These user-specific audit characteristics that you set with this procedure are combined with the preselected classes for the system. Together they determine the user's audit mask, as described in Process Audit Characteristics.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
# who
adoe    pts/1    Oct 10 10:20    (:0.0)
adoe    pts/2    Oct 10 10:20    (:0.0)
jdoe    pts/5    Oct 12 12:20    (:0.0)
jdoe    pts/6    Oct 12 12:20    (:0.0)
...
# userattr audit_flags adoe
# userattr audit_flags jdoe
For example, you can create a rights profile that defines the rights of a subset of your users. Users who are assigned that rights profile are audited identically.
# usermod -K audit_flags=fw:no jdoe
The format of the audit_flags keyword is always-audit:never-audit.

always-audit
    Lists the audit classes that are audited for this user. Modifications to the system-wide classes are prefixed by a caret (^). Classes that are added to the system-wide classes are not prefixed by a caret.

never-audit
    Lists the audit classes that are never audited for the user, even if these audit events are audited system-wide. Modifications to the system-wide classes are prefixed by a caret (^).

To specify multiple audit classes, separate the classes with commas. For more information, see the audit_flags(5) man page.
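As an added illustration that is not part of the Oracle documentation, the following Python models how a user's audit_flags value is combined with the system-wide flags into the process preselection mask that auditconfig -getpinfo prints (compare Example 3-6, where ^-ss on a system default of ss,lo yields +ss,lo(0x11000,0x1000)). It assumes the audit_flags(5) prefix meanings (+ success only, - failure only, ^ turns the class off) and uses the ss and lo bit values visible in this page's output; the fw bit value and all function names are assumptions made for the example.

```python
import re

# Class bits for this example: ss and lo match this page's auditconfig output; fw is assumed.
CLASS_BITS = {"ss": 0x10000, "lo": 0x1000, "fw": 0x10}

TOKEN = re.compile(r"^(\^?)([+-]?)([a-z]+)$")  # [^][+|-]class, audit_flags(5) syntax as assumed

def apply_flags(success, failure, spec):
    """Apply a comma-separated flag list to a (success, failure) bit-mask pair.
    A bare class sets both bits, '+cls'/'-cls' one of them; a leading '^'
    clears those bits instead (so '^-ss' stops auditing failed ss events)."""
    if spec in ("", "no"):
        return success, failure
    for token in spec.split(","):
        m = TOKEN.match(token)
        if not m:
            raise ValueError("bad audit flag token: %r" % token)
        off, sign, cls = m.groups()
        bit = CLASS_BITS[cls]
        for_success, for_failure = sign != "-", sign != "+"
        if off:
            success &= ~bit if for_success else ~0
            failure &= ~bit if for_failure else ~0
        else:
            success |= bit if for_success else 0
            failure |= bit if for_failure else 0
    return success, failure

def preselection_mask(system_flags, user_audit_flags):
    """Combine system-wide flags with a user's always-audit:never-audit value:
    always-audit adds to or modifies the system mask, then never-audit removes
    its classes from both halves even if the system audits them."""
    success, failure = apply_flags(0, 0, system_flags)
    always, _, never = user_audit_flags.partition(":")
    success, failure = apply_flags(success, failure, always)
    if never not in ("", "no"):
        for cls in never.split(","):
            success &= ~CLASS_BITS[cls]
            failure &= ~CLASS_BITS[cls]
    return success, failure

def format_mask(success, failure):
    """Render like auditconfig -getpinfo: a bare class audits both outcomes,
    '+cls' success only, '-cls' failure only; classes in descending bit order."""
    names = []
    for cls, bit in sorted(CLASS_BITS.items(), key=lambda kv: -kv[1]):
        s, f = bool(success & bit), bool(failure & bit)
        if s or f:
            names.append(("" if s and f else "+" if s else "-") + cls)
    return "%s(0x%x,0x%x)" % (",".join(names), success, failure)
```

Running format_mask(*preselection_mask("ss,lo", "^-ss:no")) reproduces the +ss,lo(0x11000,0x1000) mask from Example 3-6, and a never-audit entry such as "no:ss" removes ss even though the system default audits it.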
# profiles -p "System Administrator"
profiles:System Administrator> set name="Audited System Administrator"
profiles:Audited System Administrator> set always_audit=fw,as
profiles:Audited System Administrator> end
profiles:Audited System Administrator> exit
When you assign the Audited System Administrator rights profile to a user or a role, that user or role is audited for those flags, subject to search order as described in Order of Search for Assigned Rights in Securing Users and Processes in Oracle Solaris 11.2.
In this example, the audit preselection mask for all users is the following:
# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)
No user except the administrator is logged in.
To lessen the impact of the AUE_PFEXEC audit event on system resources, the administrator does not audit this event at the system level. Rather, the administrator preselects the pf class for a user, jdoe. The pf class is created in Example 3–15.
# usermod -K audit_flags=pf:no jdoe
The userattr command shows the addition.
# userattr audit_flags jdoe
pf:no
When the user jdoe logs in, jdoe's audit preselection mask is a combination of the audit_flags values with the system default values. 289 is the PID of jdoe's login shell.
# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = ss,pf,lo(0x0100000008011000,0x0100000008011000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 103203403

Example 3-6 Modifying Audit Preselection Exception for One User
In this example, the audit preselection mask for all users is the following:
# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)
No users except the administrator are logged in.
The administrator decides not to collect failed ss events for the jdoe user.
# usermod -K audit_flags=^-ss:no jdoe
The userattr command shows the exception.
# userattr audit_flags jdoe
^-ss:no
When the user jdoe logs in, jdoe's audit preselection mask is a combination of the audit_flags values with the system default values. 289 is the PID of jdoe's login shell.
# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = +ss,lo(0x11000,0x1000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 103203403

Example 3-7 Auditing Selected Users, No System-Wide Auditing
In this example, the login and role activities of four selected users are audited on the system. No audit classes are preselected for the system.
First, the administrator removes all system-wide flags.
# auditconfig -setflags no
user default audit flags = no(0x0,0x0)
Then, the administrator preselects two audit classes for the four users. The pf class is created in Example 3–15.
# usermod -K audit_flags=lo,pf:no jdoe
# usermod -K audit_flags=lo,pf:no kdoe
# usermod -K audit_flags=lo,pf:no pdoe
# usermod -K audit_flags=lo,pf:no zdoe
Then, the administrator preselects the pf class for the root role.
# userattr audit_flags root
# rolemod -K audit_flags=lo,pf:no root
# userattr audit_flags root
lo,pf:no
To continue to record unwarranted intrusion, the administrator does not change the auditing of non-attributable logins.
# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

Example 3-8 Removing a User's Audit Flags
In the following example, the administrator removes all user-specific audit flags. Existing processes of users who are currently logged in continue to be audited.
The administrator runs the usermod command with the audit_flags keyword set to no value.
# usermod -K audit_flags= jdoe
# usermod -K audit_flags= kdoe
# usermod -K audit_flags= ldoe
Then, the administrator verifies the removal.
# userattr audit_flags jdoe
# userattr audit_flags kdoe
# userattr audit_flags ldoe

Example 3-9 Creating a Rights Profile for a Group of Users
The administrator wants all administrative rights profiles at the site to explicitly audit the pf class. For every rights profile that is going to be assigned, the administrator creates a site-specific version in LDAP that includes audit flags.
First, the administrator clones an existing rights profile, then changes the name and adds audit flags.
# profiles -p "Network Wifi Management" -S ldap
profiles: Network Wifi Management> set name="Wifi Management"
profiles: Wifi Management> set desc="Audited wifi management"
profiles: Wifi Management> set always_audit=pf
profiles: Wifi Management> exit
After repeating this procedure for every rights profile that is going to be used, the administrator lists the information in the Wifi Management profile.
# profiles -p "Wifi Management" -S ldap info
name=Wifi Management
desc=Audited wifi management
auths=solaris.network.wifi.config
help=RtNetWifiMngmnt.html
always_audit=pf