Example: Configuring Oracle Solaris Auditing

This section provides an example of how you configure and implement Oracle Solaris auditing. It begins with the configuration of different attributes of the service according to specific needs and requirements. After configuration is completed, the audit service is started to effect the configuration settings. Each time that you need to revise an existing audit configuration to accommodate new requirements, follow the same sequence of actions in this example:

1. Configure the audit parameters.

2. Refresh the audit service.

3. Verify the new audit configuration.

• First, the administrator adds a temporary policy.

  # auditconfig -t -setpolicy +zonename
  # auditconfig -getpolicy
  configured audit policies = ahlt,arge,argv,perzone
  active audit policies = ahlt,arge,argv,perzone,zonename

• Then, the administrator specifies queue controls.

  # auditconfig -setqctrl 200 20 0 0
  # auditconfig -getqctrl
  configured audit queue hiwater mark (records) = 200
  configured audit queue lowater mark (records) = 20
  configured audit queue buffer size (bytes) = 8192
  configured audit queue delay (ticks) = 20
  active audit queue hiwater mark (records) = 200
  active audit queue lowater mark (records) = 20
  active audit queue buffer size (bytes) = 8192
  active audit queue delay (ticks) = 20

• Then, the administrator specifies plugin attributes.

  • For the audit_binfile plugin, the administrator removes the qsize value.

    # auditconfig -getplugin audit_binfile
    Plugin: audit_binfile
    Attributes: p_dir=/audit/sys1.1,/var/audit;
    p_minfree=2;p_fsize=4G;
    Queue size: 200
    # auditconfig -setplugin audit_binfile  "" 0
    # auditconfig -getplugin audit_binfile
    Plugin: audit_binfile
    Attributes: p_dir=/audit/sys1.1,/var/audit
    p_minfree=2;p_fsize=4G;

  • For the audit_syslog plugin, the administrator specifies that successful login and logout events and failed executables be sent to syslog. The qsize for this plugin is set to 150.

    # auditconfig -setplugin audit_syslog active p_flags=+lo,-ex 150
    # auditconfig -getplugin audit_syslog
    auditconfig -getplugin audit_syslog
    Plugin: audit_syslog
    Attributes: p_flags=+lo,-ex;
    Queue size: 150

  • The administrator does not configure or use the audit_remote plugin.

• Then, the administrator refreshes the audit service and verifies the configuration.

  • The temporary zonename policy is no longer set.

    # audit -s
    # auditconfig -getpolicy
    configured audit policies = ahlt,arge,argv,perzone
    active audit policies = ahlt,arge,argv,perzone

  • The queue controls remain the same.

    # auditconfig -getqctrl
    configured audit queue hiwater mark (records) = 200
    configured audit queue lowater mark (records) = 20
    configured audit queue buffer size (bytes) = 8192
    configured audit queue delay (ticks) = 20
    active audit queue hiwater mark (records) = 200
    active audit queue lowater mark (records) = 20
    active audit queue buffer size (bytes) = 8192
    active audit queue delay (ticks) = 20

  • The audit_binfile plugin does not have a specified queue size. The audit_syslog plugin has a specified queue size.

    # auditconfig -getplugin
    Plugin: audit_binfile
    Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
    
    Plugin: audit_syslog
    Attributes: p_flags=+lo,-ex;
    Queue size: 50
    ...