Trusted Extensions Administrator's Procedures Oracle Solaris 10 1/13 Information Library
Trusted Extensions Audit Reference
Trusted Extensions software adds audit classes, audit events, audit tokens, and audit policy options to the Oracle Solaris OS. Several auditing commands are extended to handle labels. The following figure shows a typical Trusted Extensions kernel audit record and user-level audit record.
Figure 18-1 Typical Audit Record Structures on a Labeled System
The audit classes that Trusted Extensions software adds to the Oracle Solaris OS are listed alphabetically in the following table. The classes are listed in the /etc/security/audit_class file. For more information about audit classes, see the audit_class(4) man page.
Table 18-1 X Server Audit Classes
The X server audit events are mapped to these classes according to the following criteria:
xc – This class audits server objects for creation or for destruction. For example, this class audits CreateWindow().
xp – This class audits for use of privilege. Privilege use can be successful or unsuccessful. For example, ChangeWindowAttributes() is audited when a client attempts to change the attributes of another client's window. This class also includes administrative routines such as SetAccessControl().
xs – This class audits routines that do not return X error messages to clients on failure when security attributes cause the failure. For example, GetImage() does not return a BadWindow error if it cannot read from a window for lack of privilege.
These events should be selected for audit on success only. When xs events are selected for failure, the audit trail fills with irrelevant records.
xx – This class includes all of the X audit classes.
Trusted Extensions software adds audit events to the system. The new audit events and the audit classes to which the events belong are listed in the /etc/security/audit_event file. The audit event numbers for Trusted Extensions are between 9000 and 10000. For more information about audit events, see the audit_event(4) man page.
The audit tokens that Trusted Extensions software adds to the Oracle Solaris OS are listed alphabetically in the following table. The tokens are also listed in the audit.log(4) man page.
Table 18-2 Trusted Extensions Audit Tokens
The label token contains a sensitivity label. This token contains the following fields:
A token ID
A sensitivity label
The following figure shows the token format.
Figure 18-2 label Token Format
A label token is displayed by the praudit command as follows:
sensitivity label,ADMIN_LOW
The xatom token contains information concerning an X atom. This token contains the following fields:
A token ID
The string length
A text string that identifies the atom
An xatom token is displayed by praudit as follows:
X atom,_DT_SAVE_MODE
The xclient token contains information concerning the X client. This token contains the following fields:
A token ID
The client ID
An xclient token is displayed by praudit as follows:
X client,15
The xcolormap token contains information about the colormaps. This token contains the following fields:
A token ID
The X server identifier
The creator's user ID
The following figure shows the token format.
Figure 18-3 Format for xcolormap, xcursor, xfont, xgc, xpixmap, and xwindow Tokens
An xcolormap token is displayed by praudit as follows:
X color map,0x08c00005,srv
The xcursor token contains information about the cursors. This token contains the following fields:
A token ID
The X server identifier
The creator's user ID
Figure 18-3 shows the token format.
An xcursor token is displayed by praudit as follows:
X cursor,0x0f400006,srv
The xfont token contains information about the fonts. This token contains the following fields:
A token ID
The X server identifier
The creator's user ID
Figure 18-3 shows the token format.
An xfont token is displayed by praudit as follows:
X font,0x08c00001,srv
The xgc token contains information about an X graphics context (xgc). This token contains the following fields:
A token ID
The X server identifier
The creator's user ID
Figure 18-3 shows the token format.
An xgc token is displayed by praudit as follows:
Xgraphic context,0x002f2ca0,srv
The xpixmap token contains information about the pixel mappings. This token contains the following fields:
A token ID
The X server identifier
The creator's user ID
Figure 18-3 shows the token format.
An xpixmap token is displayed by praudit as follows:
X pixmap,0x08c00005,srv
The xproperty token contains information about various properties of a window. This token contains the following fields:
A token ID
The X server identifier
The creator's user ID
A string length
A text string that identifies the atom
The following figure shows an xproperty token format.
Figure 18-4 xproperty Token Format
An xproperty token is displayed by praudit as follows:
X property,0x000075d5,root,_MOTIF_DEFAULT_BINDINGS
The xselect token contains the data that is moved between windows. This data is a byte stream with no assumed internal structure and a property string. This token contains the following fields:
A token ID
The length of the property string
The property string
The length of the property type
The property type string
A length field that gives the number of bytes of data
A byte string that contains the data
The following figure shows the token format.
Figure 18-5 xselect Token Format
An xselect token is displayed by praudit as follows:
X selection,entryfield,halogen
The xwindow token contains information about a window. This token contains the following fields:
A token ID
The X server identifier
The creator's user ID
Figure 18-3 shows the token format.
An xwindow token is displayed by praudit as follows:
X window,0x07400001,srv
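The praudit display formats listed above can be parsed into structured records for audit review. The following is an added example, not part of the Oracle documentation: the dictionary keys (xid, creator, and so on) are names chosen here, and the sample lines are this page's praudit samples plus one constructed line that is not a Trusted Extensions token.

```python
# Added example: parse Trusted Extensions tokens from praudit text output.
# Display names and field order follow the praudit samples on this page;
# the dictionary keys (xid, creator, ...) are names chosen for this example.

# Tokens that share the Figure 18-3 layout: X server identifier, creator's user ID.
_XID_CREATOR = ("xid", "creator")

TOKEN_FORMATS = {
    "sensitivity label": ("label", ("label",)),
    "X atom": ("xatom", ("atom",)),
    "X client": ("xclient", ("client_id",)),
    "X color map": ("xcolormap", _XID_CREATOR),
    "X cursor": ("xcursor", _XID_CREATOR),
    "X font": ("xfont", _XID_CREATOR),
    "Xgraphic context": ("xgc", _XID_CREATOR),  # spelled as in the page's sample
    "X pixmap": ("xpixmap", _XID_CREATOR),
    "X window": ("xwindow", _XID_CREATOR),
    "X property": ("xproperty", _XID_CREATOR + ("atom",)),
    # The page's xselect sample shows two values without naming them: keep raw.
    "X selection": ("xselect", None),
}

def parse_token(line):
    """Return a dict for a Trusted Extensions token line, or None for other lines."""
    name, sep, rest = line.strip().partition(",")
    if not sep or name not in TOKEN_FORMATS:
        return None
    token, fields = TOKEN_FORMATS[name]
    if fields is None:
        return {"token": token, "values": rest.split(",")}
    # The last field takes the remainder, so a value that itself contains
    # a comma is not silently truncated.
    values = rest.split(",", len(fields) - 1)
    if len(values) != len(fields):
        raise ValueError(f"{token}: expected {len(fields)} fields, got {len(values)}")
    record = {"token": token, **dict(zip(fields, values))}
    if "xid" in record:
        record["xid"] = int(record["xid"], 16)  # X identifiers are printed in hex
    return record

def tokens_by_creator(lines, creator):
    """Select X object tokens whose creator's user ID matches `creator`."""
    parsed = (parse_token(l) for l in lines)
    return [t for t in parsed if t and t.get("creator") == creator]

# Sample lines from this page's praudit examples; the last line is constructed.
SAMPLE = ["sensitivity label,ADMIN_LOW",
          "X property,0x000075d5,root,_MOTIF_DEFAULT_BINDINGS",
          "X window,0x07400001,srv", "X selection,entryfield,halogen",
          "return,success,0"]
```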
Trusted Extensions adds two audit policy options to existing Oracle Solaris auditing policy options. List the policies to see the additions:
$ auditconfig -lspolicy
...
windata_down    Include downgraded window information in audit records
windata_up      Include upgraded window information in audit records
...
The auditconfig, auditreduce, and bsmrecord commands are extended to handle Trusted Extensions information:
The auditconfig command includes the Trusted Extensions audit policies. For details, see the auditconfig(1M) man page.
The auditreduce command adds the -l option for filtering records according to the label. For details, see the auditreduce(1M) man page.
The bsmrecord command includes the Trusted Extensions audit events. For details, see the bsmrecord(1M) man page.