This chapter presents procedures to help you set up and manage a Solaris system that is audited. This chapter also includes instructions for administering the audit trail. The following is a list of the information in this chapter.
For an overview of the audit service, see Chapter 28, Solaris Auditing (Overview). For planning suggestions, see Chapter 29, Planning for Solaris Auditing. For reference information, see Chapter 31, Solaris Auditing (Reference).
The following task map points to the major tasks that are required to manage auditing. The tasks are ordered.
| Task | Description | For Instructions |
|---|---|---|
| 1. Plan for auditing | Contains configuration issues to decide before you configure the audit service. | |
| 2. Configure audit files | Defines which events, classes, and users require auditing. | |
| 3. Configure and enable auditing | Configures each host for disk space and other audit service requirements. Then, starts the audit service. On a host that has installed non-global zones, configure one audit service for the system, or one audit service per zone. | |
| 4. Manage audit records | Collects and analyzes the audit data. | |
The following task map points to the procedures for configuring files to customize auditing at your site. Most of the tasks are optional.
Before you enable auditing on your network, you can customize the audit configuration files for your site auditing requirements. You can also restart the audit service or reboot the local system to read changed configuration files after the audit service has been enabled. However, the recommended practice is to customize your audit configuration as much as possible before you start the audit service.
If you have implemented zones, you can choose to audit all zones from the global zone. To differentiate between zones in the audit output, you can set the zonename policy option. Alternatively, to audit non-global zones individually, you can set the perzone policy in the global zone and customize the audit configuration files in the non-global zones. For an overview, see Auditing and Solaris Zones. For planning, see How to Plan Auditing in Zones. For procedures, see Configuring the Audit Service in Zones (Tasks).
The /etc/security/audit_control file configures system-wide auditing. The file determines which events are audited, when audit warnings are issued, and the location of the audit files.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_control file.
```
# cp /etc/security/audit_control /etc/security/audit_control.orig
```
Modify the audit_control file for your site.
Each entry has the following format:
```
keyword:value
```
keyword – Defines the type of line. The types are flags, naflags, and plugin. For explanations of the keywords, see the following examples.
value – Specifies data that is associated with the line type.
To specify the locations of audit directories, use the p_dir attribute to the audit_binfile.so plugin. To specify the minimum free space, use the p_minfree attribute.
(Optional) Verify the syntax of the file.
```
# audit -v /etc/security/audit_control
syntax ok
```
The flags line in the audit_control file defines which classes of attributable events are audited for all users on the system. The classes are separated by commas. White space is allowed. In this example, the events in the lo and ap classes are audited for all users.
```
## audit_control file
flags:lo,ap
naflags:lo
plugin:name=...
```
To see which events are assigned to a class, read the audit_event file. You can also use the auditrecord command, as shown in Example 30–24.
In this example, all events in the na class, and all login events that are not attributable, are audited.
```
## audit_control file
flags:lo
naflags:lo,na
plugin:name=...
```
The p_dir flag to the audit_binfile.so plugin lists which audit file systems to use for binary audit data. In this example, three locations for binary audit data are defined. The directories are listed in order from the primary directory to the directory of last resort. The plugin line does not contain a line break.
```
## audit_control file
##
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/egret.1/files,/var/audit/egret.2/files,/var/audit
```
To set up file systems to hold binary audit data, see How to Create Partitions for Audit Files.
In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when only 10 percent of the file system is available.
The plugin line does not contain a line break.
```
## audit_control file
#
flags:lo
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/examplehost.1/files,/var/audit/examplehost.2/files,/var/audit/localhost/files; p_minfree=10
```
The audit_warn alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.
You can instruct the audit service to copy some or all of the collected audit records in the audit queue to syslog. In the following procedure, you save binary audit data and text audit data. The collected text audit data is a subset of the binary data.
You must preselect audit classes. Preselected audit classes are specified in the flags line and the naflags line of the audit_control file. You can also preselect classes for individual users in the audit_user file and dynamically add audit classes with the auditconfig command.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_control file.
```
# cp /etc/security/audit_control /etc/security/audit_control.save
```
Add an audit_syslog.so plugin entry.
```
## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so;p_dir=/var/audit; p_minfree=20;
plugin:name=audit_syslog.so;p_flags=+lo,-ss
```
A plugin entry has the following format:
```
plugin:name=name; qsize=max-queued-records;p_*=value
```
name=name – Lists the name of the plugin. The valid values are audit_binfile.so and audit_syslog.so.
qsize=max-queued-records – Specifies the maximum number of records to queue for audit data that is being sent to the plugin. This attribute is optional.
p_*=value – Specifies plugin-specific attributes. The audit_syslog.so plugin accepts p_flags. The audit_binfile.so plugin accepts p_dir, p_minfree, and p_fsize. The audit_remote.so plugin accepts p_hosts, p_retries, and p_timeout.
For more information about the plugin-specific attributes, see the OBJECT ATTRIBUTES section of the audit_binfile(5) and audit_syslog(5) man pages. For the audit_remote.so plugin, see the audit_remote(5) man page.
Add an audit.notice entry to the syslog.conf file.
The entry includes the location of the log file. In syslog.conf, the selector (audit.notice) and the action are separated by one or more tab characters.
```
# cat /etc/syslog.conf
…
audit.notice	/var/adm/auditlog
```
Do not store text logs where the binary audit files are stored. The auditreduce command, which reads binary audit files, assumes that all files in an audit partition are binary audit files.
Create the log file.
```
# touch /var/adm/auditlog
```
Refresh the configuration information for the syslog service.
```
# svcadm refresh system/system-log
```
Regularly archive the syslog log files.
The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.
In the following example, the syslog utility collects a subset of the preselected audit classes.
```
## audit_user file
jdoe:pf
```
```
## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/host.1/files,/var/audit/host.2/files,/var/audit/localhost/files; p_minfree=10
plugin:name=audit_syslog.so; p_flags=-lo,-na,-ss,+pf
```
The flags and naflags entries instruct the system to collect all login/logout, nonattributable, and change of system state audit records in binary format. The audit_syslog.so plugin entry instructs the syslog utility to collect only failed logins, failed nonattributable events, and failed changes of system state. For the jdoe user, the binary audit record includes all uses of a profile-aware shell. The syslog utility collects successful profile-aware commands. The pf class is created in Example 30–10.
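The p_flags value decides which of the records that are already being collected the audit_syslog.so plugin forwards: a + prefix selects successful events of the class, a - prefix selects failed events, and a bare class name selects both. The shell script below is an added example, not part of this guide or of the Solaris audit software. It evaluates a p_flags value against one record's class and outcome, and lists any class in p_flags that is not preselected through flags, naflags, or audit_user, since syslog only receives records that the binary trail collects. The function names and the sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the Solaris guide or audit software.
# Evaluates audit_syslog.so p_flags the way the audit flag syntax reads:
#   +class  -> successful events of that class only
#   -class  -> failed events of that class only
#   class   -> both outcomes
# Function names and sample values below are constructed for illustration.

# Return 0 if a record of class $1 with outcome $2 (success|failure)
# is selected by the p_flags value $3, else return 1.
syslog_selects() {
    sel_class=$1; sel_outcome=$2; sel_pflags=$3
    for tok in $(printf '%s\n' "$sel_pflags" | tr ',' ' '); do
        case $tok in
            "+$sel_class") if [ "$sel_outcome" = success ]; then return 0; fi ;;
            "-$sel_class") if [ "$sel_outcome" = failure ]; then return 0; fi ;;
            "$sel_class")  return 0 ;;
        esac
    done
    return 1
}

# Print each class named in p_flags $2 that does not appear in the
# comma-separated preselected list $1 (flags, naflags and audit_user
# always-audit classes combined). syslog only receives records that the
# binary trail already collects, so such a class yields no text records.
unpreselected_classes() {
    pre_list=$(printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[+^-]//; /^$/d' | sort -u)
    for tok in $(printf '%s\n' "$2" | tr ',' ' '); do
        cls=${tok#[+-]}
        if ! printf '%s\n' "$pre_list" | grep -qx "$cls"; then
            printf '%s\n' "$cls"
        fi
    done
}

# Demonstration with the p_flags value from the audit_control example above.
PFLAGS='-lo,-na,-ss,+pf'
for probe in 'lo failure' 'lo success' 'pf success' 'pf failure' 'ss failure'; do
    set -- $probe
    if syslog_selects "$1" "$2" "$PFLAGS"; then
        echo "$1 $2: forwarded to syslog"
    else
        echo "$1 $2: binary trail only"
    fi
done
# Without jdoe's audit_user entry, pf is not preselected anywhere:
echo "not preselected: $(unpreselected_classes 'lo,ss,lo,na' "$PFLAGS")"
```

With the page's p_flags=-lo,-na,-ss,+pf, a failed login is forwarded and a successful login is not, while only successful pf events reach syslog; the subset check shows that pf is covered only because audit_user preselects it for jdoe.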
You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is example1. The remote system is remote1.
```
example1 # cat /etc/syslog.conf
…
audit.notice	@remote1
```
The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.
```
remote1 # cat /etc/syslog.conf
…
audit.notice	/var/adm/auditlog
```
The preferred method for specifying non-flags information in the audit_control file is to use the plugin entry. In this example, the audit flags are selected, then the plugin information is listed.
```
## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so;p_minfree=10; p_dir=/var/audit
plugin:name=audit_syslog.so; p_flags=+lo
```
Definitions for each user are stored in the audit_user database. These definitions modify, for the specified user, the preselected classes in the audit_control file. The nsswitch.conf file determines if a local file or if a naming service database is used. To calculate the user's final audit preselection mask, see Process Audit Characteristics.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_user database.
```
# cp /etc/security/audit_user /etc/security/audit_user.orig
```
Add new entries to the audit_user database.
In the local database, each entry has the following format:
```
username:always-audit:never-audit
```
username – Selects the name of the user to be audited.
always-audit – Selects the list of audit classes that should always be audited for the specified user.
never-audit – Selects the list of audit classes that should never be audited for the specified user.
You can specify multiple classes by separating the audit classes with commas.
The audit_user entries are in effect at the user's next login.
In this example, the audit_control file contains the preselected audit classes for the system:
```
## audit_control file
…
flags:lo,ss
naflags:lo,na
```
The audit_user file shows an exception. When the user jdoe uses a profile shell, that use is audited:
```
## audit_user file
jdoe:pf
```
The audit preselection mask for jdoe is a combination of the audit_user settings with the audit_control settings. The auditconfig -getaudit command shows the preselection mask for jdoe:
```
# auditconfig -getaudit
audit id = jdoe(1234567)
process preselection mask = ss,pf,lo(0x13000,0x13000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 2138517656
```
In this example, the login and role activities of four users only are audited on this system. The audit_control file does not preselect audit classes for the system.
```
## audit_control file
…
flags:
naflags:
```
The audit_user file preselects two audit classes for four users, as follows:
```
## audit_user file
jdoe:lo,pf
kdoe:lo,pf
pdoe:lo,pf
sdoe:lo,pf
```
The following audit_control file also records login attempts that cannot be attributed to a user (naflags:lo), so it records unwarranted intrusion attempts. In combination with the audit_user file, this file protects the system more than the first audit_control file in this example.
```
## audit_control file
…
flags:
naflags:lo
plugin:name=...
```
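The audit_user entries in these examples modify the system-wide flags for one user: the user's preselection mask is the audit_control flags plus the always-audit classes, minus the never-audit classes, which is the calculation that Process Audit Characteristics describes. The shell functions below are an added example, not part of this guide or of the Solaris audit software. They compute that mask from constructed copies of audit_control and audit_user so that the result can be compared with the class list that auditconfig -getaudit reports for a live process. The function names are assumptions of this example, and the mask is printed as a sorted class list rather than in the hexadecimal form the kernel shows.

```sh
#!/bin/sh
# Added example, not part of the Solaris guide or audit software.
# Computes a user's audit preselection mask, as a sorted list of class
# names, from audit_control flags and the user's audit_user entry:
#   mask = (flags + always-audit) - never-audit
# The two configuration files are constructed samples embedded here;
# on a live system they are /etc/security/audit_control and audit_user.

AUDIT_CONTROL_SAMPLE='## audit_control file (constructed sample)
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so;p_dir=/var/audit;p_minfree=10'

# Variant with no system-wide preselection, as in the four-user example.
AUDIT_CONTROL_EMPTY='## audit_control file (constructed sample)
flags:
naflags:'

AUDIT_USER_SAMPLE='## audit_user file (constructed sample)
jdoe:pf
kdoe:lo,pf:
sdoe::ss'

# Print the comma-separated class list of keyword $2 (flags or naflags)
# from audit_control contents $1; white space inside the list is ignored.
control_flags() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | tr -d '[:space:]'
}

# Print field $3 (2 = always-audit, 3 = never-audit) of user $2's entry
# in audit_user contents $1. Prints nothing if the user has no entry.
user_field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v f="$3" '$1 == u { print $f; exit }'
}

# Print the preselection mask of user $3 as sorted, space-separated class
# names: system flags plus always-audit classes, minus never-audit classes.
preselection_mask() {
    sys_flags=$(control_flags "$1" flags)
    always=$(user_field "$2" "$3" 2)
    never=$(user_field "$2" "$3" 3)
    printf '%s,%s\n' "$sys_flags" "$always" | tr ',' '\n' | sed 's/^[+^-]//; /^$/d' | sort -u |
    while read -r cls; do
        case ",$never," in
            *",$cls,"*) ;;                 # listed in never-audit: drop it
            *) printf '%s\n' "$cls" ;;
        esac
    done | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration: jdoe gains pf on top of the system flags, kdoe is audited
# only through audit_user, sdoe has ss removed from the system flags.
for user in jdoe kdoe sdoe; do
    echo "$user: $(preselection_mask "$AUDIT_CONTROL_SAMPLE" "$AUDIT_USER_SAMPLE" "$user")"
done
echo "kdoe with empty flags: $(preselection_mask "$AUDIT_CONTROL_EMPTY" "$AUDIT_USER_SAMPLE" kdoe)"
```

For jdoe the result is the same three classes, lo, pf, and ss, that the auditconfig -getaudit output above reports; with an empty flags line, kdoe is audited only for the lo and pf classes that audit_user names.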
When you create your own audit class, you can place into it just those audit events that you want to audit for your site. When you add the class on one system, you should copy the change to all systems that are being audited.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_class file.
```
# cp /etc/security/audit_class /etc/security/audit_class.orig
```
Add new entries to the audit_class file.
Each entry has the following format:
```
0xnumber:name:description
```
0x – Identifies number as hexadecimal.
number – Defines the unique audit class mask.
name – Defines the letter name of the audit class.
description – Defines the descriptive name of the audit class.
The entry must be unique in the file. Do not use existing audit class masks.
This example creates a class to hold a small set of audit events. The added entry to the audit_class file is as follows:
```
0x10000000:pf:profile command
```
The entry creates a new audit class that is called pf. Example 30–11 populates the new audit class.
If you have customized the audit_class file, make sure that any modifications to audit_user are consistent with the new audit classes. Errors occur when the audit classes in audit_user are not a subset of the audit_class database.
You might want to change an audit event's class membership to reduce the size of an existing audit class, or to place the event in a class of its own. When you reconfigure audit event-class mappings on one system, you should copy the change to all systems that are being audited.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_event file.
```
# cp /etc/security/audit_event /etc/security/audit_event.orig
```
Change the class to which particular events belong by changing the class-list of the events.
Each entry has the following format:
```
number:name:description:class-list
```
number – Is the audit event ID.
name – Is the name of the audit event.
description – Typically, the system call or executable that triggers the creation of an audit record.
class-list – Is a comma-separated list of audit classes.
This example maps an existing audit event to the new class that was created in Example 30–10. In the audit_control file, the binary audit record captures successes and failures of events in the pf class. The syslog audit log contains only failures of events in the pf class.
```
# grep pf /etc/security/audit_class
0x10000000:pf:profile command
# vi /etc/security/audit_event
6180:AUE_prof_cmd:profile command:ua,as,pf
# vi audit_control
...
flags:lo,pf
plugin:name=audit_binfile.so; p_dir=/var/audit; p_minfree=10
plugin:name=audit_syslog.so; p_flags=-lo,-pf
```
This example creates a class to hold events that monitor calls to the setuid and setgid system calls. The binary audit record captures successes and failures of events in the lo and na classes, and the successes of events in the st class. The syslog audit log contains only failures of events in the lo class and successes of events in the st class.
```
# vi /etc/security/audit_class
0x00000800:st:setuid class
# vi /etc/security/audit_event
26:AUE_SETGROUPS:setgroups(2):st
27:AUE_SETPGRP:setpgrp(2):st
40:AUE_SETREUID:setreuid(2):st
41:AUE_SETREGID:setregid(2):st
214:AUE_SETEGID:setegid(2):st
215:AUE_SETEUID:seteuid(2):st
# vi audit_control
## audit_control file
flags:lo,+st
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit; p_minfree=10
plugin:name=audit_syslog.so; p_flags=-lo,+st
```
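The two examples above edit audit_class, audit_event, and audit_control by hand, and the note after Example 30–10 warns that the classes in audit_user must be a subset of audit_class and that a class mask must not be reused. The shell script below is an added example, not part of this guide or of the Solaris audit software. It checks that every class named in audit_user and in audit_event class-lists is defined in audit_class, reports any mask that appears twice, and appends a class to one event's class-list while leaving every other line untouched, which is the edit that Example 30–11 performs with vi. The file contents are constructed samples (the mask values are illustrative only), and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the Solaris guide or audit software.
# Consistency checks for hand-edited audit configuration files, plus a
# helper that maps an audit event to an additional class. The file
# contents below are constructed samples (mask values are illustrative);
# on a live system they are read from /etc/security/audit_class,
# audit_event and audit_user.

AUDIT_CLASS_SAMPLE='# audit_class (constructed sample)
0x00000000:no:invalid class
0x00001000:lo:login or logout
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00000800:st:setuid class
0x10000000:pf:profile command
0xffffffff:all:all classes'

# Same file with a mask reused for a new class, which audit_class forbids.
AUDIT_CLASS_DUP="$AUDIT_CLASS_SAMPLE
0x10000000:xx:reuses the pf mask"

AUDIT_EVENT_SAMPLE='# audit_event (constructed sample)
40:AUE_SETREUID:setreuid(2):st
41:AUE_SETREGID:setregid(2):st
6180:AUE_prof_cmd:profile command:ua,as,pf'

AUDIT_USER_GOOD='# audit_user (constructed sample)
jdoe:lo,pf:
sdoe::ss'

# kdoe names a class that audit_class does not define.
AUDIT_USER_BAD="$AUDIT_USER_GOOD
kdoe:lo,xx:"

# Print the class names defined in audit_class contents $1, one per line.
defined_classes() {
    printf '%s\n' "$1" | awk -F: '!/^#/ && NF >= 3 { print $2 }'
}

# Print every class referenced in audit_user ($1) always/never fields or in
# audit_event ($2) class-lists that audit_class ($3) does not define.
# Prefixes (+, -, ^) are stripped because they are not part of the name.
undefined_classes() {
    defined=$(defined_classes "$3")
    {
        printf '%s\n' "$1" | awk -F: '!/^#/ && NF >= 2 { print $2; print $3 }'
        printf '%s\n' "$2" | awk -F: '!/^#/ && NF >= 4 { print $4 }'
    } | tr ',' '\n' | sed 's/^[+^-]//; /^$/d' | sort -u |
    while read -r cls; do
        if ! printf '%s\n' "$defined" | grep -qx "$cls"; then
            printf '%s\n' "$cls"
        fi
    done
}

# Return 0 when every referenced class is defined, 1 otherwise.
classes_consistent() {
    [ -z "$(undefined_classes "$1" "$2" "$3")" ]
}

# Print any class mask that appears more than once in audit_class ($1).
duplicate_masks() {
    printf '%s\n' "$1" | awk -F: '!/^#/ && NF >= 3 { print tolower($1) }' | sort | uniq -d
}

# Print audit_event contents $1 with class $3 appended to the class-list of
# the event named $2. Other lines pass through unchanged; a class that is
# already listed is not added twice.
add_class_to_event() {
    printf '%s\n' "$1" | awk -F: -v ev="$2" -v cls="$3" '
        BEGIN { OFS = ":" }
        !/^#/ && $2 == ev {
            n = split($4, have, ",")
            present = 0
            for (i = 1; i <= n; i++) if (have[i] == cls) present = 1
            if (!present) {
                if ($4 == "") $4 = cls; else $4 = $4 "," cls
            }
        }
        { print }'
}

# Demonstration: validate the samples, then put setreuid(2) into ua as well.
echo "undefined in bad audit_user: $(undefined_classes "$AUDIT_USER_BAD" "$AUDIT_EVENT_SAMPLE" "$AUDIT_CLASS_SAMPLE")"
echo "duplicate masks: $(duplicate_masks "$AUDIT_CLASS_DUP")"
add_class_to_event "$AUDIT_EVENT_SAMPLE" AUE_SETREUID ua
```

Running the checks before the audit service is restarted catches the error case that the note describes (a class in audit_user that audit_class does not define) while the files are still easy to correct, and the remapping helper produces the same edit as the vi sessions shown above without risking a stray change to an unrelated event line.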
The following task map points to procedures for configuring and enabling the audit service. The tasks are ordered.
| Task | Description | For Instructions |
|---|---|---|
| 1. (Optional) Change the audit configuration files | Selects which events, classes, and users require auditing. | |
| 2. Create audit partitions | Creates disk space for the audit files, and protects them with file permissions. | |
| 3. Create the audit_warn alias | Defines who should get email warnings when the audit service needs attention. | |
| 4. (Optional) Change audit policy | Defines additional audit data that your site requires. | |
| 5. (Optional) Change audit queue parameters | Modifies the default queue parameters. | |
| 6. Configure auditing in non-global zones | Enables non-global zones to collect audit records. | |
| 7. Enable auditing | Turns on the audit service. When perzone auditing is turned on, enables auditing in a non-global zone. | |
| 8. (Optional) Disable auditing | Turns off the audit service. When perzone auditing is turned on, disables auditing in a non-global zone. | |
| 9. (Optional) Reread auditing configuration changes | Reads audit configuration changes into the kernel while the auditd daemon is running. | |
After the configuration files have been set up for your site, you need to set up disk space for your audit files. You also need to set up other attributes of the audit service, and then enable the service. This section also contains procedures to refresh the audit service when you change configuration settings.
When a non-global zone is installed, you can choose to audit the zone exactly as the global zone is being audited. Alternatively, to audit the non-global zone individually, you can modify the audit configuration files in the non-global zone. To customize audit configuration files, see Configuring Audit Files (Task Map).
The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on whether you already have an empty partition, or whether you have already mounted an empty file system.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Determine the amount of disk space that is required.
Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort.
Create a storage pool and a mirror.
For more information, see What Is ZFS? in Solaris ZFS Administration Guide.
```
# zpool create audit-pool mirror slice1 slice2
```
For example, create the auditf pool from two slices, and mirror them:
```
# zpool create auditf mirror c0t4d0 c0t5d0
```
If the local host is to be audited, also create an audit directory of last resort for the local host.
Create a mount point for the audit files.
```
# zfs create -o mountpoint=/mountpoint audit-pool/mountpoint
```
For example, create the /audit mount point:
```
# zfs create -o mountpoint=/audit auditf/audit
```
Create audit directories for every set of audit files that is going to be mounted.
```
# zfs create auditf/audit/machine1
# zfs create auditf/audit/machine1/files
# zfs create auditf/audit/machine2
# zfs create auditf/audit/machine2/files
```
For example, create directories for the noddy and blinken systems:
```
# zfs create auditf/audit/noddy
# zfs create auditf/audit/noddy/files
# zfs create auditf/audit/blinken
# zfs create auditf/audit/blinken/files
```
Protect the mount points.
The following ZFS properties are set to off:
```
# zfs set devices=off auditf/audit
# zfs set exec=off auditf/audit
# zfs set setuid=off auditf/audit
```
On a file server, define the file systems to be made available to other hosts.
```
# zfs set sharenfs=on audit-pool/mountpoint
```
For example, share the audit pool directory:
```
# zfs set sharenfs=on auditf/audit
```
As a result of sharing the auditf/audit directory, the following directories are shared:
```
/audit/noddy
/audit/noddy/files
/audit/blinken
/audit/blinken/files
```
(Optional) Remove the minimum free space threshold on the audit pool.
If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the audit pool. Note that tunefs(1M) tunes the minimum free space of a UFS file system; a ZFS dataset has no such reservation, so this step applies only to audit partitions that are UFS file systems.
```
# tunefs -m 0 /auditf/audit
```
For example, tune the audit pool directory:
```
# tunefs -m 0 auditf/audit
```
On a file server, restart the NFS service.
If this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.
If the NFS service is offline, enable the service.
```
% svcs \*nfs\*
disabled       Nov_02   svc:/network/nfs/rquota:default
offline        Nov_02   svc:/network/nfs/server:default
# svcadm enable network/nfs/server
```
If the NFS service is running, restart the service.
```
% svcs \*nfs\*
online         Nov_02   svc:/network/nfs/client:default
online         Nov_02   svc:/network/nfs/server:default
# svcadm restart network/nfs/server
```
For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 16, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf(5) man page.
The audit_warn script generates mail to an email alias that is called audit_warn. To send this mail to a valid email address, you can follow one of the options that are described in Step 2:
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Configure the audit_warn email alias.
Choose one of the following options:
OPTION 1 – Replace the audit_warn email alias with another email account in the audit_warn script.
Change the email alias in the following line of the script:
```
ADDRESS=audit_warn               # standard alias for audit alerts
```
OPTION 2 – Redirect the audit_warn email to another mail account.
In this case, you would add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn email alias:
```
audit_warn: root
```
Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the policies that you set by using the auditconfig -setpolicy command determine the audit policy.
You can inspect and change the current audit policy options with the auditconfig command. This command can set a temporary, or active policy. An active policy is a policy that is currently used by the kernel. This command also sets persistent policy, or configured policy. Configured policy is the policy that is restored when you restart the audit service.
Assume a role that includes the Audit Control profile, or become superuser.
To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).
To view the settings, use the auditconfig -getpolicy command:
```
$ auditconfig -getpolicy
```
View the available policy options.
```
$ auditconfig -lspolicy
```
The perzone and ahlt policy options can be set only in the global zone.
Enable or disable selected audit policy options.
```
# auditconfig [ -t ] -setpolicy prefixpolicy
```
-t – Optional. Creates a temporary, or active, policy. The policy setting is not restored when you restart the audit service.
prefix – A prefix value of + enables the policy option. A prefix value of - disables the policy option.
policy – Selects the policy to be enabled or to be disabled.
A temporary (-t) policy is in effect until the audit service is restarted, or until the policy is modified by the auditconfig -setpolicy command. Without the -t option, the policy setting persists across restarts of the audit service.
For a description of each policy option, see Determining Audit Policy.
In this example, the cnt policy is disabled, and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full and an asynchronous event occurs. When a synchronous event occurs, the process that created the thread hangs. These settings are appropriate when security is more important than availability.
The following auditconfig policy commands disable the cnt policy option and enable the ahlt policy option:
```
# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt
```
These settings persist until you change them.
In this example, the audit service is running and the ahlt audit policy is configured. The administrator adds the seq audit policy to the active policy, but does not configure the audit service to use the seq audit policy permanently. The seq policy is useful for debugging the audit service when audit records are corrupted, or when records are being dropped.
The + prefix adds the seq option to the audit policy, rather than replaces the current audit policy with seq. The -t option makes the policy active in the kernel.
```
$ auditconfig -setpolicy none
$ auditconfig -getpolicy
configured audit policies = none
active audit policies = none
$ auditconfig -setpolicy ahlt
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt
$ auditconfig -t -setpolicy +seq
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt,seq
```
The administrator unsets the seq policy when the debugging is completed:
```
$ auditconfig -setpolicy -seq
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt
```
In this example, the perzone audit policy is set in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone. The perzone policy setting is stored as a property of the audit service, so it is in effect during the session and when the audit service is restarted.
```
$ auditconfig -setpolicy none
$ auditconfig -getpolicy
configured audit policies = none
active audit policies = none
$ auditconfig -setpolicy +perzone
$ auditconfig -getpolicy
configured audit policies = perzone
active audit policies = perzone
```
The audit service provides default values for audit queue parameters. You can inspect and set these values with the auditconfig command.
The auditconfig command can set a temporary, or active, value. This value is used by the kernel, but it is not set as a property of the audit service. This command also sets persistent, or configured, values. Configured values are the values that are restored when you restart the audit service.
Assume a role that includes the Audit Control profile, or become superuser.
To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).
Review the audit queue parameter values.
To view the values, use the auditconfig -getqctrl command.
```
$ auditconfig -getqctrl
no configured audit queue lowater mark
no configured ...
```
The string no configured indicates that the system is using the default settings. For a description of the audit queue parameters, see the auditconfig(1M) man page.
Modify selected audit queue parameters.
To modify all audit queue parameters, use the -setqctrl option.
```
# auditconfig [ -t ] -setqctrl hiwater lowater bufsz interval
```
To modify a specific audit queue parameter, use the specific option, one of -setqbufsz, -setqdelay, -setqlowater, and -setqhiwater.
```
# auditconfig [ -t ] -setq* value
```
-t – Optional. Sets a temporary, or active, value. This value is not set as a property value of the audit service.
hiwater lowater bufsz interval – Are audit queue parameters.
value – Is a value for the audit queue parameter.
A temporary (-t) or active value is in effect until the audit service is restarted, or until the value is modified by the auditconfig [-t] -setq* command. Without the -t option, the queue parameter value is stored as a property value of the audit service.
In this example, the administrator configures the audit queue's write buffer size and wakeup interval. The administrator tunes these parameters differently in the active configuration by using the -t option.
```
# auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 110
active audit queue lowater mark (records) = 30
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
# auditconfig -setqbufsz 8192
# auditconfig -setqdelay 20
# auditconfig -t -setqbufsz 12288
# auditconfig -t -setqdelay 25
# auditconfig -getqctrl
no configured audit queue lowater mark
no configured audit queue hiwater mark
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 12288
active audit queue delay (ticks) = 25
```
The administrator resets the parameters to their default values by setting them to zero.
```
# auditconfig -setqbufsz 0
auditon(2) failed.
error: Invalid argument(22)
# auditconfig -setqdelay 0
auditon(2) failed.
error: Invalid argument(22)
# auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 110
active audit queue lowater mark (records) = 30
active audit queue buffer size (bytes) = 12288
active audit queue delay (ticks) = 25
```
This procedure enables the audit service for all zones. To start the audit daemon in a non-global zone, see Example 30–17.
When auditing is configured securely, the system is in single-user mode until auditing is enabled. You can also enable auditing in multiuser mode.
You should perform this procedure as superuser after completing the following tasks:
Planning – Planning Solaris Auditing (Task Map)
Customizing audit files – Configuring Audit Files (Task Map)
Setting up audit partitions – How to Create Partitions for Audit Files
Setting up audit warning messages – How to Configure the audit_warn Email Alias
Setting audit policy – How to Configure Audit Policy
Run the script that enables the audit service.
Go to the /etc/security directory, and execute the bsmconv script there.
```
# cd /etc/security
# ./bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? [y/n] y
bsmconv: INFO: checking startup file.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation.

The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.
```
For the effects of the script, see the bsmconv(1M) man page.
Reboot the system.
```
# reboot
```
The auditd daemon starts the audit service when the system enters multiuser mode. The FMRI for the audit service is svc:/system/auditd:default.
Another effect of the script is to turn on device allocation. To configure device allocation, see Managing Device Allocation (Task Map).
In the following example, the global zone administrator turned on the perzone policy after auditing was enabled in the global zone and after the non-global zone had booted. The zone administrator of the non-global zone has configured the audit files for the zone, and then starts the audit daemon in the zone.
```
zone1# svcadm enable svc:/system/auditd
```
If the audit service is no longer required at some point, this procedure returns the system to the system state before auditing was enabled. If non-global zones are being audited, their audit service is also disabled.
This command also disables device allocation. Do not run this command if you want to be able to allocate devices. To disable auditing and retain device allocation, see Example 30–18.
Become superuser and bring the system into single-user mode.
    % su
    Password: <Type root password>
    # init S
For more information, see the init(1M) man page.
Run the script to disable auditing.
Change to the /etc/security directory, and execute the bsmunconv script.
    # cd /etc/security
    # ./bsmunconv
Another effect of the script is to disable device allocation.
For information on the full effect of the bsmunconv script, see the bsmconv(1M) man page.
Bring the system into multiuser mode.
    # init 6
In this example, the audit service stops collecting records, but device allocation continues to work. All values from the flags, naflags, and plugin entries in the audit_control file are removed, as are all user entries in the audit_user file.
    ## audit_control file
    flags:
    naflags:

    ## audit_user file
The auditd daemon runs, but no audit records are kept.
In this example, the audit -t command stops the audit service in zone1. Device allocation continues to work. When this command is run in the global zone, and the perzone audit policy is not set, auditing is disabled for all zones, not just the global zone.
    zone1 # audit -t
This procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running.
Assume a role that includes the Audit Control rights profile, or become superuser.
To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map).
Choose the appropriate command.
If you modify the naflags line in the audit_control file, change the kernel mask for nonattributable events.
    $ /usr/sbin/auditconfig -aconf
You can also reboot.
If you modify other lines in the audit_control file, reread the audit_control file.
The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.
    $ /usr/sbin/audit -s
Audit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot.
The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins.
If you modify the audit_event file or the audit_class file while the audit daemon is running, refresh the audit service.
Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.
    $ auditconfig -conf
    $ auditconfig -setumask auid classes
auid – Is the user ID.
classes – Are the preselected audit classes.
For an example, see How to Modify a User's Preselection Mask.
In this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.
    # init S
    # init 6
The audit service audits the entire system, including audit events in zones. A system that has installed non-global zones can audit all zones identically, or can control auditing per zone. For background, see Auditing on a System With Zones. To plan, see How to Plan Auditing in Zones.
This procedure audits every zone identically. This method requires the least computer overhead and administrative resources.
Configure the global zone for auditing.
Complete the tasks in Configuring Audit Files (Task Map).
Complete the tasks in Configuring and Enabling the Audit Service (Task Map), with the following exceptions.
Do not enable perzone audit policy.
Do not enable the audit service. You enable the audit service after you have configured the non-global zones for auditing.
Copy the audit configuration files from the global zone to every non-global zone.
Copy any of the following files that you have edited: audit_class, audit_control, audit_event, audit_user. Do not copy audit_warn. You do not have to copy files that you have not edited.
You have two options. As superuser, you can copy the files, or loopback mount the files. The non-global zone must be running.
Copy the files.
From the global zone, list the /etc/security directory in the non-global zone.
    # ls /zone/zonename/etc/security/
Copy the audit configuration files to the zone's /etc/security directory.
    # cp /etc/security/audit-file /zone/zonename/etc/security/audit-file
Later, if you modify an audit configuration file in the global zone, you re-copy the file to the non-global zones.
Loopback mount the configuration files.
From the global zone, halt the non-global zone.
    # zoneadm -z non-global-zone halt
Create a read-only loopback mount for every audit configuration file that you modified in the global zone.
    # zonecfg -z non-global-zone
    add fs
    set special=/etc/security/audit-file
    set dir=/etc/security/audit-file
    set type=lofs
    add options [ro,nodevices,nosetuid]
    end
    exit
To make the changes effective, boot the non-global zone.
    # zoneadm -z non-global-zone boot
You can also reboot the system.
Later, if you modify an audit configuration file in the global zone, you reboot the system to refresh the loopback-mounted files in the non-global zones.
In this example, the system administrator has modified the audit_class, audit_event, audit_control, audit_user, and audit_warn files.
The audit_warn file is read in the global zone only, so it does not have to be loopback mounted into the non-global zones.
On this system, machine1, the administrator has created two non-global zones, machine1-webserver and machine1-appserver. The administrator has finished customizing the audit configuration files. If the administrator later modifies the files, the system will be rebooted to make the changes effective.
    # zoneadm -z machine1-webserver halt
    # zoneadm -z machine1-appserver halt
    # zonecfg -z machine1-webserver
    add fs
    set special=/etc/security/audit_class
    set dir=/etc/security/audit_class
    set type=lofs
    add options [ro,nodevices,nosetuid]
    end
    add fs
    set special=/etc/security/audit_event
    set dir=/etc/security/audit_event
    set type=lofs
    add options [ro,nodevices,nosetuid]
    end
    add fs
    set special=/etc/security/audit_control
    set dir=/etc/security/audit_control
    set type=lofs
    add options [ro,nodevices,nosetuid]
    end
    add fs
    set special=/etc/security/audit_user
    set dir=/etc/security/audit_user
    set type=lofs
    add options [ro,nodevices,nosetuid]
    end
    exit
    # zonecfg -z machine1-appserver
    add fs
    set special=/etc/security/audit_class
    set dir=/etc/security/audit_class
    set type=lofs
    add options [ro,nodevices,nosetuid]
    end
    ...
    exit
When the zones are rebooted, the audit configuration files are read-only in the zones.
This procedure enables separate zone administrators to control the audit service in their zone. For the complete list of policy options, see the auditconfig(1M) man page.
In the global zone, configure auditing, but do not enable the audit service.
Complete the tasks in Configuring Audit Files (Task Map).
Complete the tasks in Configuring and Enabling the Audit Service (Task Map), with the following exceptions.
Add the perzone audit policy. For an example, see Example 30–15.
Do not enable the audit service. You enable the audit service after the non-global zones are configured for auditing.
In each non-global zone, configure the audit files.
If you are planning to disable auditing in the non-global zone, you can skip this step. To disable auditing, see Example 30–22.
Complete the tasks in Configuring Audit Files (Task Map).
Follow the procedures that are described in Configuring and Enabling the Audit Service (Task Map).
Do not configure system-wide audit settings.
Specifically, do not add the perzone or ahlt policy to the non-global zone. And do not run the bsmconv command from the non-global zone.
Enable auditing in your zone.
When the global zone reboots after auditing is configured, auditing is automatically enabled in your zone.
If the global zone administrator activates the perzone audit policy after the system is booted, individual zone administrators must enable auditing. For details, see Example 30–17.
In the global zone, enable the audit service.
For the procedure, see How to Enable the Audit Service.
This example works if the global zone has set the perzone audit policy. The zone administrator of the noaudit zone disables auditing for that zone. Because the administrator planned to disable auditing, she did not edit the audit configuration files.
    noauditzone # svcadm disable svc:/system/auditd
The following task map points to procedures for selecting, analyzing, and managing audit records.
Task | Description | For Instructions
---|---|---
Display the formats of audit records | Shows the kind of information that is collected for an audit event, and the order in which the information is presented. | 
Merge audit records | Combines audit files from several machines into one audit trail. | 
Select records to examine | Selects particular events for study. | 
Display audit records | Enables you to view binary audit records. | 
Clean up incorrectly named audit files | Provides an end timestamp to audit files that were inadvertently left open by the audit service. | 
Prevent audit trail overflow | Prevents the audit file systems from becoming full. | 
By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.
To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The auditrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.
Put the format of all audit event records in an HTML file.
The -a option lists all audit event record formats. The -h option puts the list in HTML format that can be displayed in a browser.
    % auditrecord -a -h > audit.events.html
When you display the *html file in a browser, use the browser's Find tool to find specific records.
For more information, see the auditrecord(1M) man page.
In this example, the format of all audit records that are generated by the login program is displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Solaris Secure Shell.
    % auditrecord -p login
    terminal login
      program     /usr/sbin/login      See login(1)
                  /usr/dt/bin/dtlogin  See dtlogin
      event ID    6152                 AUE_login
      class       lo                   (0x00001000)
          header
          subject
          text                         error message or "successful login"
          return

    login: logout
      program     various              See login(1)
      event ID    6153                 AUE_logout
      …

    newgrp
      program     newgrp               See newgrp login
      event ID    6212                 AUE_newgrp_login
      …

    rlogin
      program     /usr/sbin/login      See login(1) - rlogin
      event ID    6155                 AUE_rlogin
      …

    SMC: role login
      program     SMC server           See role login
      event ID    6173                 AUE_role_login
      …

    /usr/lib/ssh/sshd
      program     /usr/lib/ssh/sshd    See login - ssh
      event ID    6172                 AUE_ssh
      …

    telnet login
      program     /usr/sbin/login      See login(1) - telnet
      event ID    6154                 AUE_telnet
      …
In this example, the format of all audit records in the fd class is displayed.
    % auditrecord -c fd
    rmdir
      system call rmdir                See rmdir(2)
      event ID    48                   AUE_RMDIR
      class       fd                   (0x00000020)
          header
          path
          [attribute]
          subject
          [use_of_privilege]
          return

    unlink
      system call unlink               See unlink(2)
      event ID    6                    AUE_UNLINK
      …

    unlinkat
      system call unlinkat             See openat(2)
      event ID    286                  AUE_UNLINKAT
      …
By merging all audit files in all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file. The input files can then be deleted. When the output file is placed in a directory that is named /etc/security/audit/server-name/files, the auditreduce command can find the output file without your specifying the full path.
This procedure applies only to binary audit records.
Assume a role that includes the Audit Review profile, or become superuser.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).
Create a directory for storing merged audit files.
    # mkdir audit-trail-directory
Limit access to the directory.
    # chmod 700 audit-trail-directory
    # ls -la audit-trail-directory
    drwx------   3 root     sys          512 May 12 11:47 .
    drwxr-xr-x   4 root     sys         1024 May 12 12:47 ..
Merge the audit records in the audit trail.
Change directories to the audit-trail-directory and merge the audit records into a file with a named suffix. All directories that are listed in the dir lines of the audit_control file on the local system are merged.
    # cd audit-trail-directory
    # auditreduce -Uppercase-option -O suffix
The uppercase options to the auditreduce command manipulate files in the audit trail. The uppercase options include the following:
-A – Selects all of the files in the audit trail.
-C – Selects complete files only. This option ignores files with the suffix not_terminated.
-M – Selects files with a particular suffix. The suffix can be a machine name, or it can be a suffix that you have specified for a summary file.
-O suffix – Creates an audit file with 14-character timestamps for both the start time and the end time, with the given suffix, in the current directory.
In the following example, the System Administrator role, sysadmin, copies all files from the audit trail into a merged file.
    $ whoami
    sysadmin
    $ mkdir /var/audit/audit_summary.dir
    $ chmod 700 /var/audit/audit_summary.dir
    $ cd /var/audit/audit_summary.dir
    $ auditreduce -A -O All
    $ ls *All
    20030827183214.20030827215318.All
In the following example, only complete files are copied from the audit trail into a merged file.
    $ cd /var/audit/audit_summary.dir
    $ auditreduce -C -O Complete
    $ ls *Complete
    20030827183214.20030827214217.Complete
In the following example, only complete files are copied from the example1 machine into a merged file.
    $ cd /var/audit/audit_summary.dir
    $ auditreduce -M example1 -O example1summ
    $ ls *summ
    20030827183214.20030827214217.example1summ
The -D option to the auditreduce command deletes an audit file when you copy it to another location. In the following example, the complete audit files from one system are copied to the summary directory for later examination.
    $ cd /var/audit/audit_summary.dir
    $ auditreduce -C -O daily_example1 -D example1
    $ ls *example1
    20030827183214.20030827214217.daily_example1
The audit files from the example1 system that were the input to the *daily_example1 file are removed when this command successfully completes.
You can filter audit records for examination. For the complete list of filtering options, see the auditreduce(1M) man page.
Assume a role that includes the Audit Review profile, or become superuser.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).
Select the kinds of records that you want from the audit trail, or from a specified audit file.
    auditreduce -lowercase-option argument [optional-file]
argument – Specific argument that a lowercase option requires. For example, the -c option requires an argument of an audit class, such as ua.
-d – Selects all of the events on a particular date. The date format for argument is yyyymmdd. Other date options, -b and -a, select events before and after a particular date.
-u – Selects all of the events attributable to a particular user. The argument is a user name. Another user option, -e, selects all of the events attributable to an effective user ID.
-c – Selects all of the events in a preselected audit class. The argument is an audit class name.
-m – Selects all of the instances of a particular audit event. The argument is an audit event.
optional-file – Is the name of an audit file.
The auditreduce command can eliminate the less interesting records as it combines the input files. For example, you might use the auditreduce command to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover the trail from backup media.
    # cd /var/audit/audit_summary.dir
    # auditreduce -O lo.summary -b 20030827 -c lo; compress *lo.summary
In this example, all the records of nonattributable audit events in the audit trail are collected into one file.
    $ whoami
    sysadmin
    $ cd /var/audit/audit_summary.dir
    $ auditreduce -c na -O nasumm
    $ ls *nasumm
    20030827183214.20030827215318.nasumm
The merged nasumm audit file is time stamped with the beginning and ending date of the na records.
You can select audit files manually to search just the named set of files. For example, you can further process the *nasumm file in the previous example to find system boot events. To do so, you would specify the file name as the final argument to the auditreduce command.
    $ auditreduce -m 113 -O systemboot 20030827183214.20030827215318.nasumm
    20030827183214.20030827183214.systemboot
The 20030827183214.20030827183214.systemboot file contains only system boot audit events.
In this example, the records in the audit trail that contain the name of a particular user are merged. The -e option finds the effective user. The -u option finds the audit user.
    $ cd /var/audit/audit_summary.dir
    $ auditreduce -e tamiko -O tamiko
You can look for specific events in this file. In the following example, the command checks what time the user logged in and out on Sept 7, 2003, in your local time. Only those files with the user's name as the file suffix are checked. The short form of the date is yyyymmdd.
    # auditreduce -M tamiko -O tamikolo -d 20030907 -u tamiko -c lo
In this example, login and logout messages for a particular day are selected from the audit trail. The messages are merged into a target file. The target file is written in a directory other than the normal audit root directory.
    # auditreduce -c lo -d 20030827 -O /var/audit/audit_summary.dir/logins
    # ls /var/audit/audit_summary.dir/*logins
    /var/audit/audit_summary.dir/20030827183936.20030827232326.logins
The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. The -x option is useful for further processing.
Assume a role that includes the Audit Review profile, or become superuser.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).
Use one of the following praudit commands to produce the output that is best for your purposes.
The following examples show praudit output from the same audit event. Audit policy has been set to include the sequence and trailer tokens.
The praudit -s command displays audit records in a short format, one token per line. Use the -l option to place each record on one line.
    $ auditreduce -c lo | praudit -s
    header,101,2,AUE_rlogin,,example1,2003-10-13 11:23:31.050 -07:00
    subject,jdoe,jdoe,staff,jdoe,staff,749,749,195 1234 server1
    text,successful login
    return,success,0
    sequence,1298
The praudit -r command displays audit records in their raw format, one token per line. Use the -l option to place each record on one line.
    $ auditreduce -c lo | praudit -r
    21,101,2,6155,0x0000,192.168.60.83,1062021202,64408258
    36,2026700,2026700,10,2026700,10,749,749,195 1234 192.168.60.17
    40,successful login
    39,0,0
    47,1298
The praudit -x command displays audit records in XML format, one token per line. Use the -l option to place the XML output for one record on one line.
    $ auditreduce -c lo | praudit -x
    <record version="2" event="login - rlogin" host="example1" time="Wed Aug 27 14:53:22 PDT 2003" msec="64">
      <subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe" rgid="staff" pid="749" sid="749" tid="195 1234 server1"/>
      <text>successful login</text>
      <return errval="success" retval="0"/>
      <sequence seq-num="1298"/>
    </record>
With a pipe to the lp command, the output for the entire audit trail goes to the printer. The printer should have limited access.
    # auditreduce | praudit | lp -d example.protected.printer
In this example, a summary login file is examined in a terminal window.
    # cd /var/audit/audit_summary.dir/logins
    # praudit 20030827183936.20030827232326.logins | more
In this example, the audit records are converted to XML format.
    # praudit -x 20030827183214.20030827215318.logins > 20030827.logins.xml
The *xml file can be displayed in a browser. The contents of the file can be operated on by a script to extract the relevant information.
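The following Python script is an added example of the kind of processing that sentence describes; it is not part of the Solaris documentation or of praudit. It reads praudit -x output, extracts the fields that matter for review (event, host, time, audit ID, terminal ID, return status) from each record, and summarizes successful and failed logins per audit user. The input is constructed: the first record is the rlogin record shown earlier in this chapter, and the second is an invented failed ssh login for the same user. The script also assumes that praudit -x output may begin with an XML declaration and DOCTYPE, which it discards before parsing.

```python
"""Parse praudit -x output and summarize login outcomes per audit user."""
import xml.etree.ElementTree as ET

# Constructed praudit -x output. The first record is the rlogin record shown
# in this chapter; the second is a constructed failed ssh login for the same
# audit user.
SAMPLE_XML = """\
<record version="2" event="login - rlogin" host="example1" time="Wed Aug 27 14:53:22 PDT 2003" msec="64">
<subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe" rgid="staff" pid="749" sid="749" tid="195 1234 server1"/>
<text>successful login</text>
<return errval="success" retval="0"/>
<sequence seq-num="1298"/>
</record>
<record version="2" event="login - ssh" host="example1" time="Wed Aug 27 14:58:10 PDT 2003" msec="12">
<subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe" rgid="staff" pid="801" sid="801" tid="195 1234 server1"/>
<text>invalid password</text>
<return errval="failure" retval="1"/>
<sequence seq-num="1299"/>
</record>
"""


def parse_praudit_xml(text):
    """Return one dict per <record> with the fields most useful for review.

    An XML declaration or DOCTYPE line at the top is dropped, and the rest is
    wrapped in a root element of our own, so the parser works whether or not
    praudit wrapped the records in a root element."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith(("<?xml", "<!DOCTYPE")))
    root = ET.fromstring("<praudit>" + body + "</praudit>")
    records = []
    for rec in root.iter("record"):
        subject = rec.find("subject")
        ret = rec.find("return")
        txt = rec.find("text")
        records.append({
            "event": rec.get("event"),
            "host": rec.get("host"),
            "time": rec.get("time"),
            # audit-uid is the identity established at login; uid can change
            # later (for example through su), so actions are attributed to
            # the audit ID, not the current uid.
            "audit_uid": subject.get("audit-uid") if subject is not None else None,
            "uid": subject.get("uid") if subject is not None else None,
            "tid": subject.get("tid") if subject is not None else None,
            "text": txt.text if txt is not None else None,
            "errval": ret.get("errval") if ret is not None else None,
            "retval": ret.get("retval") if ret is not None else None,
        })
    return records


def summarize_logins(records):
    """Count successful and failed login events per audit user ID."""
    summary = {}
    for r in records:
        if "login" not in (r["event"] or ""):
            continue
        entry = summary.setdefault(r["audit_uid"], {"success": 0, "failure": 0})
        entry["success" if r["errval"] == "success" else "failure"] += 1
    return summary


def failed_logins(records):
    """Return (time, host, audit_uid, tid, text) for each failed login."""
    return [(r["time"], r["host"], r["audit_uid"], r["tid"], r["text"])
            for r in records
            if "login" in (r["event"] or "") and r["errval"] != "success"]


if __name__ == "__main__":
    recs = parse_praudit_xml(SAMPLE_XML)
    print(summarize_logins(recs))
    for row in failed_logins(recs):
        print("FAILED", *row)
```

To run it against a real file, replace SAMPLE_XML with the contents of a praudit -x output file such as the 20030827.logins.xml produced above. Keying the summary on audit-uid rather than uid is deliberate: it is the field that survives su and role assumption.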
A message similar to the following indicates that you do not have enough privilege to use the praudit command:
    praudit: Can't assign 20090408164827.20090408171614.example1 to stdin.
Occasionally, an audit daemon exits while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct timestamp.
List the files with the not_terminated string on your audit file system in order of creation.
    # ls -R1t audit-directory*/files/* | grep not_terminated
-R – Lists files in subdirectories.
-t – Lists files from most recent to oldest.
-1 – Lists the files in one column.
Clean up the old not_terminated file.
Specify the name of the old file to the auditreduce -O command.
    # auditreduce -O system-name old-not-terminated-file
Remove the old not_terminated file.
    # rm old-not-terminated-file
In the following example, not_terminated files are found, renamed, then the originals are removed.
    # ls -R1t */files/* | grep not_terminated
    …/egret.1/20030908162220.not_terminated.egret
    …/egret.1/20030827215359.not_terminated.egret
    # cd */files/egret.1
    # auditreduce -O egret 20030827215359.not_terminated.egret
    # ls -1t
    20030908162220.not_terminated.egret      Current audit file
    20030827230920.20030830000909.egret
    20030827215359.not_terminated.egret      Input (old) audit file
    # rm 20030827215359.not_terminated.egret
    # ls -1t
    20030908162220.not_terminated.egret      Current audit file
    20030827230920.20030830000909.egret      Cleaned up audit file
The start timestamp on the new file reflects the time of the first audit event in the not_terminated file. The end timestamp reflects the time of the last audit event in the file.
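The risky part of this procedure is telling the stale not_terminated files apart from the one the audit daemon is still writing, which also carries the not_terminated string. The following Python script is an added example, not part of the Solaris documentation: it groups not_terminated files by machine suffix, treats the newest file per machine as the live one unless that machine's daemon is known to be stopped, and emits the auditreduce -O and rm commands for the rest, with rm chained after a successful auditreduce only. The file list and the directory /var/audit/files/egret.1 are constructed from the egret example above.

```python
"""Find stale not_terminated audit files and build the cleanup commands.

The newest not_terminated file per machine is the daemon's current file and
must be left alone; everything older with that suffix was left open by a
daemon exit or server switch and needs a proper end timestamp."""
import os
import re

# File names look like YYYYMMDDhhmmss.not_terminated.machine
NOT_TERMINATED = re.compile(r"^(\d{14})\.not_terminated\.([^/]+)$")

# Constructed listing modelled on the egret example; the directory is assumed.
SAMPLE_PATHS = [
    "/var/audit/files/egret.1/20030908162220.not_terminated.egret",
    "/var/audit/files/egret.1/20030827215359.not_terminated.egret",
    "/var/audit/files/egret.1/20030827230920.20030830000909.egret",
]


def find_not_terminated(root):
    """Walk an audit directory tree and return the not_terminated file paths."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOT_TERMINATED.match(name):
                found.append(os.path.join(dirpath, name))
    return found


def stale_not_terminated(paths, active_machines=None):
    """Return (machine, path) for each not_terminated file that is no longer
    being written, oldest first.

    The newest file per machine is kept, unless active_machines is given and
    the machine is not in it (its daemon is known to be stopped), in which
    case all of its not_terminated files are stale."""
    by_machine = {}
    for path in paths:
        m = NOT_TERMINATED.match(os.path.basename(path))
        if m:
            by_machine.setdefault(m.group(2), []).append((m.group(1), path))
    stale = []
    for machine, entries in sorted(by_machine.items()):
        entries.sort()  # fixed-width timestamps, so string order is time order
        keep = 1 if active_machines is None or machine in active_machines else 0
        stale.extend((machine, path) for _stamp, path in entries[:len(entries) - keep])
    return stale


def cleanup_commands(paths, active_machines=None):
    """Build the per-file commands from the procedure above, run in the
    file's own directory; rm runs only if auditreduce succeeded."""
    cmds = []
    for machine, path in stale_not_terminated(paths, active_machines):
        directory, name = os.path.split(path)
        cmds.append(f"cd {directory} && auditreduce -O {machine} {name} && rm {name}")
    return cmds


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_PATHS):
        print(cmd)
```

Run find_not_terminated on the audit root to build the real list, review the printed commands, and only then execute them; the script deliberately prints rather than runs them.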
If your security policy requires that all audit data be saved, do the following:
Set up a schedule to regularly archive audit files.
Archive audit files by backing up the files to offline media. You can also move the files to an archive file system.
If you are collecting text audit logs with the syslog utility, archive the text logs. For more information, see the logadm(1M) man page.
Set up a schedule to delete the archived audit files from the audit file system.
Save and store auxiliary information.
Archive information that is necessary to interpret audit records along with the audit trail.
Keep records of which audit files have been archived.
Store the archived media appropriately.
Reduce the volume of audit data that you store by creating summary files.
You can extract summary files from the audit trail by using options to the auditreduce command. The summary files contain only records for specified types of audit events. To extract summary files, see Example 30–27 and Example 30–31.
This section covers various Solaris auditing error messages, preferences, and the auditing that is provided by other tools. These procedures can help you record the audit events that you require at your site.
The following task map points to procedures for troubleshooting Solaris auditing.
Problem | Solution | For Instructions
---|---|---
Why are audit files not being created when I have configured auditing? | Troubleshoot the audit daemon and audit configuration files. | 
How can I reduce the amount of audit information that is being collected? | Audit just the events that you want to audit. | 
How can I audit everything that a user does on the system? | Audit one or more users for every command. | 
How can I change the audit events that are being recorded and have the change affect existing sessions? | Update a user's preselection mask. | 
How can I locate modifications to particular files? | Audit file modifications, then use the auditreduce command to find particular files. | 
How can I reduce the size of my audit files? | Limit the size of the binary audit file. | 
How can I remove audit events from the audit_event file? | Update the audit_event file. | 
How can I audit all logins to a Solaris system? | Audit logins from any system. | 
Why are auditing records not being kept for my FTP transfers? | Use the appropriate auditing tool for utilities that generate their own logs. | 
If you believe that auditing has been activated, but no audit records are in your primary audit directory, try the following.
Determine that auditing is running.
Verify that the c2audit kernel module is loaded.
    # modinfo | grep c2audit
No listing indicates that auditing is not running. The following listing indicates that auditing is running:
    40 132ce90  14230 186   1  c2audit (C2 system call)
Verify that the audit daemon is running.
Verify the status of the auditd service. The following listing indicates that auditing is not running:
    # svcs -x auditd
    svc:/system/auditd:default (Solaris audit daemon)
     State: disabled since Fri Aug 14 19:02:35 2009
    Reason: Disabled by an administrator.
       See: http://sun.com/msg/SMF-8000-05
       See: auditd(1M)
       See: audit(1M)
    Impact: This service is not running.
The following listing indicates that the audit service is running:
    # svcs auditd
    STATE          STIME    FMRI
    online         10:10:10 svc:/system/auditd:default
Verify the current audit condition.
The following listing indicates that auditing is not running:
    # auditconfig -getcond
    auditconfig: auditon(2) failed.
    auditconfig: error = Operation not supported(48)
The following listing indicates that auditing is running:
    # auditconfig -getcond
    audit condition = auditing
If the audit service is not running, enable it. For the procedure, see How to Enable the Audit Service.
Verify the syntax of the audit_control file.
    # audit -v /etc/security/audit_control
    audit: audit_control must have either a valid "dir:" entry or a valid "plugin:" entry with "p_dir:" specified.
Correct the errors. The message syntax ok indicates that the file is syntactically correct.
Verify that the audit_control file has valid values for the flags and naflags keywords.
    # grep flags /etc/security/audit_control
    flags:lo
    naflags:na,lp
Supply valid values if the audit_control file has invalid values. In the preceding example, lp is an invalid class.
Verify that the audit_user file has valid values for every user.
    # tail audit_user
    ...
    # User Level Audit User File
    #
    # File Format
    #
    #   username:always:never
    #
    root:lo:no
    admin:lp:no
Supply valid values if the audit_user file contains invalid values. In the preceding example, lp is an invalid class.
If you created a customized audit class, verify that you assigned events to the class.
For example, the following audit_control file contains a class that Sun did not deliver:
    # grep flags /etc/security/audit_control
    flags:lo,pf
    naflags:na,lo
For a description of creating the pf class, see How to Add an Audit Class.
Verify that the class is defined in the audit_class file.
The audit class mask must be unique.
    # grep pf /etc/security/audit_class
    0x10000000:pf:profile command
If the class is not defined, define it. Otherwise, remove the class from the audit_control and audit_user files.
Verify that events have been assigned to the class.
    # grep pf /etc/security/audit_event
    6180:AUE_prof_cmd:profile command:ua,as,pf
If events are not assigned to the class, assign the appropriate events to this class.
If the previous steps did not indicate a problem, review the system log files, /var/adm/messages and /var/log/syslog.
Locate and fix the problems.
Then, if the audit service is running, restart it.
    # audit -s
If the audit service is not running, enable it.
For the procedure, see How to Enable the Audit Service.
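The file checks in the preceding steps (every class named in audit_control and audit_user exists in audit_class, class masks are unique, and each class in use has events assigned in audit_event) can be run as one script before restarting the daemon. The following Python example is added here and is not part of the Solaris documentation. The four file contents are constructed stand-ins for /etc/security/audit_class, audit_control, audit_user and audit_event: the pf, lo and fd masks and the event lines come from this chapter, the other masks are invented for the example, and the invalid class lp is the one the steps above describe. It also assumes the audit flag prefixes +, -, ^, ^+ and ^- that audit_control accepts and strips them before the lookup.

```python
"""Cross-check the audit classes used in audit_control and audit_user against
audit_class, and confirm each class in use has events in audit_event."""
import re

# Constructed audit_class contents: mask:name:description. The pf line and the
# lo and fd masks are from this chapter; the other masks are invented here.
AUDIT_CLASS = """\
# mask:name:description
0x00000000:no:invalid class
0x00000020:fd:file delete
0x00000400:na:non-attributable
0x00001000:lo:login or logout
0x00040000:ex:exec
0x10000000:pf:profile command
0xffffffff:all:all classes
"""

# Constructed audit_control and audit_user contents with the invalid class lp.
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,pf\nminfree:20\nnaflags:na,lp\n"
AUDIT_USER = "# username:always:never\nroot:lo:no\nadmin:lp:no\n"

# Constructed audit_event excerpt: number:name:description:classes
AUDIT_EVENT = """\
23:AUE_EXECVE:execve(2):ps,ex
48:AUE_RMDIR:rmdir(2):fd
113:AUE_SYSTEMBOOT:system booted:na
6152:AUE_login:login - local:lo
6180:AUE_prof_cmd:profile command:ua,as,pf
"""

# Flags may carry +, -, ^, ^+ or ^- (success/failure selection) in front of
# the class name; strip the prefix before looking the name up.
_PREFIX = re.compile(r"^\^?[+-]?")


def _data_lines(text):
    """Yield non-blank, non-comment lines, stripped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def split_classes(field):
    return [c for c in field.split(",") if c]


def parse_audit_class(text):
    """Map class name -> integer mask."""
    classes = {}
    for line in _data_lines(text):
        mask, name, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_audit_control(text):
    """Map keyword -> value; flags and naflags values are class lists."""
    return {k.strip(): v.strip() for k, _, v in
            (line.partition(":") for line in _data_lines(text))}


def parse_audit_user(text):
    """Map username -> (always-audit classes, never-audit classes)."""
    users = {}
    for line in _data_lines(text):
        name, always, never = line.split(":", 2)
        users[name] = (split_classes(always), split_classes(never))
    return users


def classes_with_events(text):
    """Set of class names that have at least one event mapped in audit_event."""
    used = set()
    for line in _data_lines(text):
        parts = line.split(":")
        if len(parts) >= 4:
            used.update(split_classes(parts[3]))
    return used


def check_audit_config(audit_class, audit_control, audit_user, audit_event):
    """Return (location, problem) pairs for an administrator to act on."""
    known = parse_audit_class(audit_class)
    with_events = classes_with_events(audit_event)
    problems = []

    def check(location, flags):
        for flag in flags:
            name = _PREFIX.sub("", flag)
            if name not in known:
                problems.append((location, f"unknown class {name!r}"))
            elif name not in with_events and name not in ("all", "no"):
                problems.append((location, f"class {name!r} has no events"))

    control = parse_audit_control(audit_control)
    for key in ("flags", "naflags"):
        check(f"audit_control {key}", split_classes(control.get(key, "")))
    for user, (always, never) in parse_audit_user(audit_user).items():
        check(f"audit_user {user}", always + never)

    # Masks must be unique, or two classes cannot be preselected independently.
    by_mask = {}
    for name, mask in known.items():
        if mask in by_mask and mask not in (0x0, 0xffffffff):
            problems.append(("audit_class", f"{name} and {by_mask[mask]} share mask {mask:#010x}"))
        by_mask.setdefault(mask, name)
    return problems


if __name__ == "__main__":
    for location, problem in check_audit_config(AUDIT_CLASS, AUDIT_CONTROL, AUDIT_USER, AUDIT_EVENT):
        print(f"{location}: {problem}")
```

On a real system, read the four files from /etc/security into the four strings; an empty result means the class names, masks and event assignments are consistent, and the remaining causes to check are the ones in the steps above (daemon state, dir entries, system log files).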
After you have determined which events must be audited at your site, use the following suggestions to create manageable audit files.
Use the default audit policy.
Specifically, avoid adding events and audit tokens to the audit trail. The following policies affect the size of the audit trail.
arge policy – Adds environment variables to exec audit events.
argv policy – Adds command parameters to exec audit events.
public policy – If file events are being audited, adds an event to the audit trail every time an auditable event happens to a public file. File classes include fa, fc, fd, fm, fr, fw, and cl. For the definition of a public file, see Audit Terminology and Concepts.
path policy – Adds a path token to audit events that include an optional path token.
group policy – Adds a group token to audit events that include an optional newgroups token.
seq policy – Adds a sequence token to every audit event.
trail policy – Adds a trailer token to every audit event.
windata_down policy – On a system that is configured with Trusted Extensions, adds events when information in a labeled window is downgraded.
windata_up policy – On a system that is configured with Trusted Extensions, adds events when information in a labeled window is upgraded.
zonename policy – Adds the zone name to every audit event. If the global zone is the only configured zone, adds zone, global to every audit event.
The following audit record shows the use of the ls command. The ex class is being audited and the default policy is in use:
    header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
    path,/usr/bin/ls
    subject,jdoe,root,root,root,root,1401,737,0 0 mach1
    return,success,0
The following is the same record when all policies are turned on:
    header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
    path,/usr/bin/ls
    attribute,100555,root,bin,136,432,0
    exec_args,1,ls
    exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
    path,/lib/ld.so.1
    attribute,100755,root,bin,136,4289,0
    subject,jdoe,root,root,root,root,1401,737,0 0 mach1
    group,root,other,bin,sys,adm,uucp,mail,tty,lp,nuucp,daemon
    return,success,0
    zone,global
    sequence,313540
    trailer,375
Use the audit_syslog.so plugin to send some audit events to syslog.
This strategy works only if you are not required to keep binary records of the audit events that you send to the syslog logs. By using the auditreduce command, you can then strip the binary files of these records, thus reducing the size of the binary files.
Use the audit_user file to audit events for specific users and roles.
Reduce the amount of auditing for all users by reducing the number of audit classes in the audit_control file. In the audit_user file, add audit classes for specific users and roles.
Create your own customized audit class.
You can create audit classes at your site. Into these classes, put all the audit events that you need to monitor. For the procedure, see How to Add an Audit Class.
If you modify existing audit class assignments, your modifications might be lost when you upgrade to a newer version of the Solaris OS. Carefully review the install logs.
As part of site security policy, some sites require audit records of all commands that are run by the root user or by administrative roles. Some sites also require audit records of all commands that are run by users.
Audit the lo and ex classes.
The ex class audits all calls to the exec() and execve() functions. The lo class audits logins, logouts, and screen locks. The following output lists all the events in the ex and lo classes.
7:AUE_EXEC:exec(2):ps,ex 23:AUE_EXECVE:execve(2):ps,ex ... 6152:AUE_login:login - local:lo 6153:AUE_logout:logout:lo 6154:AUE_telnet:login - telnet:lo 6155:AUE_rlogin:login - rlogin:lo 6158:AUE_rshd:rsh access:lo 6159:AUE_su:su:lo 6162:AUE_rexecd:rexecd:lo 6163:AUE_passwd:passwd:lo 6164:AUE_rexd:rexd:lo 6165:AUE_ftpd:ftp access:lo 6171:AUE_ftpd_logout:ftp logout:lo 6172:AUE_ssh:login - ssh:lo 6173:AUE_role_login:role login:lo 6212:AUE_newgrp_login:newgrp login:lo 6213:AUE_admin_authenticate:admin login:lo 6221:AUE_screenlock:screenlock - lock:lo 6222:AUE_screenunlock:screenlock - unlock:lo 6227:AUE_zlogin:login - zlogin:lo |
To audit these classes for administrators, modify the audit_user file.
In the following example, the site has created three roles, sysadm, auditadm, and netadm. These roles and the root account are audited for the ex and lo classes:
## audit_user file
root:lo,ex:no
sysadm:lo,ex:no
auditadm:lo,ex:no
netadm:lo,ex:no
To audit the lo class for non-attributable events, modify the audit_control file.
## audit_control file
...
naflags:lo
...
To audit these classes for all users, modify the audit_control file.
## audit_control file
flags:lo,ex
naflags:lo
...
The output appears similar to the following:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0
To record the arguments to commands, set the argv policy.
# auditconfig -setpolicy +argv
The exec_args token records the command arguments:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
exec_args,1,ls
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0
To record the environment in which the command is run, set the arge policy.
# auditconfig -setpolicy +arge
The exec_env token records the command environment:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0
To record the arguments and the command environment, set both policies.
# auditconfig -setpolicy +argv
# auditconfig -setpolicy +arge
The output appears similar to the following:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
exec_args,1,ls
exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0
If your goal is to log writes to a limited number of files, such as /etc/passwd and the files in the /etc/default directory, you use the auditreduce command to locate the records for those files.
Audit the fw class.
Adding the class to the audit_user file generates fewer records than adding the class to the audit_control file.
To find the audit records for specific files, use the auditreduce command.
# /usr/sbin/auditreduce -o file=/etc/passwd,/etc/default -O filechg
The auditreduce command searches the audit trail for all instances of the file argument. The command creates a binary file with the suffix filechg, which contains all records that include the pathnames of the files of interest. See the auditreduce(1M) man page for the syntax of the -o file=pathname option.
To read the filechg file, use the praudit command.
# /usr/sbin/praudit *filechg
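A small parser for the praudit text records shown in this chapter, added here as an example and not part of the Solaris documentation: it splits the output at each header token, checks the item counts carried by the exec_args and exec_env tokens, and then selects the records that name /etc/passwd or a file under /etc/default, the same selection that the auditreduce -o file= command above performs on the binary trail. The two sample records are constructed after the ones shown earlier.

```python
"""Parse praudit text records (one token per line, comma-separated fields) and
select those that touch given files, the local analogue of the
auditreduce -o file=/etc/passwd,/etc/default command above. Added example,
not Solaris code; the records below are constructed after the ones shown."""

# Constructed input: an execve record with argv and arge set, then a write.
SAMPLE = """\
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
exec_args,1,ls
exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0
header,138,2,open(2) - write,,mach1,2009-08-06 11:20:03.101 -07:00
path,/etc/default/login
attribute,100644,root,sys,136,432,0
subject,jdoe,root,root,root,root,1402,737,0 0 mach1
return,success,4
"""
COUNTED = {"exec_args", "exec_env"}  # tokens whose first field is an item count

def parse_records(text):
    """Split praudit output into records, one per header token; each record
    maps token name -> list of field lists (a token such as path can repeat)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *body = line.split(",")
        if name == "header":
            records.append({})
        elif not records:
            raise ValueError("token before first header: " + line)
        if name in COUNTED:
            count, body = int(body[0]), body[1:]
            if len(body) != count:  # a value with an embedded comma is ambiguous
                raise ValueError("%s: count %d but %d items" % (name, count, len(body)))
        records[-1].setdefault(name, []).append(body)
    return records

def select_by_file(records, paths):
    """Records whose path token names one of `paths` or a file beneath one of
    them, as auditreduce -o file= does for the same list on the binary trail."""
    dirs = tuple(p.rstrip("/") + "/" for p in paths)
    hits = []
    for rec in records:
        if any(p[0] in paths or p[0].startswith(dirs) for p in rec.get("path", [])):
            hits.append(rec)
    return hits
```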
If you modify the audit_control or audit_user file, the preselection mask of users who are already logged in does not change. You must force the preselection mask to change.
You enabled auditing, users logged in, and then you changed the value of flags or naflags in the audit_control file. You want the users who are already logged in to be audited for these newly selected audit classes.
Update the preselection mask of users who are already logged in.
You have two options. You can terminate the existing sessions or use the auditconfig command to update the users' preselection masks.
Terminate the users' existing sessions.
Users can log out and log back in, or the administrator can manually terminate (kill) active sessions. The new sessions will inherit the new preselection mask. However, terminating users could be impractical.
Dynamically change each user's preselection mask.
Assume that the flags attribute in the audit_control file was changed from lo to lo,ex.
Determine the user's audit ID and audit session ID.
First, find all regular users. In the following example, the administrator finds all processes that are not owned by root, daemon, or lp:
# /usr/bin/pgrep -v -u root,daemon,lp | more
..
3941
3948
3949
10640
...
Then, use one of the user's processes to find the user's audit ID:
# auditconfig -getpinfo 3941
audit id = jdoe(1002)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234)
audit session id = 713
Note that the user's preselection mask includes the lo class and does not include the newly added ex class.
The user's audit ID is 1002. The user's audit session ID is 713.
Change the user's preselection mask.
Use one of the following two methods:
Verify that the preselection mask has changed.
# auditconfig -getpinfo 3941
audit id = jdoe(1002)
process preselection mask = ex,lo(0x40001000,0x40001000)
terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234)
audit session id = 713
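As an added example that is not part of this guide, the following Python check compares a user's current mask, taken from the auditconfig -getpinfo output above, with the flags now set in audit_control and reports the classes the running session still lacks. It assumes the class bits visible in that output (lo = 0x1000, ex = 0x40000000) and the + and - flag prefixes used later in this chapter for the fr class; on a real system the bits would be read from /etc/security/audit_class.

```python
"""Check whether a logged-in user's preselection mask (auditconfig -getpinfo
output) covers the flags now in audit_control. Added example, not Solaris code;
lo and ex bits are those shown above (normally read from /etc/security/audit_class)."""
import re
# Constructed audit_class excerpt (mask:name:description).
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000001:fr:file read
0x00001000:lo:login or logout
0x40000000:ex:exec
"""
# Constructed copy of the getpinfo output before the mask was updated.
GETPINFO = """\
audit id = jdoe(1002)
process preselection mask = lo(0x1000,0x1000)
audit session id = 713
"""

def load_classes(text):
    classes = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            mask, name, _desc = line.split(":", 2)
            classes[name] = int(mask, 16)
    return classes

def flags_to_mask(flags, classes):
    """'lo,ex,+fr,-fw' -> (success_mask, failure_mask): a bare class audits
    both outcomes, '+' only successful events, '-' only failed ones."""
    success = failure = 0
    for item in flags.replace(" ", "").split(","):
        sign, name = (item[0], item[1:]) if item[0] in "+-" else ("", item)
        bit = classes[name]  # KeyError for a class name not in audit_class
        if sign != "-":
            success |= bit
        if sign != "+":
            failure |= bit
    return success, failure

def current_mask(getpinfo):
    m = re.search(r"preselection mask = \S*\((0x[0-9a-f]+),(0x[0-9a-f]+)\)", getpinfo)
    if not m:
        raise ValueError("no preselection mask line in getpinfo output")
    return int(m.group(1), 16), int(m.group(2), 16)

def missing_classes(getpinfo, flags, classes):
    """Classes `flags` require that the session does not yet audit ([] = up to date)."""
    want_s, want_f = flags_to_mask(flags, classes)
    have_s, have_f = current_mask(getpinfo)
    gap = (want_s & ~have_s) | (want_f & ~have_f)
    return sorted(name for name, bit in classes.items() if bit and gap & bit)
```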
For maintenance purposes, sometimes a site wants to prevent audit events from being audited.
Change the class of the event to the no class.
For example, events 26 and 27 belong to the pm class.
## audit_event file
...
25:AUE_VFORK:vfork(2):ps
26:AUE_SETGROUPS:setgroups(2):pm
27:AUE_SETPGRP:setpgrp(2):pm
28:AUE_SWAPON:swapon(2):no
...
Change these events to the no class.
## audit_event file
...
25:AUE_VFORK:vfork(2):ps
26:AUE_SETGROUPS:setgroups(2):no
27:AUE_SETPGRP:setpgrp(2):no
28:AUE_SWAPON:swapon(2):no
...
If the pm class is currently being audited, existing sessions will still audit events 26 and 27. To stop these events from being audited, you must update the users' preselection masks.
Never comment out events in the audit_event file. This file is used by the praudit command to read binary audit files. Archived audit files might contain events that are listed in the file.
To update the preselection masks of users, follow the instructions in How to Modify a User's Preselection Mask.
Binary audit files grow without limit. For ease of archiving and searching, you might want to limit the size. You can also create smaller binary files from the original file.
Use the p_fsize attribute to limit the size of individual binary audit files.
The p_fsize attribute of the audit_binfile.so plugin enables you to limit the size of an audit file. The default value is zero (0), which allows the file to grow without limit. The value is specified in bytes, from 512,000 to 2,147,483,647. When the specified size is reached, the current audit file is closed and a new file is opened.
In the following example, you limit the size of an audit file to 1 Mbyte:
plugin:name=audit_binfile.so; p_dir=/var/audit; p_fsize=1024000
Use the auditreduce command to select records and write those records to a file for further analysis.
The lowercase options of auditreduce, such as -o, select specific records.
The uppercase options, such as -O, write your selection to a file. For more information, see the auditreduce(1M) man page.
The Solaris OS can audit all logins, independent of source.
Audit the lo class for attributable and for non-attributable events.
This class audits logins, logouts, and screen locks.
## audit_control file
flags:lo
naflags:lo
...
To audit ssh logins, your Solaris system must be running the Solaris ssh daemon. This daemon is modified for Solaris auditing. For more information, see Solaris Secure Shell and the OpenSSH Project.
The FTP service creates logs of its file transfers. The SFTP service, which runs under the SSH protocol, can be audited by Solaris auditing. Logins to both services can be audited by Solaris auditing.
To log commands and file transfers of the FTP service, see the ftpaccess(4) man page.
For the available logging options, read the “Logging Capabilities” section. In particular, the log commands and log transfers options might provide useful logs.
To log sftp file transfers, perform one or both of the following:
Audit file-reads.
File transfers over an SSH connection use the sftp command. These transfers can be recorded by using the +fr audit flag. To audit failed sftp file transfers, use the -fr audit flag.
The following output is from a successful sftp session:
header,138,2,open(2) - read,,ma2,2009-08-25 14:48:58.770 -07:00
path,/home/jdoe/vpn_connect
attribute,100644,jdoe,staff,391,437,0
subject,jdoe,jdoe,staff,jdoe,staff,4444,120289379,8457 65558 ma1
return,success,6
Use the verbose option to the sftp command.
The -v option can be repeated up to three times.
# sftp -vvv [ other options ] hostname
To record access to the FTP and SFTP services, audit the lo class.
As the following output indicates, logging in to and out of the ftpd daemon generates audit records.
% bsmrecord -c lo | more
...
in.ftpd
  program     /usr/sbin/in.ftpd   See ftp access
  event ID    6165                AUE_ftpd
  class       lo                  (0x00001000)
      header
      subject
      [text]                      error message
      return
in.ftpd
  program     /usr/sbin/in.ftpd   See ftp logout
  event ID    6171                AUE_ftpd_logout
  class       lo                  (0x00001000)
      header
      subject
      return
...
The SSH login event records all accesses to the sftp command.
...
/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd   See login - ssh
  event ID    6172                AUE_ssh
  class       lo                  (0x00001000)
      header
      subject
      [text]                      error message
      return