The following procedures describe how to set up auditing for one or more systems.
During installation, the install team creates dedicated audit partition(s) when formatting the disks.
Use the naming convention /etc/security/audit/sytem_name(.n)
A diskfull computer should have at least one local audit directory, which it can use as a directory of last resort, if unable to communicate with the audit server.
See Audit Storage for an explanation of the naming convention.
On an audit file server, most partitions hold audit files, as is shown in the following example of the egret audit file server:
Disk |
Slice |
Mount point |
Size |
---|---|---|---|
c0t2d0 |
s0 |
/etc/security/audit/egret |
1.0 GB |
|
s1 |
/etc/security/audit/egret.1 |
.98 GB |
|
s2 |
entire disk |
1.98 GB |
c0t2d1 |
s0 |
/etc/security/audit/egret.2 |
502 MB |
|
s1 |
/etc/security/audit/egret.3 |
500 MB |
|
s2 |
entire disk |
1002 MB |
Another disk holds egret's / (root) and /swap partitions.
On a diskfull computer, including the audit administration server, at least one partition should be dedicated to local audit files, as is shown in the following example of the system willet:
Disk |
Slice |
Mount point |
Size (MB) |
---|---|---|---|
c0t3d0 |
s0 |
/ |
70 |
|
s1 |
swap |
180 |
|
s2 |
entire disk |
1002 |
|
s3 |
/usr |
350 |
|
s4 |
/etc/security/audit/willet |
202 |
|
s7 |
/export/home |
200 |
A rule of thumb is to assign 200 MB of space for each system. However, the disk space requirements at your site will be based on how much auditing you perform and may be far greater than this figure.
Fewer and large partitions are more efficient than more and smaller ones.
To add a disk to hold audit partitions after installing the system, see the Solaris 8 System Administration Guide, Volume II. To protect the disks with Trusted Solaris security attributes, see Trusted Solaris Administrator's Procedures.
Most commands for setting up auditing require the use of a profile shell, where commands can run with privilege. Auditing also requires the use of actions in the System_Admin folder and the Solaris Management Console action in the Application Manager.
Log in to the computer as yourself.
Enter your user name and press the Return key.
If the system is protected against anyone logging in, the Enable Logins dialog is displayed.
If you are authorized to enable logins, click the Yes button after Login:.
If you are not authorized to enable logins, ask the administrator to enable logins.
Enter your password and click OK.
You are presented with the message of the day and a label builder screen. In a single-label system, the screen describes your session label. In a multilabel system, it presents you with a label builder to choose your session clearance.
Accept the default unless you have a reason not to.
Press the Return key or click the OK button and be logged in.
Assume an administrative role that you have been assigned.
As role admin, at label admin_low
, unmount the audit partitions from the system by running the umount(1M)
command in a profile shell.
For example, on the audit file server egret:
egret$ umount /etc/security/audit/egret egret$ umount /etc/security/audit/egret.1 egret$ umount /etc/security/audit/egret.2 egret$ umount /etc/security/audit/egret.3 |
Reduce reserved filesystem space on each partition to 0% with the command tunefs -m 0.
The security administrator sets the reserved filesystem space (called the minfree limit) in the audit_control(4) file.
For example, on the audit file server egret:
egret$ tunefs -m 0 /etc/security/audit/egret egret$ tunefs -m 0 /etc/security/audit/egret.1 egret$ tunefs -m 0 /etc/security/audit/egret.2 egret$ tunefs -m 0 /etc/security/audit/egret.3 |
Similarly, on the system willet:
willet$ umount /etc/security/audit/willet willet$ tunefs -m 0 /etc/security/audit/willet |
See the tunefs(1M) man page for more information on the advantages and disadvantages of tuning a file system.
As role secadmin, at label admin_low
, set the appropriate file permissions on every audit file system while the file system is unmounted.
