JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

7.  Using the Automated Security Enhancement Tool (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Oracle Solaris Secure Shell (Tasks)

20.  Oracle Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

Oracle Solaris Auditing (Task Map)

Configuring Audit Files (Task Map)

Configuring Audit Files (Tasks)

How to Modify the audit_control File

How to Configure syslog Audit Logs

How to Change a User's Audit Characteristics

How to Add an Audit Class

How to Change an Audit Event's Class Membership

Configuring and Enabling the Audit Service (Task Map)

Configuring and Enabling the Audit Service (Tasks)

How to Create Partitions for Audit Files

How to Configure the audit_warn Email Alias

How to Configure Audit Policy

How to Enable the Audit Service

How to Disable the Audit Service

How to Update the Audit Service

Configuring the Audit Service in Zones (Tasks)

How to Configure All Zones Identically for Auditing

How to Configure Per-Zone Auditing

Managing Audit Records (Task Map)

Managing Audit Records

How to Display Audit Record Formats

How to Merge Audit Files From the Audit Trail

How to Select Audit Events From the Audit Trail

How to View the Contents of Binary Audit Files

How to Clean Up a not_terminated Audit File

How to Prevent Audit Trail Overflow

Troubleshooting Oracle Solaris Auditing (Tasks)

Troubleshooting Oracle Solaris Auditing (Task Map)

How to Determine That Oracle Solaris Auditing Is Running

How to Lessen the Volume of Audit Records That Are Produced

How to Audit All Commands by Users

How to Find Audit Records of Changes to Specific Files

How to Modify a User's Preselection Mask

How to Prevent the Auditing of Certain Events

How to Limit the Size of Binary Audit Files

How to Audit Logins From Other OSes

How to Audit FTP and SFTP File Transfers

31.  Oracle Solaris Auditing (Reference)

Glossary

Index

Configuring Audit Files (Tasks)

Before you enable auditing on your network, you can customize the audit configuration files for your site auditing requirements. You can also restart the audit service or reboot the local system to read changed configuration files after the audit service has been enabled. However, the recommended practice is to customize your audit configuration as much as possible before you start the audit service.

If you have implemented zones, you can choose to audit all zones from the global zone. To differentiate between zones in the audit output, you can set the zonename policy option. Alternatively, to audit non-global zones individually, you can set the perzone policy in the global zone and customize the audit configuration files in the non-global zones. For an overview, see Auditing and Oracle Solaris Zones. For planning, see How to Plan Auditing in Zones. For procedures, see Configuring the Audit Service in Zones (Tasks).

How to Modify the audit_control File

The /etc/security/audit_control file configures system-wide auditing. The file determines which events are audited, when audit warnings are issued, and the location of the audit files.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_control file.
    # cp /etc/security/audit_control /etc/security/audit_control.orig
  3. Modify the audit_control file for your site.

    Each entry has the following format:

    keyword:value
    keyword

    Defines the type of line. The types are dir, flags, minfree, naflags, and plugin. In the Solaris 10 release, the dir and minfree lines are deprecated.

    For explanations of the keywords, see the following examples.

    value

    Specifies data that is associated with the line type.


    Note - To specify the locations of audit directories, use the p_dir attribute to the audit_binfile.so plugin. To specify the minimum free space, use the p_minfree attribute.


  4. (Optional) Verify the syntax of the file.
    # audit -v /etc/security/audit_control
    syntax ok

Example 30-1 Preselecting Audit Classes for All Users

The flags line in the audit_control file defines which classes of attributable events are audited for all users on the system. The classes are separated by commas. White space is allowed. In this example, the events in the lo and ap classes are audited for all users.

## audit_control file
flags:lo,ap
naflags:lo
plugin:name=...

To see which events are assigned to a class, read the audit_event file. You can also use the bsmrecord command, as shown in Example 30-27.

Example 30-2 Preselecting Nonattributable Events

In this example, all events in the na class, and all login events that are not attributable, are audited.

## audit_control file
flags:lo
naflags:lo,na
plugin:name=...

Example 30-3 Specifying the Location of Binary Audit Data

The p_dir flag to the audit_binfile.so plugin lists which audit file systems to use for binary audit data. In this example, three locations for binary audit data are defined. The directories are listed in order from the primary directory to the directory of last resort. The plugin line does not contain a line break.

## audit_control file
##
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/egret.1/files,
/var/audit/egret.2/files,/var/audit

To set up file systems to hold audit binary audit data, see How to Create Partitions for Audit Files.

