1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Oracle Solaris Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Solaris Secure Shell (Tasks)
20. Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Solaris Auditing (Tasks)
Configuring Audit Files (Task Map)
Configuring Audit Files (Tasks)
How to Modify the audit_control File
How to Configure syslog Audit Logs
How to Change a User's Audit Characteristics
How to Change an Audit Event's Class Membership
Configuring and Enabling the Audit Service (Task Map)
Configuring and Enabling the Audit Service (Tasks)
How to Create Partitions for Audit Files
How to Configure the audit_warn Email Alias
How to Enable the Audit Service
Configuring the Audit Service in Zones (Tasks)
How to Configure All Zones Identically for Auditing
How to Configure Per-Zone Auditing
Managing Audit Records (Task Map)
How to Display Audit Record Formats
How to Merge Audit Files From the Audit Trail
How to Select Audit Events From the Audit Trail
How to View the Contents of Binary Audit Files
How to Clean Up a not_terminated Audit File
How to Prevent Audit Trail Overflow
Troubleshooting Solaris Auditing (Tasks)
Troubleshooting Solaris Auditing (Task Map)
How to Determine That Solaris Auditing Is Running
How to Lessen the Volume of Audit Records That Are Produced
How to Audit All Commands by Users
How to Find Audit Records of Changes to Specific Files
How to Modify a User's Preselection Mask
How to Prevent the Auditing of Certain Events
How to Limit the Size of Binary Audit Files
How to Audit Logins From Other OSes
How to Audit FTP and SFTP File Transfers
After the configuration files have been set up for your site, you need to set up disk space for your audit files. You also need to set up other attributes of the audit service, and then enable the service. This section also contains procedures to refresh the audit service when you change configuration settings.
When a non-global zone is installed, you can choose to audit the zone exactly as the global zone is being audited. Alternatively, to audit the non-global zone individually, you can modify the audit configuration files in the non-global zone. To customize audit configuration files, see Configuring Audit Files (Task Map).
The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort.
This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see Chapter 11, Administering Disks (Tasks), in System Administration Guide: Devices and File Systems.
# newfs /dev/rdsk/cwtxdysz
where /dev/rdsk/cwtxdysz is the raw device name for the partition.
If the local host is to be audited, also create an audit directory of last resort for the local host.
# mkdir /var/audit/server-name.n
where server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.
Add a line to the /etc/vfstab file that resembles the following:
/dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n ufs 2 yes
If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.
# tunefs -m 0 /var/audit/server-name.n
# mount /var/audit/server-name.n
# mkdir /var/audit/server-name.n/files
# chmod -R 750 /var/audit/server-name.n/files
Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file:
share -F nfs /var/audit/server-name.n/files
If this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.
% svcs \*nfs\* disabled Nov_02 svc:/network/nfs/rquota:default offline Nov_02 svc:/network/nfs/server:default # svcadm enable network/nfs/server
% svcs \*nfs\* online Nov_02 svc:/network/nfs/client:default online Nov_02 svc:/network/nfs/server:default # svcadm restart network/nfs/server
For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf(5) man page.
Example 30-13 Creating an Audit Directory of Last Resort
All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Because this file system is only used locally, none of the steps for a file server are necessary.
# newfs /dev/rdsk/c0t2d0 # mkdir /var/audit/egret # grep egret /etc/vfstab /dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret ufs 2 yes - # tunefs -m 0 /var/audit/egret # mount /var/audit/egret # mkdir /var/audit/egret/files # chmod -R 750 /var/audit/egret/files
Example 30-14 Creating New Audit Partitions
In this example, a new file system is created on two new disks that are to be used by other systems in the network.
# newfs /dev/rdsk/c0t2d0 # newfs /dev/rdsk/c0t2d1 # mkdir /var/audit/egret.1 # mkdir /var/audit/egret.2 # grep egret /etc/vfstab /dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret.1 ufs 2 yes - /dev/dsk/c0t2d1s1 /dev/rdsk/c0t2d1s1 /var/audit/egret.2 ufs 2 yes - # tunefs -m 0 /var/audit/egret.1 # tunefs -m 0 /var/audit/egret.2 # mount /var/audit/egret.1 # mount /var/audit/egret.2 # mkdir /var/audit/egret.1/files # mkdir /var/audit/egret.2/files # chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files # grep egret /etc/dfs/dfstab share -F nfs /var/audit/egret.1/files share -F nfs /var/audit/egret.2/files # svcadm enable network/nfs/server
Example 30-15 Creating ZFS Audit Partitions
In this example, the administrator runs the script command after the ZFS audit partitions are created. The following is the output of the command:
# zpool create auditf mirror c0t4d0 c0t5d0 # zfs create -o mountpoint=/audit auditf/audit # zfs create auditf/audit/noddy # zfs create auditf/audit/noddy/files # zfs create auditf/audit/blinken # zfs create auditf/audit/blinken/files # zfs set devices=off auditf/audit # zfs set exec=off auditf/audit # zfs set setuid=off auditf/audit # zfs set sharenfs=on auditf/audit # share - /audit/blinken/files rw "" - /audit/noddy rw "" - /audit/blinken rw "" - /audit/noddy/files rw "" - /audit rw "" # ^D script done on Fri Apr 10 10:10:20 2009
The administrator then views the mounts from the remote system, remotesys.