For example, on the audit file server egret:
egret$ chmod -R 750 /etc/security/audit/egret egret$ chmod -R 750 /etc/security/audit/egret.1 egret$ chmod -R 750 /etc/security/audit/egret.2 egret$ chmod -R 750 /etc/security/audit/egret.3 |
On the system willet:
willet$ chmod -R 750 /etc/security/audit/willet |
As role secadmin, at label admin_high
, set any Trusted Solaris security attribute defaults required by your site security policy on every audit file system while the file system is unmounted.
To run the command at the label admin_high
, you must create an admin_high
workspace. Follow the procedure in To Create an Admin_High Workspace.
For example, the following command on the audit file server egret should be repeated for all of its audit partitions:
egret$ setfsattr -s “[admin_high]” /etc/security/audit/egret |
On the system willet:
willet$ setfsattr -s “[admin_high]” /etc/security/audit/willet |
The -s option sets the partition's default sensitivity label for the audit files. See the setfsattr(1M) man page for more information.
The local audit file systems must already be in the host's /etc/vfstab file.
As admin, at label admin_high
, remount the local audit file systems.
Follow the procedure in To Create an Admin_High Workspace to get an admin_high
process.
For example, on the audit file server egret:
egret$ mount /etc/security/audit/egret egret$ mount /etc/security/audit/egret.1 egret$ mount /etc/security/audit/egret.2 egret$ mount /etc/security/audit/egret.3 |
Similarly, on the system willet:
willet$ mount /etc/security/audit/willet |
Create a directory named files at the top of each mounted audit partition.
For example, on the audit file server egret:
egret$ mkdir /etc/security/audit/egret/files egret$ mkdir /etc/security/audit/egret.1/files egret$ mkdir /etc/security/audit/egret.2/files egret$ mkdir /etc/security/audit/egret.3/files |
On the system willet:
willet$ mkdir /etc/security/audit/willet/files |
In the role admin at label admin_low
, open the Trusted Solaris Management Console, Scope=files toolbox.
Navigate to the Storage node, then the Mounts and Shares tool, and double-click the Shares tool.
Enter every local audit file system in the local host's dfstab(4) file.
Follow the online help to share the /etc/security/audit/hostname directory.
For example, the audit file server egret has the following entries:
share -F nfs -o ro -d "local audit files" /etc/security/audit/egret share -F nfs -o rw=willet:audubon -d "audit files" /etc/security/audit/egret.1 share -F nfs -o rw=grebe:audubon -d "audit files" /etc/security/audit/egret.2 share -F nfs -o rw=sora:audubon -d "audit files" /etc/security/audit/egret.3
The system willet has the following entry:
share -F nfs -o ro -d "local audit files" /etc/security/audit/willet
As role admin at label admin_low
, on audubon, the audit administration server, create a mount point for every audit directory in the Trusted Solaris network.
For example, on the audit administration server audubon:
audubon$ mkdir /etc/security/audit/willet audubon$ mkdir /etc/security/audit/egret audubon$ mkdir /etc/security/audit/egret.1 … |
As role admin, at label admin_low
, enter every audit partition on the network in the audit administration server's vfstab(4) file.
Mount audit directories with the read-write (rw) option. Mount remote partitions using the soft option.
Click the Application Manager, double-click the System_Admin folder, and double-click the Set Mount Points action.
Enter the mount points in the vfstab(4) file.
The following shows part of the vfstab file on audubon:
# egret is the main audit file server egret:/etc/security/audit/egret - /etc/security/audit/egret nfs - yes bg,soft,nopriv egret:/etc/security/audit/egret.1 - /etc/security/audit/egret.1 nfs - yes bg,soft,nopriv egret:/etc/security/audit/egret.2 - /etc/security/audit/egret.2 nfs - yes bg,soft,nopriv egret:/etc/security/audit/egret.3 - /etc/security/audit/egret.3 nfs - yes bg,soft,nopriv willet:/etc/security/audit/willet - /etc/security/audit/willet nfs - yes bg,soft,nopriv …
On each system, create the mount points for the remote audit file servers' partitions that are used by the system, and enter them in the vfstab(4)
file. Do this as role admin, at label admin_low
.
