Trusted Solaris Audit Administration

Audit Shutdown and Startup Procedures

The following procedures describe how to enable and disable auditing for one or more workstations. The commands should be run only on a diskfull workstation, and never on a diskless client.

Auditing tasks require commands and actions that are limited to particular roles and particular labels. Read each task for the administrative role that can perform it, and the label required. See "To Execute Commands that Require Privilege" for how to assume a role and open a privileged shell.

To Disable Auditing

  1. As role secadmin, at label admin_low, open the script /etc/init.d/audit using the Admin Editor.


    Note -

    This should be done only if auditing is not a site security requirement, or in cases of audit file overflow. The decision is the security administrator's responsibility.


  2. Comment out the start script:

    ...
        # Start the audit daemon
    #   if [ -f /etc/security/audit_startup ] ; then
    #           echo "starting audit daemon"
    #           /etc/security/audit_startup
    #           /usr/sbin/auditd &
    #   fi
    ...
  3. Write and quit the file.

  4. Open the script /etc/init.d/drvconfig using the Admin Editor.

  5. Add the following lines to the end of the file:

    # Disable auditing
    #
    /usr/bin/adb -wk /dev/ksyms /dev/mem > /dev/null <<end
    audit_active/W 0
    end

  6. Prevent spurious messages about the audit daemon at shutdown by commenting out the stop script in /etc/init.d/audit:

    ...
        # Stop the audit daemon
    #   if [ -f /etc/security/audit_startup ] ; then
    #           /usr/sbin/audit -t
    #   fi
  7. Write and quit the file.

  8. For the changes to take effect, reboot.


    Note -

    A user or role requires authorization to reboot the workstation.


    1. Choose Shut Down from the TP (Trusted Path) menu.

    2. Confirm the shutdown.

    3. Enter boot at the ok prompt or b at the > prompt:

      Type help for more information
      <#2> ok boot
      Type b (boot), c (continue), or n (new command mode)
      > b


To Enable Auditing

By default, auditing is enabled. If you have disabled auditing, enable it by reversing the above procedure.

  1. As role secadmin, at label admin_low, open the script /etc/init.d/audit using the Admin Editor.

  2. Remove the comments from the audit start script:

    ...
        # Start the audit daemon
        if [ -f /etc/security/audit_startup ] ; then
                echo "starting audit daemon"
                /etc/security/audit_startup
                /usr/sbin/auditd &
        fi
    ...
    
  3. Write and quit the file.

  4. Enable the audit daemon to exit gracefully at shutdown by removing the comments in the stop script in /etc/init.d/audit:

    ...
        # Stop the audit daemon
        if [ -f /etc/security/audit_startup ] ; then
                /usr/sbin/audit -t
        fi
  5. Write and quit the file.

  6. Open the script /etc/init.d/drvconfig using the Admin Editor.

  7. Comment out the "Disable auditing" lines:

    # Disable auditing
    #
    # /usr/bin/adb -wk /dev/ksyms /dev/mem > /dev/null <<end
    # audit_active/W 0
    # end
  8. Write and quit the file.

  9. For the changes to take effect, reboot using the Shut Down menu item from the TP (Trusted Path) menu.
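Both procedures above change auditing by editing two init scripts, and a half-finished edit (for example, the start block uncommented but the drvconfig adb write still in place) silently leaves auditing off after the next reboot. The following check is an added example and not part of the Trusted Solaris documentation: it inspects copies of /etc/init.d/audit and /etc/init.d/drvconfig and reports whether auditing would be active at the next boot, and whether the start and stop blocks in /etc/init.d/audit agree with each other. The file paths and contents below are constructed to mirror the script fragments shown in the procedures; on a real workstation you would point the functions at the actual scripts.

```shell
#!/bin/sh
# Added example, not part of the Trusted Solaris documentation: a read-only
# check over copies of /etc/init.d/audit and /etc/init.d/drvconfig that
# reports whether the edits from the enable/disable procedures leave
# auditing active after the next reboot. Sample files are constructed below.

# 0 if the "Start the audit daemon" block is live (an uncommented auditd
# invocation exists), 1 if it has been commented out as in the disable step.
audit_start_enabled() {
    grep -q '^[[:space:]]*/usr/sbin/auditd' "$1"
}

# 0 if the "Stop the audit daemon" block is live, 1 if commented out.
audit_stop_enabled() {
    grep -q '^[[:space:]]*/usr/sbin/audit -t' "$1"
}

# 0 if drvconfig still carries an uncommented adb write that zeroes
# audit_active at boot (the "Disable auditing" lines), 1 otherwise.
drvconfig_disables_audit() {
    grep -q '^[[:space:]]*audit_active/W 0' "$1"
}

# Print "enabled" or "disabled" for an audit script and a drvconfig script;
# the exit status mirrors the result (0 = enabled).
audit_state() {
    if audit_start_enabled "$1" && ! drvconfig_disables_audit "$2"; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# Flag a half-done edit of /etc/init.d/audit: start block live but stop block
# commented out (daemon starts but is never told to exit at shutdown), or the
# reverse. Prints "consistent" or "inconsistent".
audit_script_consistent() {
    if audit_start_enabled "$1"; then s=1; else s=0; fi
    if audit_stop_enabled "$1"; then t=1; else t=0; fi
    if [ "$s" = "$t" ]; then echo consistent; return 0; fi
    echo inconsistent
    return 1
}

# --- constructed sample files (not real system files) ---
SAMPLES=${TMPDIR:-/tmp}/audit-check.$$
mkdir -p "$SAMPLES"

cat > "$SAMPLES/audit.enabled" <<'EOF'
        # Start the audit daemon
        if [ -f /etc/security/audit_startup ] ; then
                echo "starting audit daemon"
                /etc/security/audit_startup
                /usr/sbin/auditd &
        fi
        # Stop the audit daemon
        if [ -f /etc/security/audit_startup ] ; then
                /usr/sbin/audit -t
        fi
EOF

cat > "$SAMPLES/audit.disabled" <<'EOF'
        # Start the audit daemon
#       if [ -f /etc/security/audit_startup ] ; then
#               echo "starting audit daemon"
#               /etc/security/audit_startup
#               /usr/sbin/auditd &
#       fi
        # Stop the audit daemon
#       if [ -f /etc/security/audit_startup ] ; then
#               /usr/sbin/audit -t
#       fi
EOF

# Start block live, stop block still commented out: a half-finished enable.
cat > "$SAMPLES/audit.partial" <<'EOF'
        # Start the audit daemon
        if [ -f /etc/security/audit_startup ] ; then
                /usr/sbin/auditd &
        fi
        # Stop the audit daemon
#       if [ -f /etc/security/audit_startup ] ; then
#               /usr/sbin/audit -t
#       fi
EOF

printf '# drvconfig body (constructed placeholder)\n' > "$SAMPLES/drvconfig.clean"

cat > "$SAMPLES/drvconfig.patched" <<'EOF'
# Disable auditing
#
/usr/bin/adb -wk /dev/ksyms /dev/mem > /dev/null <<end
audit_active/W 0
end
EOF

echo "enabled scripts:  $(audit_state "$SAMPLES/audit.enabled" "$SAMPLES/drvconfig.clean")"
echo "disabled scripts: $(audit_state "$SAMPLES/audit.disabled" "$SAMPLES/drvconfig.patched")"
echo "partial edit:     $(audit_script_consistent "$SAMPLES/audit.partial")"
```

Run it as any role that can read the two scripts; it writes nothing to the system, so it is safe to include in a routine configuration review, and the "inconsistent" result is the one to act on before a reboot.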