System Administration Guide: Security Services

Audit Logs

Audit records are collected in audit logs. Solaris auditing provides two output modes for audit logs. Logs that are called audit files store audit records in binary format. The set of audit files from a system or site provide a complete audit record. The complete audit record is called the audit trail.

The syslog utility collects and stores text version summaries of the audit record. A syslog record is not complete. The following example shows a syslog entry for a login audit record:

Oct 13  11:24:11 example_system auditd: [ID 6472 audit.notice] \
        login - login ok session 378 by root as root:other

A site can store audit records in both formats. You can configure the systems at your site to use binary mode, to use syslog mode, or to use both modes. The following table compares binary audit records with syslog audit records.

Table 28–2 Comparison of Binary Audit Records With syslog Audit Records

Feature          | Binary Records                                                          | syslog Records
-----------------|-------------------------------------------------------------------------|------------------------------------------------------------------------------------------
Protocol         | Writes to the file system                                               | Uses UDP for remote logging
Data type        | Binary                                                                  | Text
Record length    | No limit                                                                | Up to 1024 characters per audit record
Location         | Stored on local disk, and in directories that are mounted by using NFS  | Stored in a location that is specified in the syslog.conf file
How to configure | Edit audit_control file, and protect and NFS-mount audit directories    | Edit audit_control file, and edit syslog.conf file
How to read      | Typically, in batch mode; browser output in XML                         | In real time, or searched by scripts that you have created for syslog; plain text output
Completeness     | Guaranteed to be complete, and to appear in the correct order           | Are not guaranteed to be complete
Timestamp        | Greenwich Mean Time (GMT)                                               | Time on the system that is being audited

Binary records provide the greatest security and coverage. Binary output meets the requirements of security certifications, such as the Common Criteria Controlled Access Protection Profile (CAPP). The records are written to a file system that you protect from snooping. On a single system, all binary records are collected and are displayed in order. The GMT timestamp on binary logs enables accurate comparison when systems on one audit trail are distributed across time zones. The praudit -x command enables you to view the records in a browser in XML. You can also use scripts to parse the XML output.

In contrast, the syslog records provide greater convenience and flexibility. For example, you can collect the syslog data from a variety of sources. Also, when you monitor audit.notice events in the syslog.conf file, the syslog utility logs an audit record summary with the current timestamp. You can use the same management and analysis tools that you have developed for syslog messages from a variety of sources, including workstations, servers, firewalls, and routers. The records can be viewed in real time, and can be stored on a remote system.

By using syslog.conf to store audit records remotely, you protect log data from alteration or deletion by an attacker. On the other hand, when audit records are stored remotely, the records are susceptible to network attacks such as denial of service and spoofed source addresses. Also, UDP can drop packets or can deliver packets out of order. The limit on syslog entries is 1024 characters, so some audit records could be truncated in the log. On a single system, not all audit records are collected, and the records might not display in order. Because each audit record is stamped with the local system's date and time, you cannot rely on the timestamp to construct an audit trail that spans several systems.
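The following parser is an added example, not part of this guide or of Solaris auditing itself. It reads syslog-mode audit summaries of the shape shown earlier in this section, pulls out the event, session, and identity fields, and flags two of the limitations just described: the 1024-character syslog limit and the local, year-less timestamp. The sample lines are constructed for the example; the second auditd line and the sshd line are made up and only illustrate the parser.

```python
import re
from typing import Optional

# Limit on a syslog entry given in the text; an entry at or over it may be cut off.
SYSLOG_MAX_LEN = 1024

# Shape of the audit.notice summary shown in the text:
#   Oct 13  11:24:11 example_system auditd: [ID 6472 audit.notice] \
#           login - login ok session 378 by root as root:other
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+auditd:\s+\[ID\s+(?P<msgid>\d+)\s+audit\.(?P<level>\w+)\]\s+"
    r"(?P<event>\S+)\s+-\s+(?P<summary>.*)$"
)
SESSION_RE = re.compile(r"\bsession\s+(?P<session>\d+)")
IDENTITY_RE = re.compile(r"\bby\s+(?P<by>\S+)\s+as\s+(?P<as>\S+)")


def parse_audit_syslog_line(line: str) -> Optional[dict]:
    """Parse one syslog-mode audit summary into a dict; None if it is not an auditd line."""
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["summary"] = rec["summary"].strip()
    s = SESSION_RE.search(rec["summary"])
    rec["session"] = int(s.group("session")) if s else None
    i = IDENTITY_RE.search(rec["summary"])
    rec["by"] = i.group("by") if i else None
    rec["as"] = i.group("as") if i else None
    # The syslog timestamp carries no year and no zone: it is local time on the audited host,
    # so it cannot order records from several systems the way the GMT binary timestamp can.
    rec["timestamp_is_local"] = True
    # An entry that reaches the syslog limit may have lost its tail; flag it for the analyst.
    rec["possibly_truncated"] = len(line) >= SYSLOG_MAX_LEN
    return rec


# Constructed sample: the guide's example line, a made-up failed login, and an
# unrelated syslog message that the parser must skip.
SAMPLE_LINES = [
    "Oct 13  11:24:11 example_system auditd: [ID 6472 audit.notice] "
    "login - login ok session 378 by root as root:other",
    "Oct 13  11:25:02 example_system auditd: [ID 6472 audit.notice] "
    "login - login failed session 379 by root as root:other",
    "Oct 13  11:25:03 example_system sshd[1234]: [ID 800047 auth.info] Accepted publickey",
]


def parse_lines(lines):
    """Parse a batch of syslog lines, keeping only auditd summaries."""
    return [r for r in map(parse_audit_syslog_line, lines) if r is not None]
```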

For more information on audit logs, refer to the following: