System Administration Guide: Security Services

Configuring and Enabling the Audit Service (Tasks)

After the configuration files have been set up for your site, you need to set up disk space for your audit files. You also need to set up other attributes of the audit service, and then enable the service. This section also contains procedures to refresh the audit service when you change configuration settings.

When a non-global zone is installed, you can choose to audit the zone exactly as the global zone is being audited. Alternatively, to audit the non-global zone individually, you can modify the audit configuration files in the non-global zone. To customize audit configuration files, see Configuring Audit Files (Task Map).

ProcedureHow to Create Partitions for Audit Files

The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort.

  3. Create dedicated audit partitions, as needed.

    This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see Chapter 11, Administering Disks (Tasks), in System Administration Guide: Devices and File Systems.

    # newfs /dev/rdsk/cwtxdysz

    where /dev/rdsk/cwtxdysz is the raw device name for the partition.

    If the local host is to be audited, also create an audit directory of last resort for the local host.

  4. Create mount points for each new partition.

    # mkdir /var/audit/server-name.n

    where server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.

  5. Add entries to automatically mount the new partitions.

    Add a line to the /etc/vfstab file that resembles the following:

    /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes
  6. (Optional) Remove the minimum free space threshold on each partition.

    If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.

    # tunefs -m 0 /var/audit/server-name.n
  7. Mount the new audit partitions.

    # mount /var/audit/server-name.n
  8. Create audit directories on the new partitions.

    # mkdir /var/audit/server-name.n/files
  9. Correct the permissions on the mount points and new directories.

    # chmod -R 750 /var/audit/server-name.n/files
  10. On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file:

    share -F nfs /var/audit/server-name.n/files
  11. On a file server, restart the NFS service.

    If this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.

    • If the NFS service is offline, enable the service.

      % svcs \*nfs\*
      disabled       Nov_02   svc:/network/nfs/rquota:default
      offline        Nov_02   svc:/network/nfs/server:default
      # svcadm enable network/nfs/server
    • If the NFS service is running, restart the service.

      % svcs \*nfs\*
      online         Nov_02   svc:/network/nfs/client:default
      online         Nov_02   svc:/network/nfs/server:default
      # svcadm restart network/nfs/server

    For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf(5) man page.

Example 30–13 Creating an Audit Directory of Last Resort

All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Because this file system is only used locally, none of the steps for a file server are necessary.

# newfs /dev/rdsk/c0t2d0
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret ufs  2  yes  -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files

Example 30–14 Creating New Audit Partitions

In this example, a new file system is created on two new disks that are to be used by other systems in the network.

# newfs /dev/rdsk/c0t2d0
# newfs /dev/rdsk/c0t2d1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2  yes  -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2  yes  -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
 share -F nfs /var/audit/egret.1/files
 share -F nfs /var/audit/egret.2/files
# svcadm enable network/nfs/server

Example 30–15 Creating ZFS Audit Partitions

In this example, the administrator runs the script command after the ZFS audit partitions are created. The following is the output of the command:

# zpool create auditf mirror c0t4d0 c0t5d0
# zfs create -o mountpoint=/audit auditf/audit
# zfs create auditf/audit/noddy
# zfs create auditf/audit/noddy/files
# zfs create auditf/audit/blinken
# zfs create auditf/audit/blinken/files
# zfs set devices=off auditf/audit
# zfs set exec=off auditf/audit
# zfs set setuid=off auditf/audit
# zfs set sharenfs=on auditf/audit
# share
-               /audit/blinken/files   rw   ""
-               /audit/noddy   rw   ""
-               /audit/blinken   rw   ""
-               /audit/noddy/files   rw   ""
-               /audit   rw   ""
# ^D
script done on Fri Apr 10 10:10:20 2009

The administrator then views the mounts from the remote system, remotesys.

# dfshares remotesys
RESOURCE                             SERVER ACCESS    TRANSPORT
remotesys:/audit/blinken/files       remotesys  -         -
remotesys:/audit/noddy               remotesys  -         -
remotesys:/audit/blinken             remotesys  -         -
remotesys:/audit/noddy/files         remotesys  -         -
remotesys:/audit                     remotesys  -         -

Finally, the administrator mounts the /audit file system on /var/audit.