# dfshares remotesys RESOURCE SERVER ACCESS TRANSPORT remotesys:/audit/blinken/files remotesys - - remotesys:/audit/noddy remotesys - - remotesys:/audit/blinken remotesys - - remotesys:/audit/noddy/files remotesys - - remotesys:/audit remotesys - -
Finally, the administrator mounts the /audit file system on /var/audit.
# mount remotesys:/audit /var/audit # ls /var/audit blinken noddy
The audit_warn script generates mail to an email alias that is called audit_warn. To send this mail to a valid email address, you can follow one of the options that are described in Step 2:
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Choose one of the following options:
OPTION 1 – Replace the audit_warn email alias with another email account in the audit_warn script.
Change the email alias in the following line of the script:
ADDRESS=audit_warn # standard alias for audit alerts
OPTION 2 – Redirect the audit_warn email to another mail account.
In this case, you would add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn email alias:
audit_warn: root
Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.
You can inspect and change the current audit policy options with the auditconfig command. You can also modify the policy options to the auditconfig command in the audit_startup script to make permanent audit policy changes.
To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).
Before auditing is enabled, the contents of the audit_startup file determine the audit policy:
#! /bin/sh ... /usr/bin/echo "Starting BSM services." /usr/sbin/auditconfig -setpolicy +cnt Counts rather than drops records /usr/sbin/auditconfig -conf Configures event-class mappings /usr/sbin/auditconfig -aconf Configures nonattributable events
$ auditconfig -lspolicy
Note - The perzone and ahlt policy options can be set only in the global zone.
# auditconfig -setpolicy prefixpolicy
A prefix value of + enables the policy option. A prefix value of - disables the policy option.
Selects the policy to be enabled or to be disabled.
The policy is in effect until the next boot or until the policy is modified by the auditconfig -setpolicy command.
For a description of each policy option, see Determining Audit Policy.
Example 30-16 Setting the cnt and ahlt Audit Policy Options
In this example, the cnt policy is disabled, and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full and an asynchronous event occurs. When a synchronous event occurs, the process that created the thread hangs. These settings are appropriate when security is more important than availability.
The following audit_startup entries disable the cnt policy option and enable the ahlt policy option across reboots:
# cat /etc/security/audit_startup #!/bin/sh /usr/bin/echo "Starting BSM services." /usr/sbin/deallocate -Is /usr/sbin/auditconfig -conf /usr/sbin/auditconfig -aconf /usr/sbin/auditconfig -setpolicy -cnt /usr/sbin/auditconfig -setpolicy +ahlt
Example 30-17 Setting the seq Audit Policy Temporarily
In this example, the auditd daemon is running and the ahlt audit policy has been set. The seq audit policy is added to the current policy. The seq policy adds a sequence token to every audit record. This is useful for debugging the auditing service when audit records are corrupted, or when records are being dropped.
The + prefix adds the seq option to the audit policy, rather than replaces the current audit policy with seq. The auditconfig command puts the policy in effect until the next invocation of the command, or until the next boot.
$ auditconfig -setpolicy +seq $ auditconfig -getpolicy audit policies = ahlt,seq
Example 30-18 Setting the perzone Audit Policy
In this example, the perzone audit policy is set in the audit_startup script in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone.
$ cat /etc/security/audit_startup #!/bin/sh /usr/bin/echo "Starting BSM services." /usr/sbin/deallocate -Is /usr/sbin/auditconfig -conf /usr/sbin/auditconfig -aconf /usr/sbin/auditconfig -setpolicy +perzone /usr/sbin/auditconfig -setpolicy +cnt
Example 30-19 Changing an Audit Policy
In this example, the audit daemon is running and audit policy has been set. The auditconfig command changes the ahlt and cnt policies for the duration of the session. With these settings, audit records are dropped, but counted, when the audit file system is full. For restrictions on setting the ahlt policy, see Step 3.