For example, to create the mount points on the system willet:
willet$ mkdir /etc/security/audit/egret willet$ mkdir /etc/security/audit/audubon.2 |
Click the Application Manager, double-click the System_Admin folder, and double-click the Set Mount Points action.
Enter the mount points in the vfstab(4) file.
The following shows part of the vfstab file on willet:
# egret is the main audit file server egret:/etc/security/audit/egret - /etc/security/audit/egret nfs - yes bg,soft,nopriv # audubon is the audit administration server audubon:/etc/security/audit/audubon.2 - /etc/security/audit/audubon.2 nfs - yes nopriv
As role secadmin, at label admin_low
, enter reserve free space in the audit_control(4) file.
Enter a value between 10 and 20 on the minfree: line.
dir:/var/audit flags: minfree:20 naflags:
Write the file and quit the editor.
As role secadmin, at label admin_low
, enter audit storage locations in the audit_control file.
On the first system installed, enter its local audit file system as the value of the dir: line.
The following shows the audit_control file for grebe, the NIS+ root master.
dir:/etc/security/audit/grebe/files flags: minfree:20 naflags:
When the audit file servers have been installed and configured, add their (mounted) filesystem names plus their top-level directory, files to the dir: entry.
The mounted file systems are listed before the system's local file system, as in:
dir:/etc/security/audit/egret/files dir:/etc/security/audit/egret.1/files dir:/etc/security/audit/grebe/files flags: minfree:20 naflags:
Write the file and exit the editor.
As role secadmin in an admin_high
profile shell, execute the audit -s command to have the audit daemon re-read the audit_control file and write audit records to the designated directory.:
$ audit -s |
By default, the audit records have been stored in /var/audit. The audit records will now be stored in the first directory in the audit_control file.
As role secadmin, at label admin_low
, enter system-wide audit flags in the audit_control(4)
file.
Enter the na class in the naflags: line if your site is auditing non-attributable events.
dir:/etc/security/audit/egret/files dir:/etc/security/audit/egret.1/files dir:/etc/security/audit/grebe/files flags: minfree:20 naflags:na
Enter other classes in the flags: line if your system is auditing user-level events.
dir:/etc/security/audit/egret/files dir:/etc/security/audit/egret.1/files dir:/etc/security/audit/grebe/files flags:lo,ad,-all,^-fc minfree:20 naflags:na
See Sample audit_control File for an explanation of the syntax of the audit flags' fields.
Write the file and exit the editor.
On a distributed system, the audit flags in the audit_control file must be identical on every host on the network. See To Distribute Audit Configuration Files for a process to distribute master copies of files to all hosts on the network.
The security administrator at label admin_low
, enters user exceptions to system-wide audit flags in the user's Audit tab.
In the the role secadmin, launch the Solaris Management Console from the Application Manager and choose the toolbox appropriate for your site.
Under the User Accounts node, select a user.
In the user's Audit tab, enter the user exceptions, write the file, and exit the editor.
Follow the online help for assistance. The following example shows the format of the audit_user file.
For example, the following audit_user entry audits the role root for logins and logouts, and never audits the fc class, even if it is being audited for the system. The jane entry audits her for all flags specified in the audit_control file except for successful file_read events. Null events, no, are never audited.
# User Level Audit User File # # File Format # # username:always:never # root:lo:no,fc jane:all,^+fr:no
As role admin, at label admin_low
, create a mail alias to warn of audit trouble.
If you are running a name service, on the master server of the name service, launch the Solaris Management Console from the Application Manager.
Choose the toolbox that your site uses for administration, and select the Users node.
Double-click the Mailing Lists node.