# mount remotesys:/audit /var/audit
# ls /var/audit
blinken  noddy 

ProcedureHow to Configure the audit_warn Email Alias

The audit_warn script generates mail to an email alias that is called audit_warn. To send this mail to a valid email address, you can follow one of the options that are described in Step 2:

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Configure the audit_warn email alias.

    Choose one of the following options:

    • OPTION 1 – Replace the audit_warn email alias with another email account in the audit_warn script.

      Change the email alias in the following line of the script:

      ADDRESS=audit_warn            # standard alias for audit alerts
    • OPTION 2 – Redirect the audit_warn email to another mail account.

      In this case, you would add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn email alias:

      audit_warn: root

ProcedureHow to Configure Audit Policy

Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.

You can inspect and change the current audit policy options with the auditconfig command. You can also modify the policy options to the auditconfig command in the audit_startup script to make permanent audit policy changes.

  1. Assume a role that includes the Audit Control profile, or become superuser.

    To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).

  2. Review the audit policy.

    Before auditing is enabled, the contents of the audit_startup file determine the audit policy:

    #! /bin/sh
    /usr/bin/echo "Starting BSM services."
    /usr/sbin/auditconfig -setpolicy +cnt Counts rather than drops records
    /usr/sbin/auditconfig -conf  Configures event-class mappings
    /usr/sbin/auditconfig -aconf Configures nonattributable events
  3. View the available policy options.

    $ auditconfig -lspolicy

    Note –

    The perzone and ahlt policy options can be set only in the global zone.

  4. Enable or disable selected audit policy options.

    # auditconfig -setpolicy prefixpolicy

    A prefix value of + enables the policy option. A prefix value of - disables the policy option.


    Selects the policy to be enabled or to be disabled.

    The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.

    For a description of each policy option, see Determining Audit Policy.

Example 30–16 Setting the cnt and ahlt Audit Policy Options

In this example, the cnt policy is disabled, and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full and an asynchronous event occurs. When a synchronous event occurs, the process that created the thread hangs. These settings are appropriate when security is more important than availability.

The following audit_startup entries disable the cnt policy option and enable the ahlt policy option across reboots:

# cat /etc/security/audit_startup
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy -cnt	
/usr/sbin/auditconfig -setpolicy +ahlt

Example 30–17 Setting the seq Audit Policy Temporarily

In this example, the auditd daemon is running and the ahlt audit policy has been set. The seq audit policy is added to the current policy. The seq policy adds a sequence token to every audit record. This is useful for debugging the auditing service when audit records are corrupted, or when records are being dropped.

The + prefix adds the seq option to the audit policy, rather than replaces the current audit policy with seq. The auditconfig command puts the policy in effect until the next invocation of the command, or until the next boot.

$ auditconfig -setpolicy +seq
$ auditconfig -getpolicy
audit policies = ahlt,seq	

Example 30–18 Setting the perzone Audit Policy

In this example, the perzone audit policy is set in the audit_startup script in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone.

$ cat /etc/security/audit_startup
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +perzone
/usr/sbin/auditconfig -setpolicy +cnt

Example 30–19 Changing an Audit Policy

In this example, the audit daemon is running and audit policy has been set. The auditconfig command changes the ahlt and cnt policies for the duration of the session. With these settings, audit records are dropped, but counted, when the audit file system is full. For restrictions on setting the ahlt policy, see Step 3.

$ auditconfig -setpolicy +cnt
$ auditconfig -setpolicy -ahlt
$ auditconfig -getpolicy
audit policies = cnt,seq

When the changes are put in the audit_startup file, the policies are permanently in effect:

$ cat /etc/security/audit_startup
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +cnt

The -ahlt option does not have to be specified in the file, because the ahlt policy option is disabled by default. This setting is appropriate when availability is more important than the security that audit records provide.

ProcedureHow to Enable the Audit Service

This procedure enables the audit service for all zones. To start the audit daemon in a non-global zone, see Example 30–20.

