System Administration Guide: Security Services     Oracle Solaris 11 Express 11/10

Configuring the Audit Service (Tasks)

Before you enable auditing on your network, you can modify the defaults to satisfy your site auditing requirements. Best practice is to customize your audit configuration as much as possible before the first users log in.

If you have implemented zones, you can choose to audit all zones from the global zone. Alternatively, to audit non-global zones individually, you can set the perzone policy in the global zone. In the perzone configuration, each non-global zone administrator manages auditing in their non-global zone. For an overview, see Auditing and Oracle Solaris Zones. For planning, see How to Plan Auditing in Zones. For procedures, see Configuring the Audit Service in Zones (Tasks).

Configuring the Audit Service (Task Map)

The following task map points to the procedures for configuring auditing. All tasks are optional.

Task: Display auditing defaults.
Description: Before configuring auditing, displays the default policy, queue controls, flags, and plugin usage.
For Instructions: How to Display Audit Service Defaults

Task: Select which events are audited.
Description: Preselects system-wide audit classes. If an event is attributable, then all users are audited for this event.
For Instructions: How to Preselect Audit Classes

Task: Select which events are audited for specific users.
Description: Sets user-specific exceptions to the system-wide audit classes.
For Instructions: How to Configure a User's Audit Characteristics

Task: Specify audit policy.
Description: Defines additional audit data that your site requires.
For Instructions: How to Change Audit Policy

Task: Specify queue controls.
Description: Modifies the default buffer size, the number of audit records in the queue, and the interval between writes of audit records to the buffer.
For Instructions: How to Change Audit Queue Controls

Task: Create the audit_warn alias.
Description: Defines who receives email warnings when the audit service needs attention.
For Instructions: How to Configure the audit_warn Email Alias

Task: Configure audit logs.
Description: Configures the location of audit records for each plugin.
For Instructions: Configuring Audit Logs

Task: Add audit classes.
Description: Reduces the number of audit records by creating a new audit class to hold critical events.
For Instructions: How to Add an Audit Class

Task: Change event-to-class mappings.
Description: Reduces the number of audit records by changing the event-class mapping.
For Instructions: How to Change an Audit Event's Class Membership

How to Display Audit Service Defaults

The commands in this procedure display the current audit configuration. The output in this procedure is taken from an unconfigured system.

Before You Begin

You must be assigned the Audit Configuration or Audit Control rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. Display the preselected classes for attributable events.
    # auditconfig -getflags
    active user default audit flags = lo(0x1000,0x1000)
    configured user default audit flags = lo(0x1000,0x1000)

    lo is the flag for the login/logout audit class. The format of the mask output is (success,failure).

  3. Display the preselected classes for non-attributable events.
    # auditconfig -getnaflags
    active non-attributable audit flags = lo(0x1000,0x1000)
    configured non-attributable audit flags = lo(0x1000,0x1000)

    To see which events are assigned to a class, and therefore which events are being recorded, run the auditrecord -c class command.

  4. Display the audit policy.
    $ auditconfig -getpolicy
    configured audit policies = cnt
    active audit policies = cnt

    The active policy is the policy that is currently used by the kernel, but is not a property of the audit service. The configured policy is a property of the audit service, so is restored when you restart the audit service.

  5. Display information about the audit plugins.
    $ auditconfig -getplugin
    Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;
    
    Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
    
    Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

    The audit_binfile plugin is active by default.

  6. Display the audit queue controls.
    $ auditconfig -getqctrl
      no configured audit queue hiwater mark
      no configured audit queue lowater mark
      no configured audit queue buffer size
      no configured audit queue delay
      active audit queue hiwater mark (records) = 100
      active audit queue lowater mark (records) = 10
      active audit queue buffer size (bytes) = 8192
      active audit queue delay (ticks) = 20

    The active values are the values that the kernel is currently using. The string no configured indicates that the repository holds no value for that parameter, so the kernel default is in use.

  7. Display the audit_flags for existing users.

    For each logged in user, display the value of the audit_flags keyword.

    # who
    adoe    pts/1        Oct 10 10:20    (:0.0)
    adoe    pts/2        Oct 10 10:20    (:0.0)
    jdoe    pts/5        Oct 12 12:20    (:0.0)
    jdoe    pts/6        Oct 12 12:20    (:0.0)
    ...
    # userattr audit_flags adoe
    # userattr audit_flags jdoe

    By default, users are audited for the system-wide settings only.

    For a description of the userattr command, see the userattr(1) man page.

Example 30-1 Resetting the Audit Service to the Defaults

For testing purposes, the administrator sets a configured audit service to the defaults. The administrator also removes user exceptions to the system-wide audit flags.

# auditconfig -setflags lo
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt

When the administrator sets the plugins to their defaults, an empty attribute value (for example, p_fsize=) resets that attribute to its default, and the final empty argument ("") sets the queue size for the plugin to the default.

# auditconfig -setplugin audit_binfile active \
"p_dir=/var/audit;p_fsize=;p_minfree=" ""
# auditconfig -setplugin audit_remote inactive "p_hosts=;p_retries=;p_timeout=" ""
# auditconfig -setplugin audit_syslog inactive p_flags= ""

The administrator uses the who -q command to determine who is using the system. The line that begins with # users= is part of the command's output, not a prompt. See the who(1) man page.

# who -q
jdoe jdoe jdoe
# users=1

The administrator uses the usermod command to remove jdoe's user-specific audit flags.

# usermod -K audit_flags= jdoe

To activate the new plugin configurations, the administrator refreshes the audit service.

# audit -s

How to Preselect Audit Classes

The auditconfig command is used to configure system-wide auditing for attributable and non-attributable events.

Before You Begin

You must be assigned the Audit Configuration rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. Determine the current preselected classes.

    Use the -getflags and -getnaflags options to the auditconfig command, as shown in How to Display Audit Service Defaults.

    To see which events are assigned to a class, and therefore which events are being recorded, use the auditrecord -c class command, as shown in Example 30-24.

  3. Set the new audit configuration.

    Preselect the attributable and non-attributable classes.

    • Preselect the attributable classes.
      # auditconfig -setflags lo,ps,fw
      user default audit flags = ps,lo,fw(0x101002,0x101002)

      This command audits the events in the three classes for success and for failure.

    • Preselect the non-attributable classes.
      # auditconfig -setnaflags lo,na
      non-attributable audit flags = lo,na(0x1400,0x1400)

      This command audits the events in the na class, and the login events that are not attributable. lo and na are the only legal arguments to the -setnaflags option.


    Note - The auditconfig -set*flags commands do not add classes to the current kernel defaults. These commands replace the kernel defaults, so you must specify all classes that you want to preselect.


How to Configure a User's Audit Characteristics

Audit class preselections for each user are specified by the audit_flags keyword and are stored in the user_attr database and prof_attr database. These definitions, plus the preselected classes for the system, determine the user's audit mask, as described in Process Audit Characteristics. The nsswitch.conf file determines if the local user attributes file or a naming service attributes database is used.

Before You Begin

You must be assigned the User Security rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. To set audit flags for a user, use the usermod command.
    # usermod -K audit_flags=fw:no jdoe

    The format of the audit_flags keyword is always-audit:never-audit, where

    always-audit

    Lists the audit classes that are exceptions for this user. Exceptions to the system-wide classes are prefixed by a caret (^). Added classes are not prefixed by a caret.

    never-audit

    Lists the audit classes that are never audited for the user, even if these audit events are audited system-wide. Exceptions to the system-wide classes are prefixed by a caret (^).

    To specify multiple audit classes, separate the classes with commas. For more information, see the audit_flags(5) man page.

  3. To set audit flags for a rights profile, use the profiles command.
    # profiles -K audit_flags=fw,as:no "System Administrator"

    When you assign the rights profile to a user or a role, that user or role is audited for those flags.

Example 30-2 Changing Which Events Are Audited for One User

In this example, the audit preselection mask for all users is the following:

# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)

The administrator preselects the pf class for the jdoe user. The pf class is created in Example 30-10.

# usermod -K audit_flags=pf:no jdoe

The userattr command shows the addition.

# userattr audit_flags jdoe
pf:no

The audit preselection mask for jdoe is a combination of the audit_flags settings with the system default settings. 289 is the PID of jdoe's login shell.

# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = ss,pf,lo(0x8011000,0x8011000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 103203403

Example 30-3 Making an Audit Preselection Exception for One User

In this example, the audit preselection mask for all users is the following:

# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)

The administrator does not collect failed ss events for the jdoe user.

# usermod -K audit_flags=^-ss:no jdoe

The userattr command shows the exception.

# userattr audit_flags jdoe
^-ss:no

The audit preselection mask for jdoe is a combination of the audit_flags settings with the system default settings. 289 is the PID of jdoe's login shell.

# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = +ss,lo(0x11000,0x1000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 103203403

Example 30-4 Auditing for Selected Users, Not All Users

In this example, the login and role activities of four users only are audited on this system. No audit classes are preselected for the system.

First, the administrator removes all system-wide flags.

# auditconfig -setflags no
user default audit flags = no(0x0,0x0)

Then, the administrator preselects two audit classes for four users. The pf class is created in Example 30-10.

# usermod -K audit_flags=lo,pf:no jdoe
# usermod -K audit_flags=lo,pf:no kdoe
# usermod -K audit_flags=lo,pf:no pdoe
# usermod -K audit_flags=lo,pf:no zdoe

Then, the administrator preselects the lo and pf classes for the root role.

# userattr audit_flags root
# rolemod -K audit_flags=lo,pf:no root

To continue to record attempts to break into the system, the administrator does not change the auditing of non-attributable logins:

# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

Example 30-5 Removing a User's Audit Flags

In the following example, the administrator removes all user-specific audit flags.

First, the administrator confirms that the users for whom audit flags are set are not logged in.

# who | grep jdoe
# who | grep kdoe
# who | grep ldoe

Then, the administrator runs the usermod command with the audit_flags keyword set to no value.

# usermod -K audit_flags= jdoe
# usermod -K audit_flags= kdoe
# usermod -K audit_flags= ldoe

Finally, the administrator verifies the removal.

# userattr audit_flags jdoe
# userattr audit_flags kdoe
# userattr audit_flags ldoe

How to Change Audit Policy

Audit policy determines the characteristics of the audit records for the local host. You can inspect, change, and temporarily change audit policies with the auditconfig command.

Before You Begin

You must be assigned the Audit Configuration rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. View the current audit policy.

    Use the -getpolicy option to the auditconfig command, as shown in How to Display Audit Service Defaults.

  3. View the available policy options.
    $ auditconfig -lspolicy
    policy string    description:
    ahlt             halt machine if it can not record an async event
    all              all policies for the zone
    arge             include exec environment args in audit recs
    argv             include exec command line args in audit recs
    cnt              when no more space, drop recs and keep a cnt
    group            include supplementary groups in audit recs
    none             no policies
    path             allow multiple paths per event
    perzone          use a separate queue and auditd per zone
    public           audit public files
    seq              include a sequence number in audit recs
    trail            include trailer token in audit recs
    windata_down     include downgraded window information in audit recs
    windata_up       include upgraded window information in audit recs
    zonename         include zonename token in audit recs

    Note - The perzone and ahlt policy options can only be set in the global zone.


  4. Enable or disable selected audit policy options.
    # auditconfig [ -t ] -setpolicy [prefix]policy[,policy...]
    -t

    Optional. Creates a temporary, or active, policy. The policy setting is not restored when you restart the audit service.

    prefix

    A prefix value of + adds the list of policies to the current policy. A prefix value of - removes the list of policies from the current policy. Without a prefix, the list replaces the current policy.

    policy

    Selects the policy to be enabled or to be disabled.

    A temporary policy is in effect until the audit service is refreshed, or until the policy is modified by the auditconfig -setpolicy command.

    For a description of each policy option, see Determining Audit Policy.

Example 30-6 Setting the ahlt Audit Policy Option

In this example, the cnt policy is disabled, and the ahlt policy is enabled. With these settings, the system halts when the audit queue is full and an asynchronous event occurs. When a synchronous event occurs while the queue is full, the process that generated the event blocks until its record can be queued. These settings are appropriate when security is more important than availability. For more information, see Audit Policies for Asynchronous and Synchronous Events.

# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt

The plus sign (+) before the ahlt policy adds the policy to current policy settings. Without the plus sign, the ahlt policy replaces current policy settings.

Example 30-7 Setting a Temporary Audit Policy

In this example, the audit service is enabled and the ahlt audit policy is configured. The administrator adds the trail audit policy to the active policy (+trail), but does not configure the audit service to use the trail audit policy permanently (-t). The trail policy aids in the recovery of damaged audit trails.

$ auditconfig -setpolicy ahlt
$ auditconfig -getpolicy
  configured audit policies = ahlt
  active audit policies = ahlt
$ auditconfig -t -setpolicy +trail
  configured audit policies = ahlt
  active audit policies = ahlt,trail

The administrator unsets the trail policy when the debugging is completed.

$ auditconfig -setpolicy -trail
$ auditconfig -getpolicy
  configured audit policies = ahlt
  active audit policies = ahlt

Refreshing the audit service also removes this temporary policy, plus any other temporary settings in the audit service. For examples of other temporary settings, see How to Change Audit Queue Controls.

Example 30-8 Setting the perzone Audit Policy

In this example, the perzone audit policy is added to existing policy in the global zone. The perzone policy setting is stored as a property of the audit service, so perzone policy is in effect during the session and when the audit service is restarted.

$ auditconfig -getpolicy
  configured audit policies = cnt
  active audit policies = cnt
$ auditconfig -setpolicy +perzone
$ auditconfig -getpolicy
  configured audit policies = perzone,cnt
  active audit policies = perzone,cnt

How to Change Audit Queue Controls

The audit service provides default values for audit queue parameters. You can inspect, change, and temporarily change these values with the auditconfig command.

Before You Begin

You must be assigned the Audit Configuration rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. View the current audit queue parameter values.

    Use the -getqctrl option to the auditconfig command, as shown in How to Display Audit Service Defaults.

    For a description of the audit queue parameters, see the auditconfig(1M) man page.

  3. Modify selected audit queue parameters.
    • To modify some or all audit queue parameters, use the -setqctrl option.

      # auditconfig [ -t ] -setqctrl hiwater lowater bufsz interval
    • To modify a specific audit queue parameter, use the specific option. The -setqdelay option is the equivalent of -setqctrl 0 0 0 interval.

      # auditconfig [ -t ] -setqhiwater value
      # auditconfig [ -t ] -setqlowater value
      # auditconfig [ -t ] -setqbufsz value
      # auditconfig [ -t ] -setqdelay value

    For more examples, see the auditconfig(1M) man page.

Example 30-9 Resetting an Audit Queue Control to the Default

The administrator sets all queue controls, then changes the lowater value in the repository back to the default.

# auditconfig -setqctrl 200 5 10216 10
# auditconfig -setqctrl 200 0 10216 10
configured audit queue hiwater mark (records) = 200
no configured audit queue lowater mark
configured audit queue buffer size (bytes) = 10216
configured audit queue delay (ticks) = 10
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 5
active audit queue buffer size (bytes) = 10216
active audit queue delay (ticks) = 10

Later, the administrator explicitly sets the lowater value to 10, which is the default. Because the -t option is not used, both the configured value in the repository and the active value in the kernel change. To change only the active value for the current session, the administrator would use auditconfig -t -setqlowater 10 instead.

# auditconfig -setqlowater 10
# auditconfig -getqlowater
configured audit queue lowater mark (records) = 10
active audit queue lowater mark (records) = 10

How to Configure the audit_warn Email Alias

The /etc/security/audit_warn script generates mail to an email alias that is called audit_warn. To send this mail to a valid email address, you can follow one of the options that are described in Step 2:

  1. Assume the root role.
  2. Configure the audit_warn email alias.

    Choose one of the following options:

    • OPTION 1 – Replace the audit_warn email alias with another email alias in the audit_warn script.

      Change the email alias in the following line of the script:

      ADDRESS=audit_warn            # standard alias for audit alerts
    • OPTION 2 – Redirect the audit_warn email to another mail account.

      In this case, you would add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the naming service. The new entry would appear similar to the following if the root mail account was made a member of the audit_warn email alias:

      audit_warn: root

      Then run the newaliases command to rebuild the random access database for the aliases file.

      # newaliases
      /etc/mail/aliases: 14 aliases, longest 10 bytes, 156 bytes total

    Note - If the perzone policy is set, the non-global zone administrator must configure the audit_warn alias in the non-global zone.


How to Add an Audit Class

When you create your own audit class, you can place into it just those audit events that you want to audit for your site. When you add the class on one system, copy the change to all systems that are being audited. Best practice is to create audit classes before enabling the audit service.


Note - You must choose free bits. Your choice can be overwritten by a future release of the Oracle Solaris OS.


  1. Assume the root role.
  2. (Optional) Save a backup copy of the audit_class file.
    # cp /etc/security/audit_class /etc/security/audit_class.orig
  3. Add new entries to the audit_class file.

    Each entry has the following format:

    0xnumber:flag:description

    The entry must be unique in the file. Do not use existing audit class masks. For a description of the fields, see the audit_class(4) man page. For the list of classes, review the /etc/security/audit_class file. For an alphabetical listing, see Definitions of Audit Classes.

Example 30-10 Creating a New Audit Class

This example creates a class to hold the administrative commands that are executed in a role. The added entry to the audit_class file is as follows:

0x08000000:pf:profile command

The entry creates the new pf audit class. Example 30-11 populates the new audit class.

Troubleshooting

If you have customized the audit_class file, make sure that every class named in a user's audit_flags value, and in the system-wide preselection, is defined in the new audit_class file. Errors occur when an audit_flags value names a class that the audit_class file does not define.

How to Change an Audit Event's Class Membership

You might want to change an audit event's class membership to reduce the size of an existing audit class, or to place the event in a class of its own. When you reconfigure audit event-class mappings on one system, copy the change to all systems that are being audited. Best practice is to change event-class mappings before users log in.

  1. Assume the root role.
  2. (Optional) Save a backup copy of the audit_event file.
    # cp /etc/security/audit_event /etc/security/audit_event.orig
  3. Change the class to which particular events belong by changing the class-list of the events.

    Each entry has the following format:

    number:name:description:class-list
    number

    Is the audit event ID.

    name

    Is the name of the audit event.

    description

    Typically, the system call or executable that triggers the creation of an audit record.

    class-list

    Is a comma-separated list of audit classes.

Example 30-11 Mapping Existing Audit Events to a New Class

This example maps an existing audit event to the new class that was created in Example 30-10. By default, the AUE_PFEXEC audit event is mapped to four classes: ps, ex, ua, and as. The new pf class replaces those four classes. After the replacement, the administrator can preselect the ps, ex, ua, or as classes without generating AUE_PFEXEC records, and can preselect pf to collect only the AUE_PFEXEC records.

# grep pf /etc/security/audit_class
0x08000000:pf:profile command
# vi /etc/security/audit_event
116:AUE_PFEXEC:execve(2) with pfexec enabled:pf
# auditconfig -setflags lo,pf
user default audit flags = pf,lo(0x8001000,0x8001000)
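Both procedures above are hand edits of /etc/security files, and the Troubleshooting note describes what goes wrong when the edits disagree. The following shell example is added here and is not code from the Oracle guide: before the audit service is refreshed, it checks that a new audit_class entry uses a unique name and a single free bit, that every class an audit_event class-list names is defined, and that an audit_flags value is a subset of audit_class. The audit_class and audit_event excerpts are constructed (the masks and the AUE_PFEXEC line are the ones on this page, the rest are placeholders), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): consistency checks for hand
# edits to audit_class and audit_event, as in Examples 30-10 and 30-11.

# Constructed excerpts of /etc/security/audit_class and audit_event. The
# masks and the AUE_PFEXEC line are the ones this page shows; the other
# lines are placeholders so the checks have something to compare against.
AUDIT_CLASS=$(mktemp) && AUDIT_EVENT=$(mktemp) || exit 1
cat > "$AUDIT_CLASS" <<'EOF'
# mask:name:description
0x00000000:no:invalid class
0x00000002:fw:file write
0x00000400:na:non-attributable
0x00001000:lo:login or logout
0x00010000:ss:change system state
0x00100000:ps:process start/stop
0xffffffff:all:all classes (meta-class)
EOF
cat > "$AUDIT_EVENT" <<'EOF'
# number:name:description:class-list
116:AUE_PFEXEC:execve(2) with pfexec enabled:pf
6152:AUE_login:login - local:lo
EOF

# check_class_entry ENTRY CLASS_FILE: succeed only if ENTRY (0xmask:name:desc)
# uses a new name and a single bit that no existing class owns. The "all"
# and "no" meta-classes are skipped because they cover every bit or none.
check_class_entry() {
    new_mask=${1%%:*}; rest=${1#*:}; new_name=${rest%%:*}; file=$2; rc=0
    if [ $(( $new_mask == 0 || ($new_mask & ($new_mask - 1)) != 0 )) -ne 0 ]; then
        echo "mask $new_mask is not a single free bit" >&2; rc=1
    fi
    while IFS=: read -r mask name desc; do
        case "$mask" in ''|'#'*) continue ;; esac
        if [ "$name" = "$new_name" ]; then
            echo "class $new_name is already defined with mask $mask" >&2; rc=1
        fi
        case "$name" in all|no) continue ;; esac
        if [ $(( $new_mask & $mask )) -ne 0 ]; then
            echo "mask $new_mask overlaps class $name ($mask)" >&2; rc=1
        fi
    done < "$file"
    return $rc
}

# undefined_classes CLASS_FILE EVENT_FILE: print every class that an
# audit_event class-list names but audit_class does not define; exit 1 if
# there is any. This is the mismatch the Troubleshooting note warns about.
undefined_classes() {
    awk -F: '
        FNR == NR { if ($0 !~ /^#/ && NF >= 2) defined[$2] = 1; next }
        /^#/ || NF < 4 { next }
        {
            n = split($4, cls, ",")
            for (i = 1; i <= n; i++)
                if (cls[i] != "" && !(cls[i] in defined) && !seen[cls[i]]++) {
                    print cls[i]; bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# check_audit_flags FLAGS CLASS_FILE: succeed only if every class named in an
# audit_flags value (always-audit:never-audit, with ^, + and - prefixes) is
# defined in CLASS_FILE, the subset rule the Troubleshooting note states.
check_audit_flags() {
    file=$2; rc=0
    set -- $(printf '%s\n' "$1" | tr ':,' '  ')
    for c in "$@"; do
        c=${c#^}; c=${c#+}; c=${c#-}
        if [ -z "$c" ]; then continue; fi
        if ! grep -q "^0x[0-9a-fA-F]*:$c:" "$file"; then
            echo "audit_flags names undefined class $c" >&2; rc=1
        fi
    done
    return $rc
}

# Walk-through: the event is already mapped to pf above (Example 30-11), so
# the check fails until the pf class (Example 30-10) is added.
undefined_classes "$AUDIT_CLASS" "$AUDIT_EVENT" ||
    echo "undefined class above: add it to audit_class before refreshing the audit service"
entry='0x08000000:pf:profile command'
check_class_entry "$entry" "$AUDIT_CLASS" && echo "$entry" >> "$AUDIT_CLASS"
undefined_classes "$AUDIT_CLASS" "$AUDIT_EVENT" && echo "audit_event is consistent with audit_class"
check_audit_flags 'lo,pf:no' "$AUDIT_CLASS" && echo "audit_flags=lo,pf:no is valid"
```

Run the three checks against the real files, and the audit_flags check against every user and rights profile that carries an audit_flags keyword, before copying the edited files to other audited systems and running audit -s.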