A certain amount of administrative setup needs to occur to create third-party events and classes, and view audit records logged to the audit trail. The following is a summary of the administrative setup required for the code examples in this chapter to work. Trusted Solaris Audit Administration explains these and other administrative procedures in detail.
First, check that auditing is enabled and turned on. It is enabled by default, but you can verify this with the auditconfig(1M) command and its -getcond option. Run this command from the profile shell with the sys_audit or proc_audit_appl privilege. The -setcond option turns auditing on and off.
phoenix% auditconfig -getcond
This section shows you how to set up the audit_class, audit_event, and audit_control files. The best way to edit these files is as follows:
1. Assume the Security administrator role.
2. Launch the Application Manager.
3. Double click the System_Admin icon.
4. Double click the Audit Classes, Audit Events, or Audit Control action.
5. Edit each file as described in the following sections.
Create the third-party audit class ec and two audit events, AUE_second_signature and AUE_second_signature_verify. See the audit_class(4) and audit_event(4) man pages for more information on these files.
Third-party audit classes are added to the /etc/security/audit_class file in the form mask:name:description as follows:
0x00008000:ec:example class
Third-party audit events are added to the /etc/security/audit_event file and assigned one of the numbers reserved for third-party events from 32768 to 65535. This file also contains the audit event to audit class mapping. The following lines add two events and map them to the example (ec) class:
32768:AUE_second_signature:second signature requested:ec
32769:AUE_second_signature_verify:second signature added:ec
The process preselection mask specifies the audit classes to be audited by the process. To set up the preselection mask to audit for third-party events, edit the /etc/security/audit_control flag parameter as follows to audit events in the example (ec) class for success and failure.
flags:ec
Settings in audit_control(4) are global to all users in the system. To make a setting specific to a user, edit the /etc/security/audit_user file (the Audit Users action) as follows:
zelda:ec
See the audit_control(4) and audit_user(4) man pages for more information on these files and settings. Log out and log back in for the newly defined process preselection mask to take effect. You could also use auditconfig(1M) with the -setpmask option to set the process preselection mask on any existing processes, but it is probably easier to set one of these files and log out and log back in once.
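The following script is an added example and is not part of the Trusted Solaris documentation. It checks candidate audit_class and audit_event entries against the formats and rules described above (mask:name:description with a single-bit mask that does not collide with an existing class; number:name:description:class with a number in the third-party range 32768 to 65535 and a class that exists in audit_class) before they are installed. It runs offline on constructed copies of the two files in a temporary directory; the function names check_class, check_event, and check_event_file are this example's own, not Trusted Solaris commands.

```shell
#!/bin/sh
# Added example, not part of the Trusted Solaris manual: sanity-check
# third-party audit_class and audit_event entries before installing them.
# Assumes the colon-separated formats shown above (mask:name:description and
# number:name:description:class). The sample files below are constructed.

AUDIT_TMP=${TMPDIR:-/tmp}/audit_check.$$
mkdir -p "$AUDIT_TMP"

# Constructed stand-ins for /etc/security/audit_class and audit_event.
cat > "$AUDIT_TMP/audit_class" <<'EOF'
0x00000000:no:invalid class
0x00008000:ec:example class
EOF
cat > "$AUDIT_TMP/audit_event" <<'EOF'
32768:AUE_second_signature:second signature requested:ec
32769:AUE_second_signature_verify:second signature added:ec
EOF

# check_class CLASSFILE "mask:name:description"
# Succeeds when the mask is hex with exactly one bit set and neither the mask
# nor the name is already used in CLASSFILE (a reused mask would silently
# alias the new class onto an existing one in the preselection mask).
check_class() {
  classfile=$1 line=$2
  mask=${line%%:*}
  rest=${line#*:}
  name=${rest%%:*}
  case "$mask" in
    0x[0-9a-fA-F]*) ;;
    *) echo "class mask must be hex: $mask" >&2; return 1 ;;
  esac
  m=$(($mask))
  if [ "$m" -eq 0 ] || [ $((m & (m - 1))) -ne 0 ]; then
    echo "class mask must have exactly one bit set: $mask" >&2; return 1
  fi
  while IFS=: read -r emask ename edesc; do
    case "$emask" in 0x[0-9a-fA-F]*) ;; *) continue ;; esac   # skip comments
    if [ $(($emask)) -eq "$m" ] || [ "$ename" = "$name" ]; then
      echo "class mask or name already used: $emask:$ename" >&2; return 1
    fi
  done < "$classfile"
  return 0
}

# check_event CLASSFILE "number:name:description:class"
# Succeeds when the line has four fields, the number is in the third-party
# range 32768-65535, the name follows the AUE_ convention, and the class
# named in the last field is defined in CLASSFILE.
check_event() {
  classfile=$1 line=$2
  nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
  if [ "$nf" -ne 4 ]; then
    echo "expected number:name:description:class, got $nf fields" >&2; return 1
  fi
  num=${line%%:*}
  rest=${line#*:}
  name=${rest%%:*}
  cls=${line##*:}
  case "$num" in
    ''|*[!0-9]*) echo "event number must be numeric: $num" >&2; return 1 ;;
  esac
  if [ "$num" -lt 32768 ] || [ "$num" -gt 65535 ]; then
    echo "event $num is outside the third-party range 32768-65535" >&2; return 1
  fi
  case "$name" in
    AUE_*) ;;
    *) echo "event name should start with AUE_: $name" >&2; return 1 ;;
  esac
  if ! awk -F: -v c="$cls" '$2 == c { found=1 } END { exit !found }' "$classfile"; then
    echo "class $cls is not defined in $classfile" >&2; return 1
  fi
  return 0
}

# check_event_file CLASSFILE EVENTFILE
# Every non-empty line must pass check_event and no event number may repeat.
check_event_file() {
  classfile=$1 eventfile=$2
  status=0
  while IFS= read -r ev; do
    [ -n "$ev" ] || continue
    check_event "$classfile" "$ev" || status=1
  done < "$eventfile"
  dups=$(cut -d: -f1 "$eventfile" | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "duplicate event numbers: $dups" >&2; status=1
  fi
  return $status
}

cleanup_audit_check() { rm -rf "$AUDIT_TMP"; }

# Stand-alone demonstration on the constructed files.
if check_event_file "$AUDIT_TMP/audit_class" "$AUDIT_TMP/audit_event"; then
  echo "audit_event entries are consistent with audit_class"
fi
check_class "$AUDIT_TMP/audit_class" "0x00010000:ex2:another example class" \
  && echo "0x00010000:ex2 can be added without colliding with an existing class"
```

Run the script as-is to see the checks pass on the sample entries; to check a real proposal, point the functions at /etc/security/audit_class and the line you intend to add. The single-bit mask test matters because audit_control flags are resolved into a bit mask, so two classes sharing a bit cannot be preselected independently.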
All audit records including audit records generated by the auditwrite(3TSOL) routine are logged to the audit trail in a series of binary files at ADMIN_HIGH. The location of the audit files is set in the /etc/security/audit_control file, and by default is /var/audit. The praudit(1M) command reads the audit trail files and interprets the binary data as human-readable audit records.
Assume a role whose profile includes the tail(1) and praudit(1M) commands with the proc_audit_appl and proc_audit_tcb privileges. Open a terminal at ADMIN_HIGH, change directory to where the audit records are stored, and execute the tail and praudit commands as shown to view the current audit file.
This syntax works when there is only one *not_terminated* file. If there are others, delete the older ones before executing this command.
phoenix% cd /var/audit
phoenix% tail -0f *not_terminated* | praudit
The audit daemon logs audit records to the audit partition until they reach their maximum capacity and then starts a new file. The file currently written to is the not_terminated audit file. View the /etc/security/audit_data file to determine which file is current.
Put the proc_audit_appl privilege in the forced and allowed privilege sets of the executable file containing the example source code by executing setfpriv(1) from the profile shell with the file_setpriv privilege. "Assigning File Privileges using a Script" explains how to do this with a script.
phoenix% setfpriv -s -f proc_audit_appl -a proc_audit_appl executable.file