Trusted Solaris Audit Administration

Basic Audit Setup (Tasks)

The following procedures describe how to set up auditing for one or more systems.

To Create Dedicated Audit Partitions

During installation, the install team creates dedicated audit partition(s) when formatting the disks.

Use the naming convention /etc/security/audit/system_name(.n): a host's first audit partition is mounted at /etc/security/audit/system_name, and any additional partitions at system_name.1, system_name.2, and so on.

A diskfull computer should have at least one local audit directory, which it can use as a directory of last resort if it cannot communicate with the audit server.

See Audit Storage for an explanation of the naming convention.

On an audit file server, most partitions hold audit files, as is shown in the following example of the egret audit file server:

Disk      Slice   Mount point                   Size
c0t2d0    s0      /etc/security/audit/egret     1.0 GB
          s1      /etc/security/audit/egret.1   .98 GB
          s2      entire disk                   1.98 GB
c0t2d1    s0      /etc/security/audit/egret.2   502 MB
          s1      /etc/security/audit/egret.3   500 MB
          s2      entire disk                   1002 MB

Note –

Another disk holds egret's / (root) and /swap partitions.


On a diskfull computer, including the audit administration server, at least one partition should be dedicated to local audit files, as is shown in the following example of the system willet:

Disk      Slice   Mount point                   Size (MB)
c0t3d0    s0      /                             70
          s1      swap                          180
          s2      entire disk                   1002
          s3      /usr                          350
          s4      /etc/security/audit/willet    202
          s7      /export/home                  200

Hints

A rule of thumb is to assign 200 MB of space for each system. However, the disk space requirements at your site depend on how much auditing you perform and on how long the trail is kept online, and may be far greater than this figure.

Fewer, larger partitions are more efficient than many small ones.


Note –

To add a disk to hold audit partitions after installing the system, see the Solaris 8 System Administration Guide, Volume II. To protect the disks with Trusted Solaris security attributes, see Trusted Solaris Administrator's Procedures.


To Execute Commands that Require Privilege

Most commands for setting up auditing require the use of a profile shell, where commands can run with privilege. Auditing also requires the use of actions in the System_Admin folder and the Solaris Management Console action in the Application Manager.

  1. Log in to the computer as yourself.

    1. Enter your user name and press the Return key.

      If the system is protected against anyone logging in, the Enable Logins dialog is displayed.

    2. If you are authorized to enable logins, click the Yes button after Login:.

      If you are not authorized to enable logins, ask the administrator to enable logins.

    3. Enter your password and click OK.

      You are presented with the message of the day and a label builder screen. In a single-label system, the screen describes your session label. In a multilabel system, it presents you with a label builder to choose your session clearance.

    4. Accept the default unless you have a reason not to.

      Press the Return key or click the OK button to complete the login.

  2. Assume an administrative role that you have been assigned.

    1. Click the right mouse button in the middle of the Front Panel.

    2. Choose Assume administrative Role from the menu.

    3. At the password prompt, enter the password for that role.

To Remove Free Space (Optional)

  1. As role admin, at label admin_low, unmount the audit partitions from the system by running the umount(1M) command in a profile shell.

    For example, on the audit file server egret:


    egret$ umount /etc/security/audit/egret
    egret$ umount /etc/security/audit/egret.1
    egret$ umount /etc/security/audit/egret.2
    egret$ umount /etc/security/audit/egret.3
    
  2. Reduce the file system's reserved space on each partition to 0% with the command tunefs -m 0.

    UFS normally holds back a percentage of each file system (its own minfree) from non-root writers. Setting it to 0 makes the whole partition available for audit files; the free-space threshold that governs auditing is instead the minfree: line that the security administrator sets in the audit_control(4) file (see To Reserve Free Space on an Audit File System).

    For example, on the audit file server egret:


    egret$ tunefs -m 0 /etc/security/audit/egret
    egret$ tunefs -m 0 /etc/security/audit/egret.1
    egret$ tunefs -m 0 /etc/security/audit/egret.2
    egret$ tunefs -m 0 /etc/security/audit/egret.3
    

    Similarly, on the system willet:


    willet$ umount /etc/security/audit/willet
    willet$ tunefs -m 0 /etc/security/audit/willet
    

    See the tunefs(1M) man page for more information on the advantages and disadvantages of tuning a file system.

To Protect an Audit File System

  1. As role secadmin, at label admin_low, set the appropriate file permissions on every audit file system while the file system is unmounted.

    For example, on the audit file server egret:


    egret$ chmod -R 750 /etc/security/audit/egret
    egret$ chmod -R 750 /etc/security/audit/egret.1
    egret$ chmod -R 750 /etc/security/audit/egret.2
    egret$ chmod -R 750 /etc/security/audit/egret.3
    

    On the system willet:


    willet$ chmod -R 750 /etc/security/audit/willet
    
  2. As role secadmin, at label admin_high, set any Trusted Solaris security attribute defaults required by your site security policy on every audit file system while the file system is unmounted.

    To run the command at the label admin_high, you must create an admin_high workspace. Follow the procedure in To Create an Admin_High Workspace.

    For example, the following command on the audit file server egret should be repeated for all of its audit partitions:


    egret$ setfsattr -s “[admin_high]” /etc/security/audit/egret
    

    On the system willet:


    willet$ setfsattr -s “[admin_high]” /etc/security/audit/willet
    

    The -s option sets the partition's default sensitivity label for the audit files. See the setfsattr(1M) man page for more information.


    Note –

    The local audit file systems must already be in the host's /etc/vfstab file.


To Create an Audit Directory

  1. As admin, at label admin_high, remount the local audit file systems.

    Follow the procedure in To Create an Admin_High Workspace to get an admin_high process.

    For example, on the audit file server egret:


    egret$ mount /etc/security/audit/egret
    egret$ mount /etc/security/audit/egret.1
    egret$ mount /etc/security/audit/egret.2
    egret$ mount /etc/security/audit/egret.3
    

    Similarly, on the system willet:


    willet$ mount /etc/security/audit/willet
    
  2. Create a directory named files at the top of each mounted audit partition.

    For example, on the audit file server egret:


    egret$ mkdir /etc/security/audit/egret/files
    egret$ mkdir /etc/security/audit/egret.1/files
    egret$ mkdir /etc/security/audit/egret.2/files
    egret$ mkdir /etc/security/audit/egret.3/files
    

    On the system willet:


    willet$ mkdir /etc/security/audit/willet/files
    

To Share an Audit File System

  1. In the role admin at label admin_low, open the Trusted Solaris Management Console, Scope=files toolbox.

  2. Navigate to the Storage node, then the Mounts and Shares tool, and double-click the Shares tool.

  3. Enter every local audit file system in the local host's dfstab(4) file.

    Follow the online help to share the /etc/security/audit/hostname directory.

    For example, the audit file server egret shares its own partition read-only and each additional partition read-write only to the host that stores its audit files there and to the audit administration server audubon:

    share -F nfs -o ro -d "local audit files" /etc/security/audit/egret
    share -F nfs -o rw=willet:audubon -d "audit files" /etc/security/audit/egret.1
    share -F nfs -o rw=grebe:audubon -d "audit files" /etc/security/audit/egret.2
    share -F nfs -o rw=sora:audubon -d "audit files" /etc/security/audit/egret.3

    The system willet has the following entry:

    share -F nfs -o ro -d "local audit files" /etc/security/audit/willet

To Mount an Audit File System

  1. As role admin at label admin_low, on audubon, the audit administration server, create a mount point for every audit directory in the Trusted Solaris network.

    For example, on the audit administration server audubon:


    audubon$ mkdir /etc/security/audit/willet
    audubon$ mkdir /etc/security/audit/egret
    audubon$ mkdir /etc/security/audit/egret.1

  2. As role admin, at label admin_low, enter every audit partition on the network in the audit administration server's vfstab(4) file.

    Mount audit directories with the read-write (rw) option. Mount remote partitions using the soft option.

    1. Click the Application Manager, double-click the System_Admin folder, and double-click the Set Mount Points action.

    2. Enter the mount points in the vfstab(4) file.

      The following shows part of the vfstab file on audubon:

      # egret is the main audit file server
      egret:/etc/security/audit/egret - /etc/security/audit/egret nfs - yes bg,soft,nopriv
      egret:/etc/security/audit/egret.1 - /etc/security/audit/egret.1 nfs - yes bg,soft,nopriv
      egret:/etc/security/audit/egret.2 - /etc/security/audit/egret.2 nfs - yes bg,soft,nopriv
      egret:/etc/security/audit/egret.3 - /etc/security/audit/egret.3 nfs - yes bg,soft,nopriv
      willet:/etc/security/audit/willet - /etc/security/audit/willet nfs - yes bg,soft,nopriv
      …
  3. On each system, create the mount points for the remote audit file servers' partitions that are used by the system, and enter them in the vfstab(4) file. Do this as role admin, at label admin_low.

    For example, to create the mount points on the system willet:


    willet$ mkdir /etc/security/audit/egret
    willet$ mkdir /etc/security/audit/audubon.2
    

    1. Click the Application Manager, double-click the System_Admin folder, and double-click the Set Mount Points action.

    2. Enter the mount points in the vfstab(4) file.

      The following shows part of the vfstab file on willet:

      # egret is the main audit file server
      egret:/etc/security/audit/egret - /etc/security/audit/egret nfs - yes bg,soft,nopriv
      # audubon is the audit administration server
      audubon:/etc/security/audit/audubon.2 - /etc/security/audit/audubon.2 nfs - yes nopriv

To Reserve Free Space on an Audit File System

  1. As role secadmin, at label admin_low, enter the reserved free space in the audit_control(4) file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Control action.

  2. Enter a value between 10 and 20 on the minfree: line. The value is the percentage of free space below which the audit daemon warns (through audit_warn) and moves on to the next dir: entry.

    dir:/var/audit
    flags:
    minfree:20
    naflags:
  3. Write the file and quit the editor.

To Specify the Audit File Storage Locations

  1. As role secadmin, at label admin_low, enter audit storage locations in the audit_control file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Control action.

  2. On the first system installed, enter its local audit file system as the value of the dir: line.

    The following shows the audit_control file for grebe, the NIS+ root master.

    dir:/etc/security/audit/grebe/files
    flags:
    minfree:20
    naflags:
  3. When the audit file servers have been installed and configured, add a dir: line for each of their (mounted) file systems, naming the file system plus its top-level directory, files.

    The mounted file systems are listed before the system's local file system. The audit daemon uses the directories in the order listed, so the local partition serves as the directory of last resort, as in:

    dir:/etc/security/audit/egret/files
    dir:/etc/security/audit/egret.1/files
    dir:/etc/security/audit/grebe/files
    flags:
    minfree:20
    naflags:
  4. Write the file and exit the editor.

  5. As role secadmin in an admin_high profile shell, execute the audit -s command to have the audit daemon re-read the audit_control file and write audit records to the designated directory:


    $ audit -s
    

    By default, the audit records have been stored in /var/audit. From now on they are stored in the first dir: entry of the audit_control file that has free space above the minfree: threshold.

To Set Audit Flags

  1. As role secadmin, at label admin_low, enter system-wide audit flags in the audit_control(4) file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Control action.

  2. Enter the na class in the naflags: line if your site is auditing non-attributable events.

    dir:/etc/security/audit/egret/files
    dir:/etc/security/audit/egret.1/files
    dir:/etc/security/audit/grebe/files
    flags:
    minfree:20
    naflags:na
    
  3. Enter other classes in the flags: line if your system is auditing attributable (user-level) events.

    dir:/etc/security/audit/egret/files
    dir:/etc/security/audit/egret.1/files
    dir:/etc/security/audit/grebe/files
    flags:lo,ad,-all,^-fc
    minfree:20
    naflags:na

    See Sample audit_control File for an explanation of the syntax of the audit flags' fields.

  4. Write the file and exit the editor.


    Note –

    On a distributed system, the audit flags in the audit_control file must be identical on every host on the network. See To Distribute Audit Configuration Files for a process to distribute master copies of files to all hosts on the network.
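The three procedures above all edit the same audit_control file. The following shell function is an added example, not part of the original page or of Trusted Solaris: it checks an audit_control file against the rules those procedures set out (every dir: names an existing directory ending in /files that is closed to "other", minfree: is between 10 and 20, and the flags:/naflags: lines contain only class-shaped tokens). The file path and the sample contents used in the usage note are constructed for illustration.

```shell
# check_audit_control FILE
# Validates an audit_control(4) file against the rules in the procedures above.
# Prints one line per problem found; returns the number of problems (0 = clean).
check_audit_control() {
    file=$1
    problems=0
    ndirs=0
    minfree=

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        key=${line%%:*}
        val=${line#*:}
        case $key in
            dir)
                ndirs=$((ndirs + 1))
                if [ ! -d "$val" ]; then
                    echo "dir: $val is not a directory"; problems=$((problems + 1))
                    continue
                fi
                case $val in
                    */files) ;;
                    *) echo "dir: $val does not end in /files"; problems=$((problems + 1)) ;;
                esac
                # "ls -ld" prints e.g. drwxr-x---; columns 8-10 are the "other" bits
                other=$(ls -ld "$val" | cut -c8-10)
                if [ "$other" != "---" ]; then
                    echo "dir: $val is accessible to other (mode ...$other)"
                    problems=$((problems + 1))
                fi
                ;;
            minfree)
                minfree=$val
                case $val in
                    ''|*[!0-9]*)
                        echo "minfree: '$val' is not a number"; problems=$((problems + 1)) ;;
                    *)
                        if [ "$val" -lt 10 ] || [ "$val" -gt 20 ]; then
                            echo "minfree: $val is outside the recommended 10-20 range"
                            problems=$((problems + 1))
                        fi ;;
                esac
                ;;
            flags|naflags)
                # comma-separated tokens such as lo, +fr, -all, ^-fc
                bad=$(printf '%s' "$val" | tr ',' '\n' \
                      | grep -v -E '^\^?[+-]?[a-z]+$' | grep -v '^$' || true)
                if [ -n "$bad" ]; then
                    echo "$key: malformed token(s): $(printf '%s' "$bad" | tr '\n' ' ')"
                    problems=$((problems + 1))
                fi
                ;;
            *)
                echo "unknown keyword '$key'"; problems=$((problems + 1)) ;;
        esac
    done < "$file"

    [ "$ndirs" -gt 0 ] || { echo "no dir: line"; problems=$((problems + 1)); }
    [ -n "$minfree" ] || { echo "no minfree: line"; problems=$((problems + 1)); }
    return $problems
}
```

Run it as `check_audit_control /etc/security/audit_control` after each edit and before `audit -s`; a non-zero return with the printed findings tells the security administrator what to fix before the daemon re-reads the file. The permission check looks only at the "other" bits because the page's chmod 750 leaves group access in place.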


To Set User Exceptions to the Audit Flags

The security administrator, at label admin_low, enters user exceptions to the system-wide audit flags in the user's Audit tab.

  1. In the role secadmin, launch the Solaris Management Console from the Application Manager and choose the toolbox appropriate for your site.

  2. Under the User Accounts node, select a user.

  3. In the user's Audit tab, enter the user exceptions and save them.

    Follow the online help for assistance. The following example shows the format of the audit_user file.

    For example, the following audit_user entries work as follows. The root entry always audits the root role for the lo class (logins and logouts) and never audits the fc class, even when fc is in the system-wide flags. The jane entry always audits jane for every class (all, not only the classes named in audit_control) except successful file_read events (^+fr). The null class, no, matches no events and is used where a field would otherwise be empty.

    # User Level Audit User File
    #
    # File Format
    #
    #       username:always:never
    #
    root:lo:no,fc
    jane:all,^+fr:no
    

To Warn of Audit Trouble

  1. As role admin, at label admin_low, create a mail alias to warn of audit trouble.

    1. If you are running a name service, on the master server of the name service, launch the Solaris Management Console from the Application Manager.

    2. Choose the toolbox that your site uses for administration, and select the Users node.

    3. Double-click the Mailing Lists node.

    4. From the Action menu, choose Add mailing list.

  2. Create an alias called audit_warn for notifying its members of audit trouble.

    For example, this audit_warn alias emails the security administrator and the system administrator when the auditing subsystem needs attention.

    Mailing List Name: audit_warn
    Mailing List Recipients: secadmin@grebe,admin@grebe
    

To Set Audit Policy Permanently

  1. As role secadmin, at label admin_low, enter permanent audit policy in the audit_startup(1M) file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Startup action.

  2. Create a script that calls the auditconfig(1M) command with policy options.

    The sample audit_startup(1M) script below adds sensitivity label (slabel) and ACL tokens to audit records, halts the computer when an audit record cannot be written (for example, because its audit file systems are full), and at startup prints the resulting audit policy to standard output.


    #!/bin/sh
    auditconfig -setpolicy +slabel,+acl
    auditconfig -setpolicy +ahlt
    auditconfig -getpolicy

  3. Write the file and exit the editor


    Caution –

    To run auditing in an evaluated configuration, the cnt policy cannot be turned on; the ahlt policy (the default) cannot be turned off.
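An audit_startup script can flip a policy on one line and off again on another, so the only reliable way to check the caution above is to replay its -setpolicy lines. The function below is an added example, not part of the original page or of Trusted Solaris. It assumes the Trusted Solaris default policy (ahlt on) as the starting state, models only the +flag, -flag, unsigned (replace), none and all forms that auditconfig -setpolicy accepts, expands all to just the two policies this check cares about, and reports whether cnt ends up off and ahlt ends up on. The script paths in the usage note are constructed for illustration.

```shell
# check_audit_startup FILE
# Replays the "auditconfig -setpolicy" lines of an audit_startup(1M) script and
# reports whether the final policy is acceptable for an evaluated configuration:
# cnt must be off and ahlt must be on.  Prints the final policy; returns 0 if
# compliant, 1 otherwise.
check_audit_startup() {
    file=$1
    policy=" ahlt "                      # space-delimited set; assumed default state

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'*) continue ;;            # comments and the #! line
            *auditconfig*-setpolicy*) ;;
            *) continue ;;
        esac
        spec=$(printf '%s' "${line##*-setpolicy}" | tr -d ' \t')
        # an unsigned spec replaces the whole policy rather than editing it
        case $spec in
            [+-]*) ;;
            *) policy=" " ;;
        esac
        old_ifs=$IFS; IFS=,; set -- $spec; IFS=$old_ifs
        for tok in "$@"; do
            sign=${tok%%[a-z_]*}         # "+", "-" or empty
            name=${tok#"$sign"}
            case $sign in
                ''|+|-) ;;
                *) echo "malformed policy token '$tok'"; continue ;;
            esac
            case $name in
                '') continue ;;
                *[!a-z_]*) echo "malformed policy token '$tok'"; continue ;;
                none) policy=" "; continue ;;
                all)  name="cnt ahlt" ;; # only the two policies checked here
            esac
            for n in $name; do
                if [ "$sign" = "-" ]; then
                    policy=$(printf '%s\n' "$policy" | sed "s/ $n / /")
                else
                    case $policy in *" $n "*) ;; *) policy="$policy$n " ;; esac
                fi
            done
        done
    done < "$file"

    echo "final policy:$policy"
    status=0
    case $policy in *" cnt "*) echo "cnt is on: not permitted in an evaluated configuration"; status=1 ;; esac
    case $policy in *" ahlt "*) ;; *) echo "ahlt is off: not permitted in an evaluated configuration"; status=1 ;; esac
    return $status
}
```

Run `check_audit_startup /etc/security/audit_startup` before distributing the script to other hosts; because it replays the lines in order, a script that sets cnt and later removes it passes, while one that sets an unsigned policy list without ahlt fails.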


To Distribute Audit Configuration Files

In the Trusted Solaris 8 4/01 release, the audit_user file can be a NIS map or a NIS+ table, and does not need to be copied to each host. Sites that do not use a name service will want the same audit_user file on every system. If the site modifies the file on any system, it should be copied to all hosts.

  1. During installation, as root, at label admin_low, create a directory on the first installed workstation to hold copies of the audit configuration files customized for your site.

    For example, on grebe, the first host in a network:


    # mkdir /export/home/tmp
    

  2. Copy the modified files from the /etc/security directory to the /export/home/tmp directory.


    # cp /etc/security/audit_control /export/home/tmp/audit_control
    # cp /etc/security/audit_warn /export/home/tmp/audit_warn
    # cp /etc/security/audit_startup /export/home/tmp/audit_startup
    # cp /etc/security/audit_event /export/home/tmp/audit_event
    

    The directory would include your customized versions of audit_control, audit_startup, and audit_warn. If you have modified event-to-class mappings, it would include audit_event; if you have created new audit classes, it would include audit_class. It would not include audit_data.

  3. Allocate the tape or diskette device.

    Follow the procedure in To Allocate and Deallocate Devices.

  4. Run the tar(1) command to copy the contents of the /export/home/tmp directory to a tape or diskette.

    • To copy to tape:


      # cd /export/home/tmp
      # tar cv audit_control audit_warn audit_startup audit_event
      

    • To copy to diskette:


      # cd /export/home/tmp
      # tar cvf /dev/diskette \
      audit_control audit_warn audit_startup audit_event
      

  5. Deallocate the tape or diskette device and follow the instructions.

    Follow the procedure in To Deallocate a Device.

  6. As root, at label admin_low, as each new host is configured, copy the files from the tape or diskette to the correct directory on the new system.

    1. Prepare the directory for the new files.


      # cd /etc/security
      # mv audit_control audit_control.orig
      # mv audit_startup audit_startup.orig
      # mv audit_warn audit_warn.orig
      # mv audit_event audit_event.orig
      
    2. Allocate the appropriate device at the label admin_low.

      Follow the procedure in To Allocate and Deallocate Devices.

    3. Copy the files.

      • To copy from tape:


        # tar xv audit_control audit_warn audit_startup audit_event
        

      • To copy from diskette:


        # tar xvf /dev/diskette \
        audit_control audit_warn audit_startup audit_event
        

    4. Deallocate the device.

      Follow the procedure in To Deallocate a Device.

  7. As role admin, at label admin_low, edit the dir: lines of the audit_control file on each new system so that they name that system's remote and local audit file systems. The flags:, naflags:, and minfree: lines stay as distributed, so that they remain identical on every host.
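Once the files have been copied and the dir: lines adjusted, it is worth confirming that a host still matches the site master before trusting its audit trail. The following function is an added example, not part of the original page or of Trusted Solaris: it compares a host's /etc/security copies against the staging directory the page uses (/export/home/tmp in the example), requiring audit_startup, audit_warn, audit_event and audit_class to be byte-identical where the site customised them, and requiring the flags:, naflags: and minfree: lines of audit_control to match while allowing the dir: lines to differ per host. The host and master directory paths are parameters; the contents in the usage note are constructed.

```shell
# compare_audit_config MASTER_DIR HOST_DIR
# Checks a host's audit configuration files against the site master copies.
# Prints one line per mismatch; returns the number of mismatches (0 = in sync).
compare_audit_config() {
    master=$1
    host=$2
    mismatches=0

    # files that must be identical everywhere (only those the site customised)
    for f in audit_startup audit_warn audit_event audit_class; do
        [ -f "$master/$f" ] || continue
        if [ ! -f "$host/$f" ]; then
            echo "$f: missing on host"; mismatches=$((mismatches + 1))
        elif ! cmp -s "$master/$f" "$host/$f"; then
            echo "$f: differs from master"; mismatches=$((mismatches + 1))
        fi
    done

    # audit_control: flags/naflags/minfree must match, dir: lines are per host
    for key in flags naflags minfree; do
        m=$(grep "^$key:" "$master/audit_control" 2>/dev/null || true)
        h=$(grep "^$key:" "$host/audit_control" 2>/dev/null || true)
        if [ "$m" != "$h" ]; then
            echo "audit_control $key: master '${m#*:}' vs host '${h#*:}'"
            mismatches=$((mismatches + 1))
        fi
    done
    if ! grep -q '^dir:' "$host/audit_control" 2>/dev/null; then
        echo "audit_control: host has no dir: line"; mismatches=$((mismatches + 1))
    fi

    return $mismatches
}
```

With the master copies mounted or copied onto the host, `compare_audit_config /export/home/tmp /etc/security` gives a quick drift check after step 7; the same function run from the audit administration server over each host's copies catches a host whose flags were edited locally after distribution.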

To Allocate and Deallocate Devices

The Device Manager allocates and deallocates devices.

  1. In an administrative role workspace at the label required, click the left mouse button on the triangle above the Style Manager icon on the Front Panel.

    The Tools subpanel is displayed.

  2. Click the Device Manager icon once.

  3. Double-click the device to be allocated.

    mag_tape_0 allocates a tape device. floppy_0 allocates a diskette.

  4. Click OK in the label builder that appears.

    The file you load will be labeled admin_low.

To Deallocate a Device

  1. Go to the workspace in which the device was allocated.

  2. Double-click the device to deallocate it.

    A window appears listing devices being deallocated.

  3. When prompted, remove the tape or diskette from the drive and label it appropriately.

  4. Click the top left button and select Close to close the Device Allocation Manager window.