Configuring and Enabling the Audit Service (Tasks)

After the configuration files have been set up for your site, you need to set up disk space for your audit files. You also need to set up other attributes of the audit service, and then enable the service. This section also contains procedures to refresh the audit service when you change configuration settings.

When a non-global zone is installed, you can choose to audit the zone exactly as the global zone is being audited. Alternatively, to audit the non-global zone individually, you can modify the audit configuration files in the non-global zone. To customize audit configuration files, see Configuring Audit Files (Task Map).

How to Create Partitions for Audit Files

The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Determine the amount of disk space that is required.

   Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort.

3. Create a storage pool and a mirror.

   For more information, see What Is ZFS? in Solaris ZFS Administration Guide.

   # zpool create audit-pool mirror slice1 slice2

   For example, create the auditf pool from two slices, and mirror them:

   # zpool create auditf mirror c0t4d0 c0t5d0

   If the local host is to be audited, also create an audit directory of last resort for the local host.

4. Create a mount point for the audit files.

   # zpool create -o mountpoint=/mountpoint /audit-pool/mountpoint

   For example, create the /audit mount point:

   # zfs create -o mountpoint=/audit auditf/audit

5. Create audit directories for every set of audit files that is going to be mounted.

   # zfs create auditf/audit/machine1 # zfs create auditf/audit/machine1/files # zfs create auditf/audit/machine2 # zfs create auditf/audit/machine2/files

   For example, create directories for the noddy and blinken systems:

   # zfs create auditf/audit/noddy # zfs create auditf/audit/noddy/files # zfs create auditf/audit/blinken # zfs create auditf/audit/blinken/files

6. Protect the mount points.

   The following ZFS properties are set to off:

   # zfs set devices=off auditf/audit # zfs set exec=off auditf/audit # zfs set setuid=off auditf/audit

7. On a file server, define the file systems to be made available to other hosts.

   # zfs set sharenfs=on audit-pool/mountpoint

   For example, share the audit pool directory:

   # zfs set sharenfs=on auditf/audit

   As a result of sharing the auditf/audit directory, the following directories are shared:

   /audit/noddy /audit/noddy/files /audit/blinken /audit/blinken/files

8. (Optional) Remove the minimum free space threshold on the audit pool.

   If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the audit pool.

   # tunefs -m 0 /auditf/audit

   For example, tune the audit pool directory:

   # tunefs -m 0 auditf/audit

9. On a file server, restart the NFS service.

   If this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.

   • If the NFS service is offline, enable the service.

     % svcs \*nfs\* disabled Nov_02 svc:/network/nfs/rquota:default offline Nov_02 svc:/network/nfs/server:default # svcadm enable network/nfs/server

   • If the NFS service is running, restart the service.

     % svcs \*nfs\* online Nov_02 svc:/network/nfs/client:default online Nov_02 svc:/network/nfs/server:default # svcadm restart network/nfs/server

   For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 16, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf(5) man page.

How to Configure the audit_warn Email Alias

The audit_warn script generates mail to an email alias that is called audit_warn. To send this mail to a valid email address, you can follow one of the options that are described in Step 2:

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Configure the audit_warn email alias.

   Choose one of the following options:

   • OPTION 1 – Replace the audit_warn email alias with another email account in the audit_warn script.

     Change the email alias in the following line of the script:

     ADDRESS=audit_warn # standard alias for audit alerts

   • OPTION 2 – Redirect the audit_warn email to another mail account.

     In this case, you would add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn email alias:

     audit_warn: root

How to Configure Audit Policy

Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the policies that you set by using the auditconfig -setpolicy command determine the audit policy.

You can inspect and change the current audit policy options with the auditconfig command. This command can set a temporary, or active policy. An active policy is a policy that is currently used by the kernel. This command also sets persistent policy, or configured policy. Configured policy is the policy that is restored when you restart the audit service.

1. Assume a role that includes the Audit Control profile, or become superuser.

   To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).

2. Review the audit policy.

   To view the settings, use the auditconfig -getpolicy command:

   $ auditconfig -getpolicy

3. View the available policy options.

   $ auditconfig -lspolicy

   ---

   Note –

   The perzone and ahlt policy options can be set only in the global zone.

   ---

4. Enable or disable selected audit policy options.

   # auditconfig [ -t ] -setpolicy prefixpolicy

   -t

   Optional. Creates a temporary, or active, policy. The policy setting is not restored when you restart the audit service.

   prefix

   A prefix value of + enables the policy option. A prefix value of - disables the policy option.

   policy

   Selects the policy to be enabled or to be disabled.

   A temporary (-t) policy is in effect until the the audit service is restarted, or until the policy is modified by the auditconfig -setpolicy command. Without the -t option, the policy setting persists across restarts of the audit service.

