Trusted Solaris Audit Administration

Rolling Out Auditing at Your Site

To roll out auditing, the system administrator sets up the audit administration server, the audit file servers, and the local audit partitions, and specifies which usernames are warned of audit trouble. The security administrator edits the audit_control(4) file on the NIS+ root master, edits the other audit configuration files, and then copies them to a central directory for distribution by tape or floppy. The install team copies the audit configuration files from the tape to each workstation as it is configured. Finally, the security administrator edits the dir: lines in the audit_control file on each workstation before the system is rebooted, so that each workstation writes its audit trail to its own audit partitions.
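The last step above, adjusting the dir: lines of a distributed audit_control file for each workstation, is where a per-host mistake (a missing or relative directory) leaves a system booting without a usable audit trail. The following shell functions are an added example, not part of the Trusted Solaris documentation: they generate a workstation's audit_control from the site template by replacing the dir: lines, and check the result before the reboot. The keywords dir:, flags:, naflags: and minfree: are the audit_control(4) format; the class names, the minfree value, and the /var/audit paths are constructed sample values, not a recommended configuration.

```shell
#!/bin/sh
# Added example: build and check a per-workstation audit_control(4) file.
# Not from the Trusted Solaris documentation; paths and classes are samples.

# Site template as prepared by the security administrator on the NIS+ root
# master. The dir: line is deliberately a placeholder that every workstation
# must replace; lo, ad, ex and minfree 20 are constructed sample values.
SITE_TEMPLATE='dir:/SITEWIDE_PLACEHOLDER
flags:lo,ad,ex
naflags:lo,ad
minfree:20'

# make_host_audit_control TEMPLATE OUTFILE DIR...
# Writes one dir: line per local audit directory given (in order of
# preference; auditd uses the first and moves on when it fills), followed by
# every non-dir: line of TEMPLATE unchanged.
make_host_audit_control() {
    template=$1; out=$2; shift 2
    : > "$out"
    for d in "$@"; do
        printf 'dir:%s\n' "$d" >> "$out"
    done
    printf '%s\n' "$template" | grep -v '^dir:' >> "$out"
}

# check_audit_control FILE
# Returns 0 when FILE has at least one dir: line, a flags: line and a
# minfree: line, every dir: value is an absolute path, and the site
# placeholder has been replaced; otherwise prints the first problem found
# and returns 1. Run this on each workstation before rebooting.
check_audit_control() {
    f=$1
    grep -q '^dir:' "$f"     || { echo "no dir: line in $f"; return 1; }
    grep -q '^flags:' "$f"   || { echo "no flags: line in $f"; return 1; }
    grep -q '^minfree:' "$f" || { echo "no minfree: line in $f"; return 1; }
    if grep '^dir:' "$f" | grep -qv '^dir:/'; then
        echo "relative dir: path in $f"; return 1
    fi
    if grep -q 'SITEWIDE_PLACEHOLDER' "$f"; then
        echo "site placeholder still present in $f"; return 1
    fi
    return 0
}

# count_dir_lines FILE: number of dir: entries, i.e. local audit partitions.
count_dir_lines() { grep -c '^dir:' "$1"; }

# demo: generate a file for a workstation with two audit partitions
# (constructed paths) in a temporary directory, check it and print it.
demo() {
    tmp=$(mktemp -d)
    make_host_audit_control "$SITE_TEMPLATE" "$tmp/audit_control" \
        /var/audit/ws1.1 /var/audit/ws1.2
    check_audit_control "$tmp/audit_control" && cat "$tmp/audit_control"
    rm -rf "$tmp"
}
```

On a real workstation the output file would be /etc/security/audit_control; the demo writes to a temporary directory so it can be run anywhere without touching the system's configuration.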


Note - Administrators should understand that Trusted Solaris records only the security-relevant events that it is configured to record (that is, by preselection). Any subsequent audit can therefore consider only the events that were recorded. If auditing is not configured to record the security-relevant events for the particular system environment in which it operates, it will not be possible to audit those events. This may mean that attempts to breach the security of the system go undetected, or that the administrator is unable to identify the user responsible for an attempted breach. Administrators should regularly analyze audit trails to check for breaches of security.


System Administrator's Audit Setup Tasks

Table 2-1 Basic Auditing Setup by the System Administrator

Task                                        For the procedure, see...
Create audit partitions                     "To Create Dedicated Audit Partitions"
Create audit administration server          Trusted Solaris Installation and Configuration or Trusted Solaris Administrator's Procedures
Install audit file servers                  Plan to install them before audit clients
Create files directory                      "To Create an Audit Directory"
Export audit partitions (networks only)     "To Share an Audit File System"
Edit Aliases database                       "To Warn of Audit Trouble"
Mount audit partitions (networks only)      "To Mount an Audit File System"

Security Administrator's Audit Setup Tasks - Basic

Table 2-2 Basic Auditing Setup by the Security Administrator

Task                                        For the procedure, see...
On first workstation:
Edit audit_control file                     "To Set Audit Flags"
                                            "To Reserve Free Space on an Audit File System"
                                            "To Specify the Audit File Storage Locations"
Set Solaris security attributes             "To Protect an Audit File System"
Edit audit_user file                        "To Set User Exceptions to the Audit Flags"
Edit audit_startup file                     "To Set Audit Policy Permanently"
Copy for distribution (networks only)       "To Distribute Audit Configuration Files to a Network of Workstations"
Set security attributes                     "To Protect an Audit File System"

Security Administrator's Audit Setup Tasks - Advanced

Table 2-3 Advanced Auditing Setup by the Security Administrator

Task                                        For the procedure, see...
On first workstation:
Edit audit_event file                       "To Add Audit Events"
                                            "To Change Event-Class Mappings"
Edit audit_class file                       "To Add Audit Classes"
Copy for distribution (networks only)       "To Distribute Audit Configuration Files to a Network of Workstations"