Example 30-4 Changing the Soft Limit for Warnings

In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when only 10 percent of the file system is available.

The plugin line does not contain a line break.

## audit_control file
#
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/examplehost.1/files,
/var/audit/examplehost.2/files,/var/audit/localhost/files; p_minfree=10

The audit_warn alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.

How to Configure syslog Audit Logs

You can instruct the audit service to copy some or all of the collected audit records in the audit queue to syslog. In the following procedure, you save binary audit data and text audit data. The collected text audit data is a subset of the binary data.

Before You Begin

You must preselect audit classes. Preselected audit classes are specified in the flags line and the naflags line of the audit_control file. You can also preselect classes for individual users in the audit_user file and dynamically add audit classes with the auditconfig command.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_control file.
    # cp /etc/security/audit_control /etc/security/audit_control.save
  3. Add an audit_syslog.so plugin entry.
    ## audit_control file
    flags:lo,ss
    naflags:lo,na
    plugin:name=audit_binfile.so;p_dir=/var/audit; p_minfree=20;
    plugin:name=audit_syslog.so;p_flags=+lo,-ss

    A plugin entry has the following format:

    plugin:name=name; qsize=max-queued-records;p_*=value
    • name=name – Lists the name of the plugin. The valid values are audit_binfile.so and audit_syslog.so.

    • qsize=max-queued-records – Specifies the maximum number of records to queue for audit data that is being sent to the plugin. This attribute is optional.

    • p_*=value – Specifies plugin-specific attributes. The audit_syslog.so plugin accepts p_flags. The audit_binfile.so plugin accepts p_dir, p_minfree and p_fsize. The p_fsize attribute was introduced in Solaris 10 10/08.

    For more information about the plugin-specific attributes, see the OBJECT ATTRIBUTES section of the audit_binfile(5) and audit_syslog(5) man pages.

  4. Add an audit.notice entry to the syslog.conf file.

    The entry includes the location of the log file.

    # cat /etc/syslog.conf
    …
    audit.notice       /var/adm/auditlog

    Do not store text logs where the binary audit files are stored. The auditreduce command, which reads binary audit files, assumes that all files in an audit partition are binary audit files.

  5. Create the log file.
    # touch /var/adm/auditlog
  6. Refresh the configuration information for the syslog service.
    # svcadm refresh system/system-log
  7. Regularly archive the syslog log files.

    The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.

Example 30-5 Specifying Audit Classes for syslog Output

In the following example, the syslog utility collects a subset of the preselected audit classes.

## audit_user file
jdoe:pf
## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/host.1/files,
/var/audit/host.2/files,/var/audit/localhost/files; p_minfree=10
plugin:name=audit_syslog.so; p_flags=-lo,-na,-ss,+pf

The flags and naflags entries instruct the system to collect all login/logout, nonattributable, and change of system state audit records in binary format. The audit_syslog.so plugin entry instructs the syslog utility to collect only failed logins, failed nonattributable events, and failed changes of system state. For the jdoe user, the binary audit record includes all uses of a profile-aware shell. The syslog utility collects successful profile-aware commands. The pf class is created in Example 30-10.

Example 30-6 Putting syslog Audit Records on a Remote System

You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is example1. The remote system is remote1.

example1 # cat /etc/syslog.conf
…
audit.notice       @remote1

The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.

remote1 # cat /etc/syslog.conf
…
audit.notice       /var/adm/auditlog

Example 30-7 Using Plugins in the audit_control File

The preferred method for specifying non-flags information in the audit_control file is to use the plugin entry. In this example, the audit flags are selected, then the plugin information is listed.

## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so;p_minfree=10; p_dir=/var/audit
plugin:name=audit_syslog.so; p_flags=+lo

How to Change a User's Audit Characteristics

Definitions for each user are stored in the audit_user database. These definitions modify, for the specified user, the preselected classes in the audit_control file. The nsswitch.conf file determines if a local file or if a naming service database is used. To calculate the user's final audit preselection mask, see Proscess Audit Characteristics.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_user database.
    # cp /etc/security/audit_user /etc/security/audit_user.orig
  3. Add new entries to the audit_user database.

    In the local database, each entry has the following format:

    username:always-audit:never-audit
    username

    Selects the name of the user to be audited.

    always-audit

    Selects the list of audit classes that should always be audited for the specified user.

    never-audit

    Selects the list of audit classes that should never be audited for the specified user.

