Managing Auditing in Oracle® Solaris 11.4

Updated: November 2020

How to Configure All Zones Identically for Auditing

This procedure configures auditing identically in every zone. This method requires the least system overhead and the least administrative effort.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Configure the global zone for auditing.

      Complete the tasks in Configuring the Audit Service, with the following exceptions:

    • Do not enable the perzone audit policy.

    • Set the zonename policy. This policy adds the name of the zone to every audit record.

      # auditconfig -setpolicy +zonename
  2. If you modified audit configuration files, copy them from the global zone to every non-global zone.

    If you modified the audit_class or audit_event file, copy it in one of two ways:

    Note -  The non-global zone must be running.
    • Mount the changed audit_class and audit_event files as a loopback file system (lofs).
      1. From the global zone, halt the non-global zone.
        # zoneadm -z non-global-zone halt
      2. Create a read-only loopback mount for every audit configuration file that you modified in the global zone.
        # zonecfg -z non-global-zone
        zone: add fs
        zone/fs: set special=/etc/security/audit-file
        zone/fs: set dir=/etc/security/audit-file
        zone/fs: set type=lofs
        zone/fs: add options [ro,nodevices,nosetuid]
        zone/fs: commit
        zone/fs: end
        zone: exit
        #
      3. To make the changes effective, boot the non-global zone.
        # zoneadm -z non-global-zone boot

        Later, if you modify an audit configuration file in the global zone, reboot each non-global zone so that the loopback-mounted files are re-read.

    • Copy the files.
      1. From the global zone, list the /etc/security directory in each non-global zone.
        # ls /zone/zonename/root/etc/security/
      2. Copy the changed audit_class and audit_event files to each zone's /etc/security directory.
        # cp /etc/security/audit-file /zone/zonename/root/etc/security/audit-file

        Later, if you change one of these files in the global zone, you must copy the changed file to every non-global zone again; the zones otherwise keep the old copy.
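The copy method above has no refresh mechanism: a later edit in the global zone leaves the non-global zones with stale copies until the copy is repeated. The following check, an added example that is not part of the Oracle documentation, compares each zone's audit_class and audit_event with the global zone's and reports missing or stale copies; it assumes this page's layout (global-zone files under GLOBAL_ROOT/etc/security, each zone root at /zone/zonename/root) and the demo builds a constructed sandbox rather than touching real zones.

```shell
#!/bin/sh
# Drift check for the "Copy the files" method: after audit_class and audit_event
# are copied into each non-global zone, a later edit in the global zone leaves
# the zones with stale copies until the copy is repeated. This reports them.
# Assumed layout (this page's convention): global-zone files under
# GLOBAL_ROOT/etc/security, each zone root at /zone/zonename/root.

# audit_cfg_drift GLOBAL_ROOT ZONE_ROOT...
# Prints "zone_root file status" for each missing or stale file.
# Returns 0 when every zone matches the global zone, 1 otherwise.
audit_cfg_drift() {
    global_root=$1; shift
    rc=0
    for zone_root in "$@"; do
        for f in audit_class audit_event; do
            src="$global_root/etc/security/$f"
            dst="$zone_root/etc/security/$f"
            if [ ! -f "$dst" ]; then
                printf '%s %s missing\n' "$zone_root" "$f"; rc=1
            elif ! cmp -s "$src" "$dst"; then  # byte-for-byte compare (POSIX)
                printf '%s %s stale\n' "$zone_root" "$f"; rc=1
            fi
        done
    done
    return "$rc"
}

# demo_drift: builds a constructed sandbox under mktemp (no real zones are
# touched) with one zone copied after the global edit and one copied before
# it, runs the check, and returns its status.
demo_drift() {
    sandbox=$(mktemp -d) || return 2
    for root in global zone/webserver/root zone/appserver/root; do
        mkdir -p "$sandbox/$root/etc/security"
    done
    # Constructed sample lines, not real Solaris audit_class/audit_event content.
    printf '0x00000001:fr:file read\n' > "$sandbox/global/etc/security/audit_class"
    printf '6:AUE_READ:read(2):fr\n' > "$sandbox/global/etc/security/audit_event"
    cp "$sandbox/global/etc/security/"audit_* "$sandbox/zone/appserver/root/etc/security/"
    # The global zone's audit_event is edited later; only webserver is recopied.
    printf '7:AUE_WRITE:write(2):fw\n' >> "$sandbox/global/etc/security/audit_event"
    cp "$sandbox/global/etc/security/"audit_* "$sandbox/zone/webserver/root/etc/security/"
    audit_cfg_drift "$sandbox/global" "$sandbox/zone/webserver/root" \
                    "$sandbox/zone/appserver/root"
    status=$?
    rm -rf "$sandbox"
    return "$status"
}
```

On a real system, run audit_cfg_drift / /zone/zonename/root for each zone from the global zone (for example from cron) and treat a non-zero exit as a signal that the copy step must be repeated.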

Example 16  Mounting Audit Configuration Files as Loopback Mounts in a Zone

In this example, the system administrator has modified the audit_class, audit_event, and audit_warn files.

The audit_warn file is read in the global zone only, so it does not have to be mounted into the non-global zones.

On this system, machine1, the administrator has created two non-global zones, machine1-webserver and machine1-appserver. The administrator has finished modifying the audit configuration files. If the administrator later modifies the files, each zone must be rebooted to re-read the loopback mounts.

# zoneadm -z machine1-webserver halt
# zoneadm -z machine1-appserver halt
# zonecfg -z machine1-webserver
webserver: add fs
webserver/fs: set special=/etc/security/audit_class
webserver/fs: set dir=/etc/security/audit_class
webserver/fs: set type=lofs
webserver/fs: add options [ro,nodevices,nosetuid]
webserver/fs: commit
webserver/fs: end
webserver: add fs
webserver/fs: set special=/etc/security/audit_event
webserver/fs: set dir=/etc/security/audit_event
webserver/fs: set type=lofs
webserver/fs: add options [ro,nodevices,nosetuid]
webserver/fs: commit
webserver/fs: end
webserver: exit
#

# zonecfg -z machine1-appserver
appserver: add fs
appserver/fs: set special=/etc/security/audit_class
appserver/fs: set dir=/etc/security/audit_class
appserver/fs: set type=lofs
appserver/fs: add options [ro,nodevices,nosetuid]
appserver/fs: commit
appserver/fs: end
appserver: add fs
appserver/fs: set special=/etc/security/audit_event
appserver/fs: set dir=/etc/security/audit_event
appserver/fs: set type=lofs
appserver/fs: add options [ro,nodevices,nosetuid]
appserver/fs: commit
appserver/fs: end
appserver: exit
#

When the non-global zones are rebooted, the audit_class and audit_event files are mounted read-only in both zones, so the zones always read the global zone's current copies.