To roll out auditing, the system administrator sets up the audit administration server, the audit file servers, and the local audit partitions, and decides which usernames are notified of audit trouble (the audit_warn alias). The security administrator edits the audit_control(4) file on the NIS+ root master and the other audit configuration files, then copies them to a central directory for distribution by tape or floppy. The install team copies the audit configuration files from the tape to each system as it is configured, and the security administrator edits the dir: lines in that system's audit_control file before the system is rebooted.
Administrators should understand that the Trusted Solaris environment records only the security-relevant events it is configured to record (that is, the preselected events), so any later audit can consider only the events that were recorded. If auditing is not configured to record the events that are security-relevant for the particular environment in which the system operates, those events cannot be audited afterwards. Attempts to breach the security of the system may then go undetected, or the administrator may be unable to identify the user responsible for an attempted breach. Administrators should analyze audit trails regularly to check for breaches of security.
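Two of the mistakes the paragraphs above warn about, an audit_control file whose dir: lines point at partitions that do not exist on the system it was copied to, and a file with no usable flags: preselection, can be caught before the reboot. The shell function below does that. It is an added example, not code from the Trusted Solaris guide: the dir:, flags:, minfree: and naflags: keywords are the documented audit_control(4) format, but the partition paths, the audit classes (lo, ad) and the file names in its constructed samples are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the Trusted Solaris guide: sanity-check an
# audit_control(4) file before it is copied to a system and the system is
# rebooted. The keywords (dir:, flags:, minfree:, naflags:) are the documented
# audit_control format; the directory paths, audit classes and file names used
# in the constructed samples below are assumptions for illustration.

# check_audit_control FILE
#   Prints one diagnostic per problem found and returns the number of problems
#   (0 means the file looks usable). It checks that:
#     - at least one dir: line exists and every dir: target is an existing
#       directory (a missing audit partition is the usual reason a freshly
#       copied file is wrong for the system it landed on);
#     - a flags: line exists and is not empty, since flags: is the system-wide
#       preselection: events that are not preselected are never recorded;
#     - minfree:, if present, is an integer percentage no greater than 100.
check_audit_control() {
    file=$1
    problems=0
    ndirs=0
    have_flags=0
    if [ ! -r "$file" ]; then
        echo "cannot read $file"
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        key=${line%%:*}
        val=${line#*:}
        case $key in
            dir)
                ndirs=$((ndirs + 1))
                if [ ! -d "$val" ]; then
                    echo "dir: $val is not an existing directory"
                    problems=$((problems + 1))
                fi ;;
            flags)
                have_flags=1
                if [ -z "$val" ]; then
                    echo "flags: is empty, so no attributable events are preselected"
                    problems=$((problems + 1))
                fi ;;
            naflags) ;;                   # non-attributable preselection; any value accepted here
            minfree)
                case $val in
                    ''|*[!0-9]*)
                        echo "minfree: '$val' is not an integer percentage"
                        problems=$((problems + 1)) ;;
                    *)
                        if [ "$val" -gt 100 ]; then
                            echo "minfree: $val is greater than 100"
                            problems=$((problems + 1))
                        fi ;;
                esac ;;
            *)
                echo "unknown keyword '$key' in line: $line"
                problems=$((problems + 1)) ;;
        esac
    done < "$file"
    if [ "$ndirs" -eq 0 ]; then
        echo "no dir: line, so the system has nowhere to write audit files"
        problems=$((problems + 1))
    fi
    if [ "$have_flags" -eq 0 ]; then
        echo "no flags: line, so there is no system-wide preselection"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# make_samples DIR
#   Writes two constructed audit_control files under DIR: one that should pass
#   and one with three deliberate problems (missing partition, empty flags:,
#   non-numeric minfree:). Paths and classes are assumptions, not site values.
make_samples() {
    dir=$1
    mkdir -p "$dir/audit-good"
    printf '%s\n' \
        '# constructed sample; the partition path is an assumption' \
        "dir:$dir/audit-good" \
        'flags:lo,ad' \
        'minfree:20' \
        'naflags:lo' > "$dir/audit_control.good"
    printf '%s\n' \
        "dir:$dir/does-not-exist" \
        'flags:' \
        'minfree:abc' > "$dir/audit_control.bad"
}

# Stand-alone demonstration on the two constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp/audit_control.good" "$tmp/audit_control.bad"; do
    echo "== $f"
    check_audit_control "$f" || echo "-- $? problem(s) found"
done
rm -rf "$tmp"
```

Run it on the real file with `check_audit_control /etc/security/audit_control` on each system after the dir: lines have been edited; a non-zero return means the file should not be left in place for the reboot. The check only validates the file's syntax and the existence of the dir: targets; whether the chosen audit classes are the right preselection for the site is a policy decision the script cannot make.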
The tasks for setting up audit storage, the audit servers and the audit_warn alias are:

Task | For the procedure, see…
---|---
Create audit partitions |
Create audit administration server | Trusted Solaris Installation and Configuration or Trusted Solaris Administrator's Procedures
Install audit file servers (plan to install them before audit clients) |
Create files directory |
Export audit partitions (networks only) |
Create the audit_warn alias |
Mount audit partitions (networks only) |
The tasks for configuring the audit files on the first system (and distributing them to the others) and for setting per-user audit flags are:

Task | For the procedure, see…
---|---
On first system |
Edit audit_control file |
Set filesystem security attributes |
Edit audit_startup file |
Copy for distribution (networks only) |
Per user |
Set audit flags in Users Audit tab |
The tasks for customizing the audit events and audit classes are:

Task | For the procedure, see…
---|---
On first system |
Edit audit_event file |
Edit audit_class file |
Copy for distribution (networks only) |