The following procedures describe how to set up auditing for one or more workstations.
During installation, the install team creates dedicated audit partition(s) when formatting the disks.
Use the naming convention /etc/security/audit/workstation_name(.n)
A diskfull workstation should have at least one local audit directory, which it can use as a directory of last resort, if unable to communicate with the audit server.
See "Audit Storage" for an explanation of the naming convention.
On an audit file server, most partitions hold audit files, as is shown in the following example of the egret audit file server:
Disk |
Slice |
Mount point |
Size |
---|---|---|---|
c0t2d0 |
s0 |
/etc/security/audit/egret |
1.0 GB |
|
s1 |
/etc/security/audit/egret.1 |
.98 GB |
|
s2 |
entire disk |
1.98 GB |
c0t2d1 |
s0 |
/etc/security/audit/egret.2 |
502 MB |
|
s1 |
/etc/security/audit/egret.3 |
500 MB |
|
s2 |
entire disk |
1002 MB |
Another disk holds egret's / (root) and /swap partitions.
On a diskfull workstation, including the audit administration server, at least one partition should be dedicated to local audit files, as is shown in the following example of the workstation willet:
Disk |
Slice |
Mount point |
Size (MB) |
---|---|---|---|
c0t3d0 |
s0 |
/ |
70 |
|
s1 |
swap |
180 |
|
s2 |
entire disk |
1002 |
|
s3 |
/usr |
350 |
|
s4 |
/etc/security/audit/willet |
202 |
|
s7 |
/export/home |
200 |
A rule of thumb is to assign 200 MB of space for each workstation. However, the disk space requirements at your site will be based on how much auditing you perform and may be far greater than this figure.
Fewer and large partitions are more efficient than more and smaller ones.
To add a disk to hold audit partitions after installing the workstation, see the Solaris 7 System Administration Guide, Volume II. To protect the disks with Trusted Solaris security attributes, see Trusted Solaris Administrator's Procedures.
Most commands for setting up auditing require the use of a profile shell, where commands can run with privilege. Auditing also requires the use of actions in the System_Admin and Solstice_Apps folders of Application Manager.
Log in to the workstation as yourself.
Enter your user name and press the Return key.
If the workstation is protected against anyone logging in, the Enable Logins dialog is displayed.
If you are allowed to enable logins, click the Yes button after Login:.
If you are not allowed to enable logins, ask the administrator to enable logins.
Enter your password.
Click OK to dismiss the dialog.
You are presented with the message of the day and a label builder screen. In a single-label system, the screen describes your session label. In a multilabel system, it presents you with a label builder to choose your session clearance.
Accept the default unless you have a reason not to.
Press the Return key or click the OK button and be logged in.
Assume an administrative role that you have been assigned.
As an administrative role, in a workspace at the label required by the task, launch a terminal by right-clicking the background and selecting Tools > Terminal from the menu.
Enter the clist command.
# clist |
If a list of commands prints, you are in a profile shell.
As role admin, at label admin_low
, unmount the audit partitions from the workstation by running the umount(1M) command.
For example, on the audit file server egret:
egret$ umount /etc/security/audit/egret egret$ umount /etc/security/audit/egret.1 egret$ umount /etc/security/audit/egret.2 egret$ umount /etc/security/audit/egret.3 |
Reduce reserved filesystem space on each partition to 0% with the command tunefs -m 0.
The security administrator sets the reserved filesystem space (called the minfree limit) in the audit_control(4) file.
For example, on the audit file server egret:
egret$ tunefs -m 0 /etc/security/audit/egret egret$ tunefs -m 0 /etc/security/audit/egret.1 egret$ tunefs -m 0 /etc/security/audit/egret.2 egret$ tunefs -m 0 /etc/security/audit/egret.3 |
Similarly, on the workstation willet:
willet$ umount /etc/security/audit/willet willet$ tunefs -m 0 /etc/security/audit/willet |
See the tunefs(1M) man page for more information on the advantages and disadvantages of tuning a file system.
As role secadmin, at label admin_low
, set the appropriate file permissions on every audit file system while the file system is unmounted.
For example, on the audit file server egret:
egret$ chmod -R 750 /etc/security/audit/egret egret$ chmod -R 750 /etc/security/audit/egret.1 egret$ chmod -R 750 /etc/security/audit/egret.2 egret$ chmod -R 750 /etc/security/audit/egret.3 |
On the workstation willet:
willet$ chmod -R 750 /etc/security/audit/willet |
As role secadmin, at label admin_high
, set any Trusted Solaris security attribute defaults required by your site security policy on every audit file system while the file system
is unmounted.
To run the command at the label admin_high
, you must create an admin_high
workspace. Follow the procedure in "To Create an Admin_High Workspace".
For example, the following command on the audit file server egret should be repeated for all of its audit partitions:
egret$ setfsattr -l "admin_high;admin_high" -s "[admin_high]" \ /etc/security/audit/egret |
On the workstation willet:
willet$ setfsattr -l "admin_high;admin_high" -s "[admin_high]" \ /etc/security/audit/willet |
The -l option ensures that all files created in the file system are labeled admin_high
, and the -s option sets the partition's default sensitivity label for the audit files.
