test

Trusted Solaris Developer's Guide

Preliminary Setup for Code Examples

A certain amount of administrative setup needs to occur to create third-party events and classes, and view audit records logged to the audit trail. The following is a summary of the administrative setup required for the code examples in this chapter to work. Trusted Solaris Audit Administration explains these and other administrative procedures in detail.

First, check that auditing is enabled and turned on. It is enabled by default, but you can check with the auditconfig(1M) command and the getcond option. Run this command from the profile shell with the sys_audit or proc_audit_appl privilege. The setcond option turns auditing on and off.


phoenix% auditconfig -getcond

Audit File Setup

This section shows you how to set up the audit_class, audit_event, and audit_control files. The best way to edit these files is as follows:

  1. Assume the Security administrator role.

  2. Launch the Application Manager.

  3. Double click the System_Admin icon.

  4. Double click the Audit Classes, Audit Events, or Audit Control action.

  5. Edit each file as described in the following sections.

Audit Classes and Audit Events

Create the third-party audit class ec and two audit events, AUE_second_signature and AUE_second_signature_verify. See the audit_class(4) and audit_event(4) man pages for more information on these files.

Audit Control (Process Preselection Mask)

The process preselection mask specifies the audit classes to be audited by the process. To set up the preselection mask to audit for third-party events, edit the /etc/security/audit_control flag parameter as follows to audit events in the example (ec) class for success and failure.

flags:ec

Settings in audit_control(4) are global to all users in the system. To make a setting specific to a user, edit the /etc/security/audit_user file (the Audit Users action) as follows:

zelda:ec

See the audit_control(4) and audit_user(4) man pages for more information on these files and settings. Log out and log back in for the newly defined process preselection mask to take effect. You could also use auditconfig(1M) with the -setpmask option to set the process preselection mask on any existing processes, but it is probably easier to set one of these files and log out and log back in once.

Viewing the Audit Trail Setup

All audit records including audit records generated by the auditwrite(3TSOL) routine are logged to the audit trail in a series of binary files at ADMIN_HIGH. The location of the audit files is set in the /etc/security/audit_control file, and by default is /var/audit. The praudit(1M) command reads the audit trail files and interprets the binary data as human-readable audit records.

Assume a role with the tail(1) command and the praudit(1M) command with the proc_audit_appl and proc_audit_tcb privileges. Open a terminal at ADMIN_HIGH, change directory to where the audit records are stored, and execute the tail and praudit commands as shown to view the current audit file.

Note -

This syntax works when there is only one *not_terminated* file. If there are others, delete the older ones before executing this command.


phoenix%  cd /var/audit
phoenix% tail -0f *not_terminated* | praudit

The audit daemon logs audit records to the audit partition until they reach their maximum capacity and then starts a new file. The file currently written to is the not_terminated audit file. View the /etc/security/audit_data file to determine which file is current.

Executable Code Setup

Put the proc_audit_appl privilege in the forced and allowed privilege sets of the executable file containing the example source code by executing setfpriv(1) from the profile shell with the file_setpriv privilege. "Assigning File Privileges using a Script" explains how to do this with a script. 


phoenix% setfpriv -s -f proc_audit_appl -a proc_audit_appl executable.file