JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 11 Express 11/10
search filter icon
search icon

Document Information


Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Oracle Solaris Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Solaris Secure Shell (Tasks)

20.  Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)

Oracle Solaris Audit Service

Audit Commands

audit Command

audit_warn Script

auditconfig Command

auditrecord Command

auditreduce Command

auditstat Command

praudit Command

Files Used in the Audit Service

audit_class File

audit_event File

syslog.conf File

Rights Profiles for Administering Auditing

Auditing and Oracle Solaris Zones

Audit Classes

Definitions of Audit Classes

Audit Class Syntax

Audit Plugins

Audit Policy

Process Audit Characteristics

Audit Trail

Conventions for Binary Audit File Names

Binary Audit File Names

Binary Audit File Timestamps

Audit Record Structure

Audit Record Analysis

Audit Token Formats

acl Token

argument Token

attribute Token

cmd Token

exec_args Token

exec_env Token

file Token

fmri Token

group Token

header Token

ip address Token

ip port Token

ipc Token

IPC_perm Token

path Token

path_attr Token

privilege Token

process Token

return Token

sequence Token

socket Token

subject Token

text Token

trailer Token

use of authorization Token

use of privilege Token

user Token

zonename Token



Audit Commands

This section provides information about the following commands and scripts:

audit Command

The audit command controls the actions of the audit service. The audit service is enabled and refreshed with the audit -s command and disabled with the audit -t command. The audit -n command is used to start a new audit file for the audit_binfile plugin.

For more information, see the audit(1M) man page.

audit_warn Script

The /etc/security/audit_warn script notifies an email alias when the audit service encounters an unusual condition while writing audit records. You can customize this script for your site to warn of conditions that might require manual intervention. Or, you could specify how to handle those conditions automatically.

For all error conditions, the audit_warn script writes a message to syslog with the severity of daemon.alert. You can use syslog.conf to configure console display of syslog messages.

The audit_warn script also sends a message to the audit_warn email alias. You set up this alias as part of audit configuration.

When the audit service detects the following local conditions, the service invokes the audit_warn script. The script sends email to the audit_warn alias.

For further information, see the audit_warn(1M) man page.

auditconfig Command

The auditconfig command retrieves and sets audit configuration parameters. The auditconfig command can do the following tasks:

For a description of the command options, see the auditconfig(1M) man page.

auditrecord Command

The auditrecord command displays the definition of audit events in the /etc/security/audit_event file. The output includes the event's ID, audit class, and the record's audit tokens in order. For examples, see How to Display Audit Record Definitions. Also, see the auditrecord(1M) man page.

auditreduce Command

The auditreduce command post-selects and merges audit records that are stored in binary format. The command can merge audit records from one or more input audit files. The records remain in binary format. For more information, see the auditreduce(1M) man page.

The auditreduce command enables you to track all audited actions on multiple systems from a single location. The command can read the logical combination of all audit files as a single audit trail. You must identically configure all systems at a site for auditing, and create servers and local directories for the audit files. The auditreduce command ignores how the records were generated or where the records are stored. Without options, the auditreduce command merges audit records from all the audit files in all of the subdirectories in the audit root directory. Typically, /var/audit is the audit root directory. The auditreduce command sends the merged results to standard output. You can also place the results into a single, chronologically ordered output file.

The auditreduce command can also select particular types of records for analysis. The merging functions and selecting functions of the auditreduce command are logically independent. The auditreduce command captures data from the input files as the records are read, before the files are merged and then written to disk.

By specifying options to the auditreduce command, you can also do the following:

For a full list of options, see the auditreduce(1M) man page.

With no arguments, the auditreduce command checks the subdirectories within the /var/audit directory, the default audit root directory. The command checks for a files directory in which the start-time.end-time.hostname files reside. The auditreduce command is very useful when audit data resides in separate directories. Figure 31-1 illustrates audit data in separate directories for different hosts.

Figure 31-1 Audit Trail Storage Sorted by Host

Diagram shows a default audit root directory whose top directory names are host names.

If the file system for the /var/audit directory is not used to store audit data, you can pass the auditreduce command another directory by using the -R option:

# auditreduce -R /var/audit-alt 

You can also specify a particular subdirectory by using the -S option:

# auditreduce -S /var/audit-alt/host1 

For other options and more examples, see the auditreduce(1M) man page.

auditstat Command

The auditstat command displays kernel audit statistics. For example, the command can display the number of records in the kernel audit queue, the number of dropped records, and the number of audit records that user processes produced in the kernel as a result of system calls. For a description of the available options, see the auditstat(1M) man page.

praudit Command

The praudit command makes the binary output of the auditreduce command readable. The praudit command reads audit records in binary format from standard input and displays the records in a presentable format. The input can be piped from the auditreduce command or from a single audit file or a list of audit files. Input can also be produced with the tail -0f command for a current audit file.

The praudit command can generate four output formats. A fifth option, -l (long), prints one audit record per line of output. The default is to place one audit token per line of output. The -d option changes the delimiter that is used between token fields and between tokens. The default delimiter is a comma.

In the default output format of the praudit command, each record is easily identified as a sequence of audit tokens. Each token is presented on a separate line. Each record begins with a header token. You could, for example, further process the output with the awk command, as in Example 30-35. For sample output, see How to View the Contents of Binary Audit Files.