    You can specify multiple classes by separating the audit classes with commas.

    The audit_user entries are in effect at the user's next login.

Example 30-8 Changing Which Events Are Audited for One User

In this example, the audit_control file contains the preselected audit classes for the system:

## audit_control file
…
flags:lo,ss
naflags:lo,na

The audit_user file shows an exception. When the user jdoe uses a profile shell, that use is audited:

## audit_user file
jdoe:pf

The audit preselection mask for jdoe is a combination of the audit_user settings with the audit_control settings. The auditconfig -getaudit command shows the preselection mask for jdoe:

# auditconfig -getaudit
audit id = jdoe(1234567)
process preselection mask = ss,pf,lo(0x13000,0x13000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 2138517656

Example 30-9 Auditing Users Only, Not the System

In this example, the login and role activities of four users only are audited on this system. The audit_control file does not preselect audit classes for the system.

## audit_control file
…
flags:
naflags:

The audit_user file preselects two audit classes for four users, as follows:

## audit_user file
jdoe:lo,pf
kdoe:lo,pf
pdoe:lo,pf
sdoe:lo,pf

The following audit_control file records unwarranted intrusion. In combination with the audit_user file, this file protects the system more than the first audit_control file in this example.

## audit_control file
…
flags:
naflags:lo
plugin:name=...

How to Add an Audit Class

When you create your own audit class, you can place into it just those audit events that you want to audit for your site. When you add the class on one system, you should copy the change to all systems that are being audited.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_class file.
    # cp /etc/security/audit_class /etc/security/audit_class.orig
  3. Add new entries to the audit_class file.

    Each entry has the following format:

    0xnumber:name:description
    0x

    Identifies number as hexadecimal.

    number

    Defines the unique audit class mask.

    name

    Defines the letter name of the audit class.

    description

    Defines the descriptive name of the audit class.

    The entry must be unique in the file. Do not use existing audit class masks.

Example 30-10 Creating a New Audit Class

This example creates a class to hold a small set of audit events. The added entry to the audit_class file is as follows:

0x10000000:pf:profile command

The entry creates a new audit class that is called pf. Example 30-11 populates the new audit class.

Troubleshooting

If you have customized the audit_class file, make sure that any modifications to audit_user are consistent with the new audit classes. Errors occur when the audit classes in audit_user are not a subset of the audit_class database.

How to Change an Audit Event's Class Membership

You might want to change an audit event's class membership to reduce the size of an existing audit class, or to place the event in a class of its own. When you reconfigure audit event-class mappings on one system, you should copy the change to all systems that are being audited.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_event file.
    # cp /etc/security/audit_event /etc/security/audit_event.orig
  3. Change the class to which particular events belong by changing the class-list of the events.

    Each entry has the following format:

    number:name:description:class-list
    number

    Is the audit event ID.

    name

    Is the name of the audit event.

    description

    Typically, the system call or executable that triggers the creation of an audit record.

    class-list

    Is a comma-separated list of audit classes.

Example 30-11 Mapping Existing Audit Events to a New Class

This example maps an existing audit event to the new class that was created in Example 30-10. In the audit_control file, the binary audit record captures successes and failures of events in the pf class. The syslog audit log contains only failures of events in the pf class.

# grep pf | /etc/security/audit_class
0x10000000:pf:profile command
# vi /etc/security/audit_event
6180:AUE_prof_cmd:profile command:ua,as,pf
# vi audit_control
...
flags:lo,pf
plugin:name=audit_binfile.so; p_dir=/var/audit; p_minfree=10
plugin:name=audit_syslog.so; p_flags=-lo,-pf

Example 30-12 Auditing the Use of setuid Programs

This example creates a class to hold events that monitor calls to the setuid and setgid programs. The binary audit record captures successes and failures of events in the lo and na classes, and the successes of events in the st class. The syslog audit log contains only successes of events in the st class.

# vi /etc/security/audit_class
0x00000800:st:setuid class
# vi /etc/security/audit_event
26:AUE_SETGROUPS:setgroups(2):st
27:AUE_SETPGRP:setpgrp(2):st
40:AUE_SETREUID:setreuid(2):st
41:AUE_SETREGID:setregid(2):st
214:AUE_SETEGID:setegid(2):st
215:AUE_SETEUID:seteuid(2):st

# vi audit_control
## audit_control file
flags:lo,+st
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit; p_minfree=10
plugin:name=audit_syslog.so; p_flags=-lo,+st