When auditing is configured securely, the system is in single-user mode until auditing is enabled. You can also enable auditing in multiuser mode.

Before You Begin

You should perform this procedure as superuser after completing the following tasks:

Note –

Host name translation must be working correctly for auditing to function. The hosts database in the naming services must be correctly configured and functioning.

For configuration of the hosts database, see the nsswitch.conf(4) and netconfig(4) man pages. For additional information, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) or the System Administration Guide: Naming and Directory Services (NIS+).

  1. Run the script that enables the audit service.

    Go to the /etc/security directory, and execute the bsmconv script there.

    # cd /etc/security
    # ./bsmconv
    This script is used to enable the Basic Security Module (BSM).
    Shall we continue with the conversion now? [y/n] y
    bsmconv: INFO: checking startup file.
    bsmconv: INFO: turning on audit module.
    bsmconv: INFO: initializing device allocation.
    The Basic Security Module is ready.
    If there were any errors, please fix them now.
    Configure BSM by editing files located in /etc/security.
    Reboot this system now to come up with BSM enabled.

    For the effects of the script, see the bsmconv(1M) man page.

  2. Reboot the system.

    # reboot

    The startup file /etc/security/audit_startup causes the auditd daemon to run automatically when the system enters multiuser mode.

    Another effect of the script is to turn on device allocation. To configure device allocation, see Managing Device Allocation (Task Map).

Example 30–20 Enabling Auditing in a Non-Global Zone

In the following example, the global zone administrator turned on perzone policy after auditing was enabled in the global zone and after the non-global zone had booted. The zone administrator of the non-global zone has configured the audit files for the zone, and then starts the audit daemon in the zone.

zone1# svcadm enable svc:/system/auditd

ProcedureHow to Disable the Audit Service

If the audit service is no longer required at some point, this procedure returns the system to the system state before auditing was enabled. If non-global zones are being audited, their audit service is also disabled.

Caution – Caution –

This command also disables device allocation. Do not run this command if you want to be able to allocate devices. To disable auditing and retain device allocation, see Example 30–21.

  1. Become superuser and bring the system into single-user mode.

    % su
    Password: <Type root password>
    # init S

    For more information, see the init(1M) man page.

  2. Run the script to disable auditing.

    Change to the /etc/security directory, and execute the bsmunconv script.

    # cd /etc/security
    # ./bsmunconv

    Another effect of the script is to disable device allocation.

    For information on the full effect of the bsmunconv script, see the bsmconv(1M) man page.

  3. Bring the system into multiuser mode.

    # init 6

Example 30–21 Disabling Auditing and Keeping Device Allocation

In this example, the audit service stops collecting records, but device allocation continues to work. All values from the flags, naflags, and plugin entries in the audit_control file are removed, as are all user entries in the audit_user file.

## audit_control file

## audit_user file

The auditd daemon runs, but no audit records are kept.

Example 30–22 Disabling Auditing on a Per-Zone Basis

In this example, the audit service stops running in zone1 where the audit service is disabled. Device allocation continues to work. When this command is run in the global zone, and the perzone audit policy is not set, auditing is disabled for all zones, not just the global zone.

zone1 # audit -t

ProcedureHow to Update the Audit Service

This procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running.

  1. Assume a role that includes the Audit Control rights profile, or become superuser.

    To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map).

  2. Choose the appropriate command.

    • If you modify the naflags line in the audit_control file, change the kernel mask for nonattributable events.

      $ /usr/sbin/auditconfig -aconf

      You can also reboot.

    • If you modify other lines in the audit_control file, reread the audit_control file.

      The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.

      $ /usr/sbin/audit -s

      Note –

      Audit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot.

      The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins.

    • If you modify the audit_event file or the audit_class file while the audit daemon is running, refresh the audit service.

      Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.

      $ auditconfig -conf
      $ auditconfig -setumask auid classes

      Is the user ID.


      Are the preselected audit classes.

      For an example, see How to Modify a User's Preselection Mask.

    • To change audit policy on a running system, see Example 30–17.

Example 30–23 Restarting the Audit Daemon

In this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.

# init S
# init 6