You can instruct the audit service to copy some or all of the collected audit records in the audit queue to syslog. In the following procedure, you save binary audit data and text audit data. The collected text audit data is a subset of the binary data.
You must preselect audit classes. Preselected audit classes are specified in the flags line and the naflags line of the audit_control file. You can also preselect classes for individual users in the audit_user file and dynamically add audit classes with the auditconfig command.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
(Optional) Save a backup copy of the audit_control file.
# cp /etc/security/audit_control /etc/security/audit_control.save
Add an audit_syslog.so plugin entry.
## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so;p_dir=/var/audit; p_minfree=20;
plugin:name=audit_syslog.so;p_flags=+lo,-ss
A plugin entry has the following format:
plugin:name=name; qsize=max-queued-records;p_*=value
name=name – Lists the name of the plugin. The valid values are audit_binfile.so and audit_syslog.so.
qsize=max-queued-records – Specifies the maximum number of records to queue for audit data that is being sent to the plugin. This attribute is optional.
p_*=value – Specifies plugin-specific attributes. The audit_syslog.so plugin accepts p_flags. The audit_binfile.so plugin accepts p_dir, p_minfree and p_fsize.
The audit_remote.so plugin accepts p_hosts, p_retries and p_timeout.
For more information about the plugin-specific attributes, see the OBJECT ATTRIBUTES section of the audit_binfile(5) and audit_syslog(5) man pages. For the audit_remote.so plugin, see the audit_remote(5) man page.
Add an audit.notice entry to the syslog.conf file.
The entry includes the location of the log file.
# cat /etc/syslog.conf
…
audit.notice /var/adm/auditlog
Do not store text logs where the binary audit files are stored. The auditreduce command, which reads binary audit files, assumes that all files in an audit partition are binary audit files.
Create the log file.
# touch /var/adm/auditlog
Refresh the configuration information for the syslog service.
# svcadm refresh system/system-log
Regularly archive the syslog log files.
The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.
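The following added Python example (not part of the Solaris documentation or of the audit service itself) parses the plugin entries of an audit_control file, the audit_user file and the audit.notice entries of syslog.conf, then performs the two consistency checks this procedure implies: every class named in the audit_syslog.so p_flags attribute must be preselected in flags, naflags or audit_user, and the text log must not be placed inside a binary p_dir audit partition. The three sample file contents are constructed from the examples in this procedure; the check does not read a real system's files.

```python
AUDIT_CONTROL = """flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so;p_dir=/var/audit; p_minfree=20;
plugin:name=audit_syslog.so;p_flags=+lo,-ss,+pf
"""  # constructed sample modelled on the procedure's example, not a real host's file
AUDIT_USER = "jdoe:pf\n"                          # constructed: jdoe always audited for pf
SYSLOG_CONF = "audit.notice\t/var/adm/auditlog\n"  # constructed: text log outside /var/audit

def class_names(spec):
    """Comma-separated class list -> bare class names (drop the +, - and ^ prefixes)."""
    return {c.strip().lstrip("+-^") for c in spec.split(",") if c.strip()}

def parse_audit_control(text):
    """Return (classes preselected by flags/naflags, {plugin name: attribute dict})."""
    classes, plugins = set(), {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key in ("flags", "naflags"):
            classes |= class_names(value)
        elif key == "plugin":                     # name=...;qsize=...;p_*=value
            attrs = dict(item.strip().split("=", 1)
                         for item in value.split(";") if "=" in item)
            plugins[attrs["name"]] = attrs
    return classes, plugins

def user_classes(text):
    """audit_user lines are user:always-audit:never-audit; collect the always-audit classes."""
    return set().union(*(class_names(line.split(":")[1])
                         for line in text.splitlines() if ":" in line))

def syslog_targets(text):
    """Actions of the audit.notice entries: a local file path or @host."""
    return [f[1] for f in (line.split() for line in text.splitlines())
            if len(f) == 2 and f[0] == "audit.notice"]

def check(audit_control, audit_user, syslog_conf):
    """Return a list of problems; an empty list means the three files are consistent."""
    problems = []
    classes, plugins = parse_audit_control(audit_control)
    classes |= user_classes(audit_user)
    syslog_flags = plugins.get("audit_syslog.so", {}).get("p_flags", "")
    for cls in sorted(class_names(syslog_flags) - classes):
        problems.append(f"p_flags class {cls!r} is not preselected anywhere")
    p_dir = plugins.get("audit_binfile.so", {}).get("p_dir", "")
    bin_dirs = [d.strip().rstrip("/") for d in p_dir.split(",") if d.strip()]
    for target in syslog_targets(syslog_conf):    # "@host" targets never match a path
        for d in bin_dirs:
            if target.startswith(d + "/"):
                problems.append(f"syslog log {target} lies inside binary audit directory {d}")
    return problems
```

Calling check(AUDIT_CONTROL, AUDIT_USER, SYSLOG_CONF) on the samples returns an empty list; removing the audit_user entry, or pointing audit.notice at a file under /var/audit, produces a message for each inconsistency.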
In the following example, the syslog utility collects a subset of the preselected audit classes.
## audit_user file
jdoe:pf
## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit/host.1/files, /var/audit/host.2/files,/var/audit/localhost/files; p_minfree=10
plugin:name=audit_syslog.so; p_flags=-lo,-na,-ss,+pf
The flags and naflags entries instruct the system to collect all login/logout, nonattributable, and change of system state audit records in binary format. The audit_syslog.so plugin entry instructs the syslog utility to collect only failed logins, failed nonattributable events, and failed changes of system state. For the jdoe user, the binary audit record includes all uses of a profile-aware shell. The syslog utility collects successful profile-aware commands. The pf class is created in Example 30–10.
You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is example1. The remote system is remote1.
example1 # cat /etc/syslog.conf
…
audit.notice @remote1
The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.
remote1 # cat /etc/syslog.conf
…
audit.notice /var/adm/auditlog
The preferred method for specifying non-flags information in the audit_control file is to use the plugin entry. In this example, the audit flags are selected, then the plugin information is listed.
## audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so;p_minfree=10; p_dir=/var/audit
plugin:name=audit_syslog.so; p_flags=+lo