS 10 AND BELOW

– TO ENABLE AUDIT:

1. Bring the system to run level 1

# /usr/sbin/init 1

2. Execute bsmconv

# /etc/security/bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? [y/n] y
bsmconv: INFO: checking startup file.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation.

The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.

3. Customise your auditing options by editing the appropriate configuration files under /etc/security

4. Reboot

# init 6

– TO DISABLE AUDIT

1. Bring the system to run level 1

# /usr/sbin/init 1

2. Execute bsmunconv

# /etc/security/bsmunconv

3. Reboot

# init 6

– TO VERIFY AUDIT IS RUNNING

Execute:

# auditconfig -getcond

and verify that "audit condition = auditing" appears in the output.
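The verification step above can be scripted for scheduled checks. This is an added example, not part of the original page: the function names and the 0/1/2 exit-code convention are assumptions of the example, and the sample outputs in the demo loop are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the original page): classify `auditconfig -getcond` output.
# Exit codes are this example's own convention: 0 = auditing, 1 = not auditing, 2 = unknown.

# Print the value from the first "audit condition = <value>" line on stdin.
# Word splitting by `read` tolerates leading and repeated whitespace.
parse_audit_cond() {
    while read w1 w2 w3 w4 rest; do
        if [ "$w1 $w2 $w3" = "audit condition =" ] && [ -n "$w4" ]; then
            echo "$w4"
            return 0
        fi
    done
    return 1
}

# Classify auditconfig output read from stdin.
audit_status() {
    cond=`parse_audit_cond` || cond=""
    case "$cond" in
        auditing) echo "OK: audit condition = auditing"; return 0 ;;
        "")       echo "UNKNOWN: no 'audit condition' line in output"; return 2 ;;
        *)        echo "ALERT: audit condition = $cond"; return 1 ;;
    esac
}

# Run the real command on a Solaris host. A missing or failing auditconfig
# is reported as UNKNOWN, never treated as "auditing".
check_host() {
    out=`auditconfig -getcond 2>&1` || { echo "UNKNOWN: auditconfig failed: $out"; return 2; }
    printf '%s\n' "$out" | audit_status
}

# Demo on constructed sample outputs (not captured from a real host).
for sample in "audit condition = auditing" "audit condition = noaudit" "auditconfig: error"; do
    printf '%s\n' "$sample" | audit_status || true
done
```

On a Solaris host, call check_host from cron or a monitoring agent and alert on any non-zero exit status.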