Trusted Solaris Audit Administration
Preface
Chapter 1 Auditing Basics
Auditing Overview
The Audit Mechanism
Audit Startup
Audit Classes and Events
Audit Classes
Kernel Events
User-Level Events
Non-Attribute Events
Audit Records
Audit Flags
Definitions of Audit Flags
Audit Flag Syntax
Prefixes to Modify Previously Set Audit Flags
Audit Storage
Permissions on Audit Directories
Auditing a System
Sample audit_control File
Auditing User Exceptions
The audit_user File
Process Audit Characteristics
Process Preselection Mask
Audit ID
Audit Session ID
Terminal ID
The audit_data File
The Audit Daemon's Role
Storing Audit Data
Keeping Audit Files Manageable
The audit_warn Script
Controlling Audit Costs
Auditing Efficiently
Setting Audit Policies
Chapter 2 Auditing Setup
Planning Auditing at Your Site
Planning What to Audit
Considerations When Planning What to Audit
Planning a Site-Specific Event-to-Class Mapping
Considerations When Changing Event-to-Class Mappings
Planning Space on a Non-Networked System
Planning Space on a Network of Hosts
Planning the Rollout
Rolling Out Auditing at Your Site
System Administrator's Audit Setup Tasks
Security Administrator's Audit Setup Tasks - Basic
Security Administrator's Audit Setup Tasks - Advanced
Audit Shutdown and Startup (Tasks)
To Disable Auditing
To Enable Auditing
Basic Audit Setup (Tasks)
To Create Dedicated Audit Partitions
Hints
To Execute Commands that Require Privilege
To Remove Free Space (Optional)
To Protect an Audit File System
To Create an Audit Directory
To Share an Audit File System
To Mount an Audit File System
To Reserve Free Space on an Audit File System
To Specify the Audit File Storage Locations
To Set Audit Flags
To Set User Exceptions to the Audit Flags
To Warn of Audit Trouble
To Set Audit Policy Permanently
To Distribute Audit Configuration Files
To Allocate and Deallocate Devices
To Deallocate a Device
Advanced Audit Setup (Tasks)
To Add Audit Classes
To Add Audit Events
To Change Event-Class Mappings
To Set Public Object Bit
Dynamic Auditing (Tasks)
To Determine Current Audit Policy
To Create an Admin_High Workspace
To Set Audit Policy Temporarily
To Change Audit Flags Dynamically
To Stop the Audit Daemon
To Start the Audit Daemon
To Send Audit Records to a New Audit File
Chapter 3 Audit Trail Management and Analysis
The Audit Trail
How the Audit Trail Is Created
Audit Record Format
Order of Audit Tokens
Human-Readable Audit Record Format
Reading an Audit Token
Reading an Audit Record
Audit Files
Audit File Naming
How Audit File Names Are Used
Time-Stamp Format and Interpretation
Example of a File Name for a Still-Active File
Example of a Closed Audit File Name
Audit Files Management
Merging the Audit Trail
Selecting Records from the Audit Trail
Using the auditreduce and praudit Commands
Audit Files Backup and Recovery
Audit Analysis (Tasks)
To Read a Closed Audit File
To Read a Current Audit File
To Display Several Audit Files as One Audit File
To Print an Audit Log
To Display User Activity on a Selected Date
To Print User Activity on a Selected Date
To Copy Login/Logout Messages to a Single File
To Display Audit Records Created Before or After a Designated Date
To Find an Audit Event
To Combine Selected Audit Files
To Reduce Audit Files
To Change the praudit Field Separator to a Tab
To Change the praudit Token Separator to a Tab
To Perform Selections Using a praudit Script
To Back Up Audit Files
To Restore Audit Files
Chapter 4 Troubleshooting Auditing
Preventing Audit Trail Overflow
Cleaning up an Open Audit File
Using the sequence Token for Debugging
Troubleshooting (Tasks)
To Prevent Audit Trail Overflow by Planning Ahead
To Handle an Audit Filesystem Overflow
To Clean Up an Open Audit File
To Add the sequence Token to the Audit Record
To Prevent the sequence Token from Being Part of Audit Records
To Start the Audit Daemon Manually
To Prevent Computers From Being Audited Differently
To Set Audit Class Mappings for Attributable Events
To Set Audit Class Mappings for Non-Attributable Audit Events
To Find Failed Login Attempts
Appendix A Event-to-Class Mappings
Audit Events Listed by Audit Class
Events in Audit Class aa
Events in Audit Class ad
Events in Audit Class ao
Events in Audit Class ap
Events in Audit Class cl
Events in Audit Class fa
Events in Audit Class fc
Events in Audit Class fd
Events in Audit Class fm
Events in Audit Class fn
Events in Audit Class fr
Events in Audit Class fw
Events in Audit Class io
Events in Audit Class ip
Events in Audit Class lo
Events in Audit Class na
Events in Audit Class no
Events in Audit Class nt
Events in Audit Class ot
Events in Audit Class pm
Events in Audit Class ps
Events in Audit Class as
Events in Audit Class ss
Events in Audit Class ax
Events in Audit Class xa
Events in Audit Class xc
Events in Audit Class xl
Events in Audit Class xp
Events in Audit Class xs
Appendix B Audit Record Descriptions
Audit Record Structure
Audit Token Structure
acl Token
arbitrary Token
arg Token
attr Token
clearance Token
cmd Token
exec_args Token
exec_env Token
exit Token
file Token
groups Token (Obsolete)
header Token
host Token
in_addr Token
ip Token
ipc Token
ipc_perm Token
iport Token
liaison Token
newgroups Token
opaque Token
path Token
privilege Token
process Token
return Token
seq Token
slabel Token
socket Token
subject Token
text Token
trailer Token
uauth Token
upriv Token
xatom Token
xclient Token
xcolormap Token
xcursor Token
xfont Token
xgc Token
xpixmap Token
xproperty Token
xselect Token
xwindow Token
Audit Records
General Audit Record Structure
Kernel-Level Generated Audit Records
Kernel-Level Pseudo-Events
X Server Protocol Audit Records
User-Level Generated Audit Records
Appendix C Audit Reference
© 2010, Oracle Corporation and/or its affiliates