From the Action menu, choose Add mailing list.
Create an alias called audit_warn for notifying its members of audit trouble.
For example, this audit_warn alias emails the security administrator and the system administrator when the auditing subsystem needs attention.
Mailing List Name: audit_warn Mailing List Recipients: secadmin@grebe,admin@grebe
As role secadmin, at label admin_low
, enter permanent audit policy in the audit_startup(1M)
file.
Create a script that calls the auditconfig(1M) command with policy options.
The sample audit_startup(1M) script below adds ACLs to audit records, halts the computer when its audit file systems are full, and at startup, prints the current audit policy to standard i/o.
#!/bin/sh auditconfig -setpolicy +slabel,+acl auditconfig -setpolicy +ahlt auditconfig -getpolicy
Write the file and exit the editor
To run auditing in an evaluated configuration, the cnt policy cannot be turned on; the ahlt policy (the default) cannot be turned off.
In the Trusted Solaris 8 4/01 release, the audit_user file can be a NIS map or a NIS+ table, and does not need to be copied to each host. Sites that do not use a name service will want the same audit_user file on every system. If the site modifies the file on any system, it should be copied to all hosts.
During installation, as root, at label admin_low
, create a directory on the first installed workstation to hold copies of the audit configuration files customized for your site.
For example, on grebe, the first host in a network:
# mkdir /export/home/tmp |
Copy the modified files from the /etc/security directory to the /export/home/tmp directory.
# cp /etc/security/audit_control /export/home/tmp/audit_control # cp /etc/security/audit_warn /export/home/tmp/audit_warn # cp /etc/security/audit_startup /export/home/tmp/audit_startup # cp /etc/security/audit_event /export/home/tmp/audit_event |
The directory would include your customized versions of audit_control, audit_startup, and audit_warn. If you have modified event-to-class mappings, it would include audit_event; if you have created new audit classes, it would include audit_class. It would not include audit_data.
Allocate the tape or diskette device.
Follow the procedure in To Allocate and Deallocate Devices.
Run the tar(1) command to copy the contents of the /export/home/tmp directory to a tape or diskette.
To copy to tape:
# cd /export/home/tmp # tar cv audit_control audit_warn audit_startup audit_event |
To copy to diskette:
# cd /export/home/tmp # tar cvf /dev/diskette \ audit_control audit_warn audit_startup audit_event |
Deallocate the tape or diskette device and follow the instructions.
Follow the procedure in To Deallocate a Device.
As root, at label admin_low
, as each new host is configured, copy the files from the tape or diskette to the correct directory on the new system.
Prepare the directory for the new files.
# cd /etc/security # mv audit_control audit_control.orig # mv audit_startup audit_startup.orig # mv audit_warn audit_warn.orig # mv audit_event audit_event.orig |
Allocate the appropriate device at the label admin_low
.
Follow the procedure in To Allocate and Deallocate Devices.
To copy from tape:
# tar xv audit_control audit_warn audit_startup audit_event |
To copy from diskette:
# tar xvf /dev/diskette \ audit_control audit_warn audit_startup audit_event |
Deallocate the device.
Follow the procedure in To Deallocate a Device.
As role admin, at label admin_low
, modify the audit_control file on each new system with that system's remote and local audit file systems.
The Device Manager allocates and deallocates devices.
In an administrative role workspace at the label required, click the left mouse button on the triangle above the Style Manager icon on the Front Panel.
The Tools subpanel is displayed.
Double-click the device to be allocated.
mag_tape_0 allocates a tape device. floppy_0 allocates a diskette.
Click OK in the label builder that appears.
The file you load will be labeled admin_low
.
Go to the workspace where the Device Manager was allocated.
Double-click the device to deallocate it.
A window appears listing devices being deallocated.
When prompted, remove the tape or diskette from the drive and label it appropriately.
Click the top left button and select Close to close the Device Allocation Manager window.