See the setfsattr(1M) man page for more information.
The local audit file systems must already be in the host's /etc/vfstab file.
As admin, at label admin_high
, remount the local audit file systems.
Follow the procedure in "To Create an Admin_High Workspace" to get an admin_high
process.
For example, on the audit file server egret:
egret$ mount /etc/security/audit/egret egret$ mount /etc/security/audit/egret.1 egret$ mount /etc/security/audit/egret.2 egret$ mount /etc/security/audit/egret.3 |
Similarly, on the workstation willet:
willet$ mount /etc/security/audit/willet |
Create a directory named files at the top of each mounted audit partition.
For example, on the audit file server egret:
egret$ mkdir /etc/security/audit/egret/files egret$ mkdir /etc/security/audit/egret.1/files egret$ mkdir /etc/security/audit/egret.2/files egret$ mkdir /etc/security/audit/egret.3/files |
On the workstation willet:
willet$ mkdir /etc/security/audit/willet/files |
As role admin, at label admin_low
, enter every local audit file system in the local host's dfstab(4) file.
Click the Application Manager, double-click the System_Admin folder, and double-click the Share Filesystems action.
Enter and protect each local audit directory in the dfstab file.
For example, the audit file server egret has the following entries:
share -F nfs -o ro -d "local audit files" /etc/security/audit/egret share -F nfs -o rw=willet:audubon -d "audit willet" /etc/security/audit/egret.1 share -F nfs -o rw=grebe:audubon -d "audit grebe" /etc/security/audit/egret.2 share -F nfs -o rw=sora:audubon -d "audit sora" /etc/security/audit/egret.3
The workstation willet has the following entry:
share -F nfs -o ro -d "local audit files" /etc/security/audit/willet
Reboot the workstation by choosing Shut Down from the TP menu.
As role admin at label admin_low
, on audubon, the audit administration server, create a mount point for every audit directory
in the Trusted Solaris network.
For example, on the audit administration server audubon:
audubon$ mkdir /etc/security/audit/willet audubon$ mkdir /etc/security/audit/egret audubon$ mkdir /etc/security/audit/egret.1 ... |
As role admin, at label admin_low
, enter every audit partition on the network in the audit administration server's vfstab(4) file.
Mount audit directories with the read-write (rw) option. Mount remote partitions using the soft option.
Click the Application Manager, double-click the System_Admin folder, and double-click the Set Mount Points action.
Enter the mount points in the vfstab(4) file.
The following shows part of the vfstab file on audubon:
egret:/etc/security/audit/egret - /etc/security/audit/egret nfs - yes bg,soft,nopriv egret:/etc/security/audit/egret.1 - /etc/security/audit/egret.1 nfs - yes bg,soft,nopriv egret:/etc/security/audit/egret.2 - /etc/security/audit/egret.2 nfs - yes bg,soft,nopriv egret:/etc/security/audit/egret.3 - /etc/security/audit/egret.3 nfs - yes bg,soft,nopriv willet:/etc/security/audit/willet - /etc/security/audit/willet nfs - yes bg,soft,nopriv ...
On each workstation, create the mount points for the remote audit file servers' partitions that are used by the workstation, and enter them in the vfstab(4) file. Do this as role admin, at label admin_low
.
For example, to create the mount points on the workstation willet:
willet$ mkdir /etc/security/audit/egret willet$ mkdir /etc/security/audit/audubon.2 |
Click the Application Manager, double-click the System_Admin folder, and double-click the Set Mount Points action.
Enter the mount points in the vfstab(4) file.
The following shows part of the vfstab file on willet:
egret:/etc/security/audit/egret - /etc/security/audit/egret nfs - yes bg,soft,nopriv audubon:/etc/security/audit/audubon.2 - /etc/security/audit/audubon.2 nfs - yes nopriv
As role secadmin, at label admin_low
, enter reserve free space in the audit_control(4) file.
Enter a value between 10 and 20 on the minfree: line.
dir:/var/audit flags: minfree:20 naflags:
Write the file and quit the editor.
As role secadmin, at label admin_low
, enter audit storage locations in the audit_control file.
On the first workstation installed, enter its local audit file system as the value of the dir: line.
The following shows the audit_control file for grebe, the NIS+ root master.
dir:/etc/security/audit/grebe/files flags: minfree:20 naflags:
When the audit file servers have been installed and configured, add their (mounted) filesystem names plus their top-level directory, files to the dir: entry.
The mounted file systems are listed before the workstation's local file system, as in:
dir:/etc/security/audit/egret/files dir:/etc/security/audit/egret.1/files dir:/etc/security/audit/grebe/files flags: minfree:20 naflags:
Write the file and exit the editor.