$ auditconfig -setpolicy +cnt $ auditconfig -setpolicy -ahlt $ auditconfig -getpolicy audit policies = cnt,seq
When the changes are put in the audit_startup file, the policies are permanently in effect:
$ cat /etc/security/audit_startup #!/bin/sh /usr/bin/echo "Starting BSM services." /usr/sbin/deallocate -Is /usr/sbin/auditconfig -conf /usr/sbin/auditconfig -aconf /usr/sbin/auditconfig -setpolicy +cnt
The -ahlt option does not have to be specified in the file, because the ahlt policy option is disabled by default. This setting is appropriate when availability is more important than the security that audit records provide.
This procedure enables the audit service for all zones. To start the audit daemon in a non-global zone, see Example 30-20.
When auditing is configured securely, the system is in single-user mode until auditing is enabled. You can also enable auditing in multiuser mode.
You should perform this procedure as superuser after completing the following tasks:
Planning – Planning Oracle Solaris Auditing (Task Map)
Customizing audit files – Configuring Audit Files (Task Map)
Setting up audit partitions – How to Create Partitions for Audit Files
Setting up audit warning messages – How to Configure the audit_warn Email Alias
Setting audit policy – How to Configure Audit Policy
Note - Host name translation must be working correctly for auditing to function. The hosts database in the naming services must be correctly configured and functioning.
For configuration of the hosts database, see the nsswitch.conf(4) and netconfig(4) man pages. For additional information, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) or the System Administration Guide: Naming and Directory Services (NIS+).
Go to the /etc/security directory, and execute the bsmconv script there.
# cd /etc/security # ./bsmconv This script is used to enable the Basic Security Module (BSM). Shall we continue with the conversion now? [y/n] y bsmconv: INFO: checking startup file. bsmconv: INFO: turning on audit module. bsmconv: INFO: initializing device allocation. The Basic Security Module is ready. If there were any errors, please fix them now. Configure BSM by editing files located in /etc/security. Reboot this system now to come up with BSM enabled.
For the effects of the script, see the bsmconv(1M) man page.
# reboot
The startup file /etc/security/audit_startup causes the auditd daemon to run automatically when the system enters multiuser mode.
Another effect of the script is to turn on device allocation. To configure device allocation, see Managing Device Allocation (Task Map).
Example 30-20 Enabling Auditing in a Non-Global Zone
In the following example, the global zone administrator turned on perzone policy after auditing was enabled in the global zone and after the non-global zone had booted. The zone administrator of the non-global zone has configured the audit files for the zone, and then starts the audit daemon in the zone.
zone1# svcadm enable svc:/system/auditd
If the audit service is no longer required at some point, this procedure returns the system to the system state before auditing was enabled. If non-global zones are being audited, their audit service is also disabled.
Caution - This command also disables device allocation. Do not run this command if you want to be able to allocate devices. To disable auditing and retain device allocation, see Example 30-21. |
% su Password: <Type root password> # init S
For more information, see the init(1M) man page.
Change to the /etc/security directory, and execute the bsmunconv script.
# cd /etc/security # ./bsmunconv
Another effect of the script is to disable device allocation.
For information on the full effect of the bsmunconv script, see the bsmconv(1M) man page.
# init 6
Example 30-21 Disabling Auditing and Keeping Device Allocation
In this example, the audit service stops collecting records, but device allocation continues to work. All values from the flags, naflags, and plugin entries in the audit_control file are removed, as are all user entries in the audit_user file.
## audit_control file flags: naflags: ## audit_user file
The auditd daemon runs, but no audit records are kept.
Example 30-22 Disabling Auditing on a Per-Zone Basis
In this example, the audit service stops running in zone1 where the audit service is disabled. Device allocation continues to work. When this command is run in the global zone, and the perzone audit policy is not set, auditing is disabled for all zones, not just the global zone.
zone1 # audit -t
This procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running.
To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map).
$ /usr/sbin/auditconfig -aconf
You can also reboot.
The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.
$ /usr/sbin/audit -s
Note - Audit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot.
The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins.
Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.
$ auditconfig -conf $ auditconfig -setumask auid classes
Is the user ID.
Are the preselected audit classes.
For an example, see How to Modify a User's Preselection Mask.
Example 30-23 Restarting the Audit Daemon
In this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.
# init S # init 6