   For a description of each policy option, see Determining Audit Policy.

Example 30–13 Setting the cnt and ahlt Audit Policy Options

In this example, the cnt policy is disabled, and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full and an asynchronous event occurs. When a synchronous event occurs, the process that created the thread hangs. These settings are appropriate when security is more important than availability.

The following auditconfig policy commands disable the cnt policy option and enable the ahlt policy option:

# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt

These settings persist until you change them.

Example 30–14 Setting an Audit Policy Temporarily

In this example, the audit service is running and the ahlt audit policy is configured. The administrator adds the seq audit policy to the active policy, but does not configure the audit service to use the seq audit policy permanently. The seq policy is useful for debugging the audit service when audit records are corrupted, or when records are being dropped.

The + prefix adds the seq option to the audit policy, rather than replaces the current audit policy with seq. The -t option makes the policy active in the kernel.

$ auditconfig -setpolicy none
$ auditconfig -getpolicy
  configured audit policies = none
  active audit policies = none
$ auditconfig -setpolicy ahlt
$ auditconfig -getpolicy
  configured audit policies = ahlt
  active audit policies = ahlt
$ auditconfig -t -setpolicy +seq
  configured audit policies = ahlt,seq
  active audit policies = ahlt,seq

The administrator unsets the seq policy when the debugging is completed:

$ auditconfig -setpolicy -seq
$ auditconfig -getpolicy
  configured audit policies = ahlt
  active audit policies = ahlt

Example 30–15 Setting the perzone Audit Policy

In this example, the perzone audit policy is set in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone. The perzone policy setting is stored as a property of the audit service, so it is in effect during the session and when the audit service is restarted.

$ auditconfig -setpolicy none
$ auditconfig -getpolicy
  configured audit policies = none
  active audit policies = none
$ auditconfig -setpolicy +perzone
$ auditconfig -getpolicy
  configured audit policies = perzone
  active audit policies = perzone

How to Configure Audit Queue Parameters

The audit service provides default values for audit queue parameters. You can inspect and set these values with the auditconfig command.

The auditconfig command can set a temporary, or active, value. This value is used by the kernel, but it is not set as a property of the audit service. This command also sets persistent, or configured, values. Configured values are the values that are restored when you restart the audit service.

1. Assume a role that includes the Audit Control profile, or become superuser.

   To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).

2. Review the audit queue parameter values.

   To view the values, use the auditconfig -getqctrl command.

   $ auditconfig -getqctrl no configured audit queue lowater mark no configured ...

   The string no configured indicates that the system is using the default settings. For a description of the audit queue parameters, see the auditconfig(1M) man page.

3. Modify selected audit queue parameters.

   • To modify all audit queue parameters, use the -setqctrl option.

     # auditconfig [ -t ]-setqctrl hiwater lowater bufsz interval

   • To modify a specific audit queue parameter, use the specific option, one of -setqbufsz, -setqdelay, -setqlowater, and -setqhiwater.

     # auditconfig [ -t ]-setq* value

   -t

   Optional. Sets a temporary, or active, value. This value is not set as a property value of the audit service.

   hiwater ...

   Are audit queue parameters.

   value

   Is a value for the audit queue parameter.

   A temporary (-t) or active value is in effect until the audit service is restarted, or until the value is modified by the auditconfig [-t] -setq* command. Without the -t option, the queue parameter value is stored as a property value of the audit service.

Example 30–16 Configuring Audit Queue Parameters

In this example, the administrator configures the audit queue's write buffer size and wakeup interval. The administrator tunes these parameters differently in the active configuration by using the -t option.

# auditconfig -getqctrl
  no configured audit queue hiwater mark
  no configured audit queue lowater mark
  no configured audit queue buffer size
  no configured audit queue delay
  active audit queue hiwater mark (records) = 110
  active audit queue lowater mark (records) = 30
  active audit queue buffer size (bytes) = 8192
  active audit queue delay (ticks) = 20
# auditconfig -setqbufsz 8192
# auditconfig -setqdelay 20
# auditconfig -t -setqbufsz 12288
# auditconfig -t -setqdelay 25
# auditconfig -getqctrl
  no configured audit queue lowater mark
  no configured audit queue hiwater mark
  configured audit queue buffer size (bytes) = 8192
  configured audit queue delay (ticks) = 20
  active audit queue hiwater mark (records) = 100
  active audit queue lowater mark (records) = 10
  active audit queue buffer size (bytes) = 12288
  active audit queue delay (ticks) = 25

The administrator resets the parameters to their default values by setting them to zero.

auditconfig -setqbufsz 0
  auditon(2) failed.
  error: Invalid argument(22)
# auditconfig -setqdelay 0
  auditon(2) failed.
  error: Invalid argument(22)
# auditconfig -getqctrl
  no configured audit queue hiwater mark
  no configured audit queue lowater mark
  no configured audit queue buffer size
  no configured audit queue delay
  active audit queue hiwater mark (records) = 110
  active audit queue lowater mark (records) = 30
  active audit queue buffer size (bytes) = 12288
  active audit queue delay (ticks) = 25

How to Enable the Audit Service

This procedure enables the audit service for all zones. To start the audit daemon in a non-global zone, see Example 30–17.

