Trusted Solaris Audit Administration

To Distribute Audit Configuration Files

In the Trusted Solaris 8 4/01 release, the audit_user file can be a NIS map or a NIS+ table and does not need to be copied to each host. Sites that do not use a name service should keep the same audit_user file on every system: if the file is modified on one system, copy it to all hosts. The procedure below distributes the remaining audit configuration files, which are always local to each host.

  1. During installation, as root, at label admin_low, create a directory on the first installed workstation to hold copies of the audit configuration files customized for your site.

    For example, on grebe, the first host in a network:


    # mkdir /export/home/tmp
    

  2. Copy the modified files from the /etc/security directory to the /export/home/tmp directory.


    # cp /etc/security/audit_control /export/home/tmp/audit_control
    # cp /etc/security/audit_warn /export/home/tmp/audit_warn
    # cp /etc/security/audit_startup /export/home/tmp/audit_startup
    # cp /etc/security/audit_event /export/home/tmp/audit_event
    

    The directory would include your customized versions of audit_control, audit_startup, and audit_warn. If you have modified event-to-class mappings, it would include audit_event; if you have created new audit classes, it would include audit_class. It would not include audit_data, which records the current audit trail file and auditd process of one host and must never be copied to another.

  3. Allocate the tape or diskette device.

    Follow the procedure in To Allocate and Deallocate Devices.

  4. Run the tar(1) command to copy the contents of the /export/home/tmp directory to a tape or diskette.

    • To copy to tape (with no f option, tar writes to the device named by the TAPE environment variable or, if that is unset, the default device in /etc/default/tar):


      # cd /export/home/tmp
      # tar cv audit_control audit_warn audit_startup audit_event
      

    • To copy to diskette:


      # cd /export/home/tmp
      # tar cvf /dev/diskette \
      audit_control audit_warn audit_startup audit_event
      

  5. Deallocate the tape or diskette device and follow the prompts to remove the media.

    Follow the procedure in To Deallocate a Device.

  6. As each new host is configured, as root at label admin_low, copy the files from the tape or diskette into /etc/security on the new system.

    1. Change to /etc/security and set the original files aside so they can be restored if needed. The tar extraction in Step 3 writes into the current directory, so remain in /etc/security.


      # cd /etc/security
      # mv audit_control audit_control.orig
      # mv audit_startup audit_startup.orig
      # mv audit_warn audit_warn.orig
      # mv audit_event audit_event.orig
      
    2. Allocate the appropriate device at the label admin_low.

      Follow the procedure in To Allocate and Deallocate Devices.

    3. Copy the files.

      • To copy from tape:


        # tar xv audit_control audit_warn audit_startup audit_event
        

      • To copy from diskette:


        # tar xvf /dev/diskette \
        audit_control audit_warn audit_startup audit_event
        

    4. Deallocate the device.

      Follow the procedure in To Deallocate a Device.

  7. As role admin, at label admin_low, edit the audit_control file on each new system so that its dir: entries name that system's local and remote audit file systems. The other entries (flags:, minfree:, naflags:) are site-wide and need no change.
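The seven steps above as one worked shell script. This is an added example, not from the Trusted Solaris documentation. It assumes a tar file on disk in place of the allocated tape or diskette device, takes the source and destination directories as parameters so it can be exercised in a scratch directory rather than /etc/security, and adds two checks the manual procedure leaves implicit: audit_data is never packaged, and every extracted file is compared against a cksum(1) record made on the first host. Device allocation, deallocation and labels are outside what the script does. The function names, the constructed sample file contents and the audit file system paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris manual): package the site's
# customized audit configuration files on the first host, install them on a
# new host with the originals set aside, verify the copy, then set the new
# host's audit file systems in audit_control. A tar file stands in for the
# allocated tape or diskette; directories are parameters.

# Files that may be distributed. audit_data is per-host state and is never
# archived, even when present in the source directory.
DIST_FILES="audit_control audit_warn audit_startup audit_event audit_class"

abs_path() {
    case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$PWD" "$1" ;; esac
}

# package_audit_config SRCDIR ARCHIVE
# Writes the distributable files found in SRCDIR to ARCHIVE and records one
# cksum(1) line per file beside it, so the receiving host can verify.
package_audit_config() {
    srcdir=$1; archive=$(abs_path "$2"); files=""
    for f in $DIST_FILES; do
        [ -f "$srcdir/$f" ] && files="$files $f"
    done
    if [ -z "$files" ]; then
        echo "package_audit_config: no audit configuration files in $srcdir" >&2
        return 1
    fi
    (cd "$srcdir" && tar cf "$archive" $files && cksum $files > "$archive.cksum")
}

# install_audit_config ARCHIVE DESTDIR
# Moves each file the archive would overwrite to <name>.orig, extracts the
# archive into DESTDIR, and fails if any extracted file differs from the
# checksum recorded at packaging time.
install_audit_config() {
    archive=$(abs_path "$1"); destdir=$2
    for f in $(tar tf "$archive"); do
        [ -f "$destdir/$f" ] && mv "$destdir/$f" "$destdir/$f.orig"
    done
    (cd "$destdir" && tar xf "$archive") || return 1
    while read -r sum size name; do
        actual=$(cd "$destdir" && cksum "$name")
        if [ "$actual" != "$sum $size $name" ]; then
            echo "install_audit_config: checksum mismatch for $name" >&2
            return 1
        fi
    done < "$archive.cksum"
}

# set_audit_dirs FILE DIR...
# Step 7: replace the dir: entries of an audit_control file with one per
# audit file system given, in that order; flags:, minfree: and naflags:
# lines are kept unchanged.
set_audit_dirs() {
    file=$1; shift
    { for d in "$@"; do printf 'dir:%s\n' "$d"; done
      grep -v '^dir:' "$file" || true; } > "$file.new" && mv "$file.new" "$file"
}

# count_audit_dirs FILE: number of dir: entries, for checking the result.
count_audit_dirs() { grep -c '^dir:' "$1" || true; }

# demo_roundtrip: constructed sample files in a scratch directory run through
# package -> install -> verify -> set dirs. Returns 0 when every check holds.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    src=$work/grebe; dst=$work/newhost
    mkdir "$src" "$dst"
    # Constructed sample content, not a real site's configuration.
    printf 'dir:/var/audit\nflags:lo,ad\nminfree:20\nnaflags:lo\n' > "$src/audit_control"
    printf '#!/bin/sh\n# site warning script\n' > "$src/audit_warn"
    printf '#!/bin/sh\n/usr/sbin/auditconfig -setpolicy +cnt\n' > "$src/audit_startup"
    printf '0:AUE_NULL:indir system call:no\n' > "$src/audit_event"
    printf '123:/var/audit/19700101000000.not_terminated.grebe\n' > "$src/audit_data"
    # Stock audit_control already present on the new host.
    printf 'dir:/var/audit\nflags:\nminfree:20\nnaflags:\n' > "$dst/audit_control"

    package_audit_config "$src" "$work/audit.tar" || return 1
    install_audit_config "$work/audit.tar" "$dst" || return 1
    set_audit_dirs "$dst/audit_control" /var/audit /net/grebe/var/audit/newhost || return 1

    # audit_data excluded, stock file set aside, two dir: entries, flags kept.
    [ ! -e "$dst/audit_data" ] || return 1
    [ -f "$dst/audit_control.orig" ] || return 1
    [ "$(count_audit_dirs "$dst/audit_control")" = 2 ] || return 1
    grep -q '^flags:lo,ad$' "$dst/audit_control" || return 1
    rm -rf "$work"
}
```

On a real host the archive argument would be the allocated device path (for example /dev/diskette after allocation) and the destination /etc/security; the checksum record travels on the same medium, so it guards against a bad read or a partially written archive rather than against a hostile carrier.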