Audit Configuration

C H A P T E R 6

Audit Configuration

Entry-level servers can have a single domain, while midrange and high-end servers can run one or multiple domains. Those domains must be as secure as if they were running on physically separate servers. To help ensure that level of security, XSCF firmware provides the audit measures described in this chapter.

This chapter contains these sections:

About Auditing

XSCF Shell Procedures for Auditing

Related Information

About Auditing

The server logs all Service Processor events that could be relevant to security, such as system startup and shutdown, user login and logout, and privilege changes.

An audit record contains information about a single event, what caused it, the time it occurred, and other relevant information. A collection of audit records that are linked is called an audit trail. An audit trail can reveal suspicious or abnormal patterns of system behavior, in addition to identifying which user was responsible for a particular event.

Auditing is implemented through:

Audit Records

Audit Events

Audit Classes

Audit Policy

Audit File Tools

Audit Records

Audit records are stored in audit files on a 4-megabyte file system on the Service Processor. You cannot change the size reserved for the audit files, but you can transfer the files manually to remote storage at any time. You can also configure auditing for automatic transfers.

Audit files are stored in binary format, although you can export them to XML.

The audit file system switches storage between two partitions. Audit records are stored in one partition until it becomes full, then new records are stored in the other partition. Records in a full partition can be moved to a remote location, according to the audit policy.

If audit policy or network problems impede remote storage, the system generates an alarm. You can clear space by manually transferring the files to remote storage or by deleting them. Until you clear space, new records are dropped.

Because local space is limited to 4 megabytes, the partitions fill up quickly. If you do not configure audit policy to automatically transfer files to remote storage, you will have to intervene frequently or begin to drop records. If you are unable to maintain consistent audit trails, the utility of the audit system is limited. Typically, you either set up sufficient remote space and automatic transfers or disable the audit capability.

Audit Events

Audit events are:

Changes to the Service Processor configuration, for example, an IP address change

Any request to perform an operation on an object protected by the access control policy

All use of authentication

Tests of password strength, for example, tests done by the password command to check whether a password contains enough non alphabetical characters

Modifications to the access control attributes associated with an object, for example, changes to controls on which domains a board might be in

Changes made to user security attributes, for example, password or privileges

Reading information from the audit records (including unsuccessful attempts)

Modifications to the audit policy

Actions taken due to the exceeding of a audit trail size threshold

Actions taken due to audit storage failure

Modifications made by administrators to the audit trail

Changes to the time

The minimum data recorded for each event includes:

Date and time of the event

Type of event

Who caused the event

Outcome of the event (success or failure)

Audit Classes

Audit classes are categories for grouping and sorting audit events. The server provides a predefined set of audit classes, for example, log-in events and service-related events. You cannot define additional audit classes or change the events in a class. See the setaudit(8) man page for a list of audit classes.

Audit Policy

Audit policy determines how the auditing feature is implemented at your site. You can configure the following aspects of auditing:

Whether it is enabled or disabled

Types of event that are audited

Which users have their events audited

Remote directories for storing audit records

Threshold of local capacity at which a warning is issued

Action when both audit partitions are full

The default audit policy is as follows:

Auditing is enabled

Records are dropped and counted when the audit trail is full

All events are enabled for auditing

Global user audit policy is set to enabled

Per-user audit policy for all users is set to default (that is, enabled)

Audit warning thresholds are set at 80 percent and 100 percent full

Email warnings are disabled

Audit File Tools

You can manage audit files from the Service Processor, using a tool for viewing audit files. See the viewaudit(8) man page for details on this tool.

XSCF Shell Procedures for Auditing

This section describes these tasks:

To Enable or Disable Writing of Audit Records to the Audit Trail

To Configure an Auditing Policy

To Display Whether Auditing is Enabled Or Disabled

To Display Current Auditing Policy, Classes, or Events

To Enable or Disable Writing of Audit Records to the Audit Trail

1. Log in to the XSCF console with auditadm privileges.

2. Type the setaudit command:

XSCF> setaudit enable|disable

where enable enables writing of audit records, and disable disables writing of audit records.

To Configure an Auditing Policy

1. Log in to the XSCF console with auditadm privileges.

2. Type the setaudit command:

XSCF> setaudit [-p count|suspend] [-m mailaddr] [-a users=enable|disable|default] [-c classes={enable|disable}] [-e events=enable|disable] [-g {enable|disable}] [-t percents]

See the setaudit(8) man page for details on option information.

3. Verify the operation with the showaudit all command:

XSCF> showaudit all

To Display Whether Auditing is Enabled Or Disabled

1. Log in to the XSCF console with auditadm privileges.

2. Type the showaudit command:

XSCF> showaudit
Auditing: enabled

To Display Current Auditing Policy, Classes, or Events

1. Log in to the XSCF console with auditadm privileges.

2. Type the showaudit all command:

XSCF> showaudit all

Related Information

For additional information on this chapter’s topics, see:

Resource	Information
`man` pages	`setaudit`(8), `showaudit`(8), `viewaudit`(8)
SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide	Audit administration