As role secadmin in an admin_high
profile shell, execute the audit -s command to have the audit daemon re-read the audit_control
file and write audit records to the designated directory.:
$ audit -s |
By default, the audit records have been stored in /var/audit. The audit records will now be stored in the first directory in the audit_control file.
As role secadmin, at label admin_low
, enter system-wide audit flags in the audit_control(4) file.
Enter the na class in the naflags: line if your site is auditing non-attributable events.
dir:/etc/security/audit/egret/files dir:/etc/security/audit/egret.1/files dir:/etc/security/audit/grebe/files flags: minfree:20 naflags:na
Enter other classes in the flags: line if your workstation is auditing user-level events.
dir:/etc/security/audit/egret/files dir:/etc/security/audit/egret.1/files dir:/etc/security/audit/grebe/files flags:lo,ad,-all,^-fc minfree:20 naflags:na
See "Sample audit_control File" for an explanation of the syntax of the audit flags' fields.
Write the file and exit the editor.
On a distributed system, the audit flags in the audit_control file must be identical on every workstation on the network. See "To Distribute Audit Configuration Files to a Network of Workstations" for a process to distribute master copies of files to all workstations on the network.
As role secadmin, at label admin_low
, enter user exceptions to system-wide audit flags in the audit_user(4) file.
Open the System_Admin folder from the Application Manager.
Double-click the Audit Users action.
Enter the user exceptions, write the file, and exit the editor.
For example, the following entry audits the role root for logins and logouts, and never audits the fc class, even if it is being audited for the workstation. The jane entry audits her for all flags specified in the audit_control file except for successful file_read events. Null events, no, are never audited.
# User Level Audit User File # # File Format # # username:always:never # root:lo:no,fc jane:all,^+fr:no
As role admin, at label admin_low
, enter mail alias to warn of audit trouble in the Aliases database.
Add an alias called audit_warn(1M) for notifying its members of audit trouble.
For example, this audit_warn alias emails the security administrator and the system administrator when the auditing subsystem needs attention.
Alias: audit_warn Expansion: secadmin@grebe,admin@grebe
As role secadmin, at label admin_low
, enter permanent audit policy in the audit_startup(1M) file.
Create a script that calls the auditconfig(1M) command with policy options.
The sample audit_startup(1M) script below adds ACLs to audit records, halts the workstation when its audit file systems are full, and at startup, prints the current audit policy to standard i/o.
#!/bin/sh auditconfig -setpolicy +slabel,+acl auditconfig -setpolicy +ahlt auditconfig -getpolicy
Write the file and exit the editor
To run auditing in an evaluated configuration, the cnt policy cannot be turned on; the ahlt policy (the default) cannot be turned off.
During installation, as root, at label admin_low
, create a directory on the first installed workstation to hold copies of the audit configuration
files customized for your site.
The directory would include your customized versions of audit_control, audit_user, audit_startup, and audit_warn. If you have modified event-to-class mappings, it would include audit_event and audit_class. It would not include audit_data.
For example, on grebe, the first workstation in a network:
# mkdir /export/home/tmp |
Copy the modified files from the /etc/security directory to the /export/home/tmp directory.
# cp /etc/security/audit_control /export/home/tmp/audit_control # cp /etc/security/audit_user /export/home/tmp/audit_user # cp /etc/security/audit_startup /export/home/tmp/audit_startup # cp /etc/security/audit_event /export/home/tmp/audit_event |
Allocate the tape or diskette device.
Follow the procedure in "To Allocate and Deallocate Devices".
Run the tar(1) command to copy the contents of the /export/home/tmp directory to tape or to diskette.
Deallocate the tape or diskette device and follow the instructions.
Follow the procedure in "To Deallocate a Device".
As root, at label admin_low
, as each new workstation is configured, copy the files from the tape or diskette to the correct directory on the new workstation.
Prepare the directory for the new files.
# cd /etc/security # mv audit_control audit_control.orig # mv audit_startup audit_startup.orig # mv audit_warn audit_user.orig # mv audit_event audit_event.orig |
Allocate the appropriate device at the label admin_low
.
Follow the procedure in "To Allocate and Deallocate Devices".
Deallocate the device.
Follow the procedure in "To Deallocate a Device".
As role secadmin, at label admin_low
, modify the audit_control file on each new workstation with that workstation's remote and local audit file systems.
The Device Manager allocates and deallocates devices.
In the role and in a workspace at the label required, click the left mouse button on the triangle above the Style Manager icon on the Front Panel.
The Trusted Desktop subpanel is displayed.
Double-click the device to be allocated.
mag_tape_0 allocates a tape device. floppy_0 allocates a diskette.
Click OK in the label builder that appears.
The file you load will be labeled admin_low
.
Follow the directions in the window that is displayed.
Go to the workspace where the Device Manager was allocated.
Double-click the device to deallocate itis .
A window appears listing devices being deallocated.
When prompted, remove the tape or diskette from the drive and label it appropriately.
Press the Return key to dismiss the window.
Click the top left button and select Close to close the Device Allocation Manager window.