When auditing is configured securely, the system is in single-user mode until auditing is enabled. You can also enable auditing in multiuser mode.

Before You Begin

You should perform this procedure as superuser after completing the following tasks:

• Planning – Planning Solaris Auditing (Task Map)

• Customizing audit files – Configuring Audit Files (Task Map)

• Setting up audit partitions – How to Create Partitions for Audit Files

• Setting up audit warning messages – How to Configure the audit_warn Email Alias

• Setting audit policy – How to Configure Audit Policy

1. Run the script that enables the audit service.

   Go to the /etc/security directory, and execute the bsmconv script there.

   # cd /etc/security # ./bsmconv This script is used to enable the Basic Security Module (BSM). Shall we continue with the conversion now? [y/n] y bsmconv: INFO: checking startup file. bsmconv: INFO: turning on audit module. bsmconv: INFO: initializing device allocation. The Basic Security Module is ready. If there were any errors, please fix them now. Configure BSM by editing files located in /etc/security. Reboot this system now to come up with BSM enabled.

   For the effects of the script, see the bsmconv(1M) man page.

2. Reboot the system.

   # reboot

   The auditd daemon starts the audit service when the system enters multiuser mode. The FMRI for the audit service is svc:/system/auditd:default.

   Another effect of the script is to turn on device allocation. To configure device allocation, see Managing Device Allocation (Task Map).

Example 30–17 Enabling Auditing in a Non-Global Zone

In the following example, the global zone administrator turned on perzone policy after auditing was enabled in the global zone and after the non-global zone had booted. The zone administrator of the non-global zone has configured the audit files for the zone, and then starts the audit daemon in the zone.

zone1# svcadm enable svc:/system/auditd

How to Disable the Audit Service

If the audit service is no longer required at some point, this procedure returns the system to the system state before auditing was enabled. If non-global zones are being audited, their audit service is also disabled.

This command also disables device allocation. Do not run this command if you want to be able to allocate devices. To disable auditing and retain device allocation, see Example 30–18.

1. Become superuser and bring the system into single-user mode.

   % su Password: <Type root password> # init S

   For more information, see the init(1M) man page.

2. Run the script to disable auditing.

   Change to the /etc/security directory, and execute the bsmunconv script.

   # cd /etc/security # ./bsmunconv

   Another effect of the script is to disable device allocation.

   For information on the full effect of the bsmunconv script, see the bsmconv(1M) man page.

3. Bring the system into multiuser mode.

   # init 6

Example 30–18 Disabling Auditing and Keeping Device Allocation

In this example, the audit service stops collecting records, but device allocation continues to work. All values from the flags, naflags, and plugin entries in the audit_control file are removed, as are all user entries in the audit_user file.

## audit_control file
flags:
naflags:

## audit_user file

The auditd daemon runs, but no audit records are kept.

Example 30–19 Disabling Auditing on a Per-Zone Basis

In this example, the audit service stops running in zone1 where the audit service is disabled. Device allocation continues to work. When this command is run in the global zone, and the perzone audit policy is not set, auditing is disabled for all zones, not just the global zone.

zone1 # audit -t

How to Update the Audit Service

This procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running.

1. Assume a role that includes the Audit Control rights profile, or become superuser.

   To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map).

2. Choose the appropriate command.

   • If you modify the naflags line in the audit_control file, change the kernel mask for nonattributable events.

     $ /usr/sbin/auditconfig -aconf

     You can also reboot.

   • If you modify other lines in the audit_control file, reread the audit_control file.

     The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.

     $ /usr/sbin/audit -s

     ---

     Note –

     Audit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot.

     ---

     The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins.

   • If you modify the audit_event file or the audit_class file while the audit daemon is running, refresh the audit service.

     Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.

     $ auditconfig -conf $ auditconfig -setumask auid classes

     auid

     Is the user ID.

     classes

     Are the preselected audit classes.

     For an example, see How to Modify a User's Preselection Mask.

Example 30–20 Restarting the Audit Daemon

In this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.

# init S
# init 6