Trusted Solaris Audit Administration

Rolling Out Auditing at Your Site

To roll out auditing, the system administrator sets up the audit administration server, the audit file servers and the local audit partitions, and decides which usernames are warned of audit trouble. The security administrator edits the audit_control(4) file on the NIS+ root master and edits the other audit configuration files before copying them to a central directory for distribution by tape or floppy. The install team copies the audit configuration files from the tape to each system as it is configured. The security administrator then edits the dir: lines in the audit_control file on each system before the system is rebooted.


Note –

Administrators should understand that the Trusted Solaris environment records only the security-relevant events that it is configured (by preselection) to record. Any subsequent audit can therefore consider only the events that were recorded. If auditing is not configured to record the security-relevant events for the particular system environment in which it operates, those events cannot be audited afterwards. This may mean that attempts to breach the security of the system go undetected, or that the administrator is unable to identify the user responsible for an attempted breach. Administrators should regularly analyze audit trails to check for breaches of security.
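The per-host step described above (rewriting the dir: lines of the distributed audit_control copy before the reboot), together with the Note's point that only preselected events are ever recorded, as an added shell example that is not from the Trusted Solaris documentation. It assumes the standard audit_control(4) keywords dir:, flags:, naflags: and minfree:, uses a constructed sample file, and uses temporary directories standing in for the mounted local audit partition.

```shell
#!/bin/sh
# Constructed sample: the audit_control copy taken from the central
# distribution directory. Its dir: line still names the audit
# administration server's partition, so it must be rewritten per host.
TEMPLATE=$(mktemp /tmp/audit_control.XXXXXX)
cat > "$TEMPLATE" <<'EOF'
# audit_control (constructed sample of a distributed copy)
dir:/etc/security/audit/auditserver/files
flags:lo,ad,-fc
naflags:lo,ad
minfree:20
EOF

# set_audit_dirs SRC DST DIR...: write DST from SRC with DIR... as the
# dir: lines (primary first); every non-dir: line of SRC is kept as-is.
set_audit_dirs() {
    src=$1; dst=$2; shift 2
    : > "$dst"
    for d in "$@"; do
        printf 'dir:%s\n' "$d" >> "$dst"
    done
    grep -v '^dir:' "$src" >> "$dst"
}

# check_audit_control FILE: succeed only if every dir: directory exists,
# a flags: preselection line is present (the Note above: unselected
# events are never recorded) and minfree: is numeric.
check_audit_control() {
    f=$1; ndir=0
    for d in $(sed -n 's/^dir://p' "$f"); do
        [ -d "$d" ] || { echo "missing audit directory: $d" >&2; return 1; }
        ndir=$((ndir + 1))
    done
    [ "$ndir" -gt 0 ] || { echo "no dir: line in $f" >&2; return 1; }
    grep -q '^flags:[^ ]' "$f" || { echo "no flags: line in $f" >&2; return 1; }
    grep -q '^minfree:[0-9][0-9]*$' "$f" || { echo "bad minfree: in $f" >&2; return 1; }
}

# Worked run: a primary and an overflow directory on this host's local audit
# partition (here a temporary tree standing in for the mounted partition).
AUDIT_ROOT=$(mktemp -d /tmp/audit.XXXXXX)
mkdir -p "$AUDIT_ROOT/files" "$AUDIT_ROOT/files.1"
NEW=$(mktemp /tmp/audit_control.XXXXXX)
set_audit_dirs "$TEMPLATE" "$NEW" "$AUDIT_ROOT/files" "$AUDIT_ROOT/files.1"
check_audit_control "$NEW" && echo "audit_control ready for reboot: $NEW"
```

On a real system the two directories would be the local audit partition(s) created and mounted by the system administrator, and the distributed copy would be rejected by the check until its dir: lines are rewritten.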


System Administrator's Audit Setup Tasks

Table 2–1 Basic Auditing Setup by the System Administrator

Task                                     For the procedure, see…
---------------------------------------  ------------------------------------------------
Create audit partitions                  To Create Dedicated Audit Partitions
Create audit administration server       Trusted Solaris Installation and Configuration or
                                         Trusted Solaris Administrator's Procedures
Install audit file servers               Plan to install them before audit clients
Create files directory                   To Create an Audit Directory
Export audit partitions (networks only)  To Share an Audit File System
Create the audit_warn alias              To Warn of Audit Trouble
Mount audit partitions (networks only)   To Mount an Audit File System

Security Administrator's Audit Setup Tasks - Basic

Table 2–2 Basic Auditing Setup by the Security Administrator

Task                                     For the procedure, see…
---------------------------------------  ------------------------------------------------
On first system:
Edit audit_control file                  To Set Audit Flags
                                         To Reserve Free Space on an Audit File System
                                         To Specify the Audit File Storage Locations
Set filesystem security attributes       To Protect an Audit File System
Edit audit_startup file                  To Set Audit Policy Permanently
Copy for distribution (networks only)    To Distribute Audit Configuration Files
Per user:
Set audit flags in Users Audit tab       To Set User Exceptions to the Audit Flags

Security Administrator's Audit Setup Tasks - Advanced

Table 2–3 Advanced Auditing Setup by the Security Administrator

Task                                     For the procedure, see…
---------------------------------------  ------------------------------------------------
On first system:
Edit audit_event file                    To Add Audit Events
                                         To Change Event-Class Mappings
Edit audit_class file                    To Add Audit Classes
Copy for distribution (networks only)    To Distribute Audit Configuration Files