Trusted Solaris Audit Administration

Advanced Audit Setup (Tasks)

The following procedures describe how to modify the default audit classes and audit events, and to set a public object bit on files and folders to reduce unnecessary auditing.

To Add Audit Classes

  1. As role secadmin, at label admin_low, add audit classes in the audit_class(4) file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Classes action.

  2. Add the classes you planned in Planning a Site-Specific Event-to-Class Mapping, write the file, and exit the editor.


    Caution –

    Do not reassign the hexadecimal numbers already in use.


  3. As role secadmin, at label admin_low, open the Audit Events action to add the new class to each event in the new class.

    For events in more than one class, use a comma (no space) to delimit the classes.

  4. Write the file and exit the editor.

  5. Make any changes to audit_control(4) and audit_user(4) to audit the events in the new classes.

    See To Set Audit Flags and To Set User Exceptions to the Audit Flags for details of the procedures.


    Note –

    On a distributed system, the audit_class, audit_event, audit_startup, and audit_user files must be identical on every host on the network. See To Distribute Audit Configuration Files for a process to distribute master copies of files to all hosts on the network.


  6. Reboot, or as secadmin in an admin_low profile shell, run the auditconfig(1M) command with appropriate options.

    In the following example, the audit session ID is 159, and the new classes are gr (for graphic applications) and db (for database applications).


    $ auditconfig -setsmask 159 gr,db
    

To Add Audit Events

  1. As role secadmin, at label admin_low, add audit events in the audit_event(4) file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Events action.

  2. Add the events you planned in Planning a Site-Specific Event-to-Class Mapping, write the file, and exit the editor.

    For events in more than one class, use a comma (no space) to delimit the classes.


    Note –

    Third-party applications can use the event numbers 32768 through 65536 only. See for more information about event number assignment.


  3. Make any changes to audit_control(4) and audit_user(4) to audit the events in the new classes.

    See To Set Audit Flags and To Set User Exceptions to the Audit Flags for details of the procedures.


    Note –

    On a distributed system, the audit_class, audit_event, audit_startup, and audit_user files must be identical on every host on the network. See To Distribute Audit Configuration Files for a process to distribute master copies of files to all hosts on the network.


  4. Reboot, or as secadmin in an admin_low profile shell, run the auditconfig(1M) command with appropriate options.

    In the following example, the audit session ID is 159, and the new events are in the classes gr (for graphic applications) and db (for database applications).


    $ auditconfig -setsmask 159 gr,db
    
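As an added example (not part of the Trusted Solaris documentation and not a Sun tool), the following Python script applies the rules from the two procedures above to an audit_class file and an audit_event file before they are distributed to other hosts: it rejects a class line that reuses a hexadecimal mask already in use, flags an event that refers to a class not defined in audit_class, requires comma-separated class lists with no spaces, and requires that site-added events use numbers 32768 through 65536. It assumes the standard colon-separated formats (mask:name:description for audit_class and number:name:description:classes for audit_event); the file contents, masks and event names below are constructed samples, and class_mask only computes the combined mask for a class list of the kind passed to auditconfig -setsmask.

```python
"""Offline consistency check for audit_class and audit_event files.

Added example, not from the Trusted Solaris documentation. Assumes the
standard formats: audit_class lines are mask:name:description and
audit_event lines are number:name:description:classes. Lines beginning
with '#' are comments.
"""

THIRD_PARTY_RANGE = (32768, 65536)  # event numbers reserved for third-party/site events

# Constructed sample files (not copies of any system file).
SAMPLE_AUDIT_CLASS = """\
# constructed sample audit_class
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00001000:lo:login or logout
0x01000000:gr:graphic applications
0x02000000:db:database applications
0xffffffff:all:all classes
"""

SAMPLE_AUDIT_EVENT = """\
# constructed sample audit_event
0:AUE_NULL:indir system call:no
6152:AUE_login:login - local:lo
32768:AUE_gr_open_canvas:open drawing canvas:gr
32769:AUE_db_query:database query:db,gr
"""

# Names of the events this site added itself (constructed).
SITE_EVENTS = frozenset({"AUE_gr_open_canvas", "AUE_db_query",
                         "AUE_db_export", "AUE_gr_print"})

# Deliberately broken variants: a reused mask, an out-of-range site event
# with a space in its class list, and an event naming an undefined class.
BAD_AUDIT_CLASS = SAMPLE_AUDIT_CLASS + "0x00000002:xx:reuses the fw mask\n"
BAD_AUDIT_EVENT = SAMPLE_AUDIT_EVENT + (
    "70000:AUE_db_export:export table:db, gr\n"
    "32770:AUE_gr_print:print canvas:graphics\n")


def _strip(raw):
    """Drop a trailing comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_audit_class(text):
    """Return (classes, problems); classes maps class name -> mask."""
    classes, by_mask, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip(raw)
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            problems.append(f"audit_class:{lineno}: expected mask:name:description")
            continue
        mask_str, name, _desc = parts
        try:
            mask = int(mask_str, 16)
        except ValueError:
            problems.append(f"audit_class:{lineno}: bad hex mask {mask_str!r}")
            continue
        if mask in by_mask:  # the Caution: never reassign a mask already in use
            problems.append(f"audit_class:{lineno}: mask {mask_str} already used by class {by_mask[mask]}")
        elif name in classes:
            problems.append(f"audit_class:{lineno}: duplicate class name {name}")
        else:
            classes[name] = mask
            by_mask[mask] = name
    return classes, problems


def parse_audit_event(text, classes, site_events=frozenset()):
    """Return (events, problems); events maps number -> (name, [classes])."""
    events, problems = {}, []
    lo, hi = THIRD_PARTY_RANGE
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip(raw)
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 4:
            problems.append(f"audit_event:{lineno}: expected number:name:description:classes")
            continue
        num_str, name, _desc, class_list = parts
        if not num_str.isdigit():
            problems.append(f"audit_event:{lineno}: bad event number {num_str!r}")
            continue
        num = int(num_str)
        if num in events:
            problems.append(f"audit_event:{lineno}: event number {num} already used by {events[num][0]}")
        if name in site_events and not lo <= num <= hi:
            problems.append(f"audit_event:{lineno}: site event {name} must use a number in {lo}..{hi}")
        if " " in class_list:  # classes are delimited by a comma with no space
            problems.append(f"audit_event:{lineno}: class list {class_list!r} must be comma-separated with no spaces")
        names = [c.strip() for c in class_list.split(",")]
        for cls in names:
            if cls not in classes:  # every class an event names must exist in audit_class
                problems.append(f"audit_event:{lineno}: event {name} refers to unknown class {cls!r}")
        events[num] = (name, names)
    return events, problems


def class_mask(classes, spec):
    """OR together the masks of a class list such as 'gr,db'."""
    mask = 0
    for cls in spec.split(","):
        mask |= classes[cls]
    return mask


def validate(audit_class_text, audit_event_text, site_events=frozenset()):
    """Run both parsers and return every problem found."""
    classes, problems = parse_audit_class(audit_class_text)
    _events, more = parse_audit_event(audit_event_text, classes, site_events)
    return problems + more


if __name__ == "__main__":
    for problem in validate(BAD_AUDIT_CLASS, BAD_AUDIT_EVENT, SITE_EVENTS):
        print(problem)
```

Run it with the real files' contents substituted for the samples on the master host before using the distribution procedure; a clean result means each class mask is unique, every class an event names exists, and the site's own events sit in the third-party range, so the same files can be copied to every host without a mismatch.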

To Change Event-Class Mappings

  1. Change event-class mappings in the audit_control(4) file.

    1. As role secadmin, at label admin_low, open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Events action.

  2. Edit the file to change the class mapping for each event to be changed, write the file, and exit the editor.

    If you are changing events above number 2048, this is all you need to do.


    Note –

    On a distributed system, the audit_class, audit_event, audit_startup, and audit_user files must be identical on every host on the network. See To Distribute Audit Configuration Files for a process to distribute master copies of files to all hosts on the network.


  3. If you modify a kernel event mapping (numbers 1 to 2047), restart auditing by doing one of the following:

    • Reboot the system, or

    • As role secadmin, at label admin_low, change the runtime event-to-class mappings:


      $ auditconfig -conf
      

To Set Public Object Bit

Setting the public object bit can reduce the size of the audit trail when the audit flags select successful accesses of files or directories. A successful read of a file, listing of a directory, or read of a file's or directory's attributes is not written to the audit trail when the object's public object bit is set.

    As role secadmin, at label admin_low, set the public object bit on a local directory of publicly accessible files using the setfattrflag(1) command with the -p 1 option.

    The following command sets the public object bit on the /etc directory. A search of the /etc directory, or a read of files in the /etc directory will not result in an audit record.


    $ setfattrflag -p 1 /etc
    $ getfattrflag /etc
     Multilevel directory: no
     Single level directory: no
              Public object: yes