System Administration Guide: Security Services

Procedure: How to Determine That Solaris Auditing Is Running

If you believe that auditing has been activated, but no audit records are in your primary audit directory, try the following.

  1. Determine that auditing is running.

    • Verify that the c2audit kernel module is loaded.


      # modinfo | grep c2audit
      

      No listing indicates that auditing is not running. The following listing indicates that auditing is running:


      40  132ce90  14230 186   1  c2audit (C2 system call)
    • Verify that the audit daemon is running.

      Verify the status of the auditd service. The following listing indicates that auditing is not running:


      # svcs -x auditd
      svc:/system/auditd:default (Solaris audit daemon)
       State: disabled since Fri Aug 14 19:02:35 2009
      Reason: Disabled by an administrator.
         See: http://sun.com/msg/SMF-8000-05
         See: auditd(1M)
         See: audit(1M)
      Impact: This service is not running.

      The following listing indicates that the audit service is running:


      # svcs auditd
      STATE          STIME    FMRI
      online         10:10:10 svc:/system/auditd:default
    • Verify the current audit condition.

      The following listing indicates that auditing is not running:


      # auditconfig -getcond
      auditconfig: auditon(2) failed.
      auditconfig: error = Operation not supported(48)

      The following listing indicates that auditing is running:


      # auditconfig -getcond
      audit condition = auditing

    If the audit service is not running, enable it. For the procedure, see How to Enable the Audit Service.

  2. Verify the syntax of the audit_control file.


    # audit -v /etc/security/audit_control
    audit: audit_control must have either a valid "dir:" entry 
    or a valid "plugin:" entry with "p_dir:" specified.

    Correct the errors. The message "syntax ok" indicates that the file is syntactically correct.

  3. Verify that the audit_control file has valid values for the flags and naflags keywords.


    # grep flags /etc/security/audit_control
    flags:lo
    naflags:na,lp
    

    Supply valid values if the audit_control file has invalid values. In the preceding example, lp is an invalid class.

  4. Verify that the audit_user file has valid values for every user.


    # tail audit_user
    ...
    # User Level Audit User File
    #
    # File Format
    #
    #	username:always:never
    #
    root:lo:no
    admin:lp:no

    Supply valid values if the audit_user file contains invalid values. In the preceding example, lp is an invalid class.

  5. If you created a customized audit class, verify that you assigned events to the class.

    For example, the following audit_control file contains a class that Sun did not deliver:


    # grep flags /etc/security/audit_control
    flags:lo,pf
    naflags:na,lo

    For a description of creating the pf class, see How to Add an Audit Class.

    1. Verify that the class is defined in the audit_class file.

      The audit class mask in the first field must be unique. Preselection works on the mask bits, not on the class name, so a mask shared with an existing class would also select that class's events.


      # grep pf /etc/security/audit_class
      0x10000000:pf:profile command

      If the class is not defined, either define it in the audit_class file or remove it from the audit_control and audit_user files.

    2. Verify that events have been assigned to the class.


      # grep pf /etc/security/audit_event
      6180:AUE_prof_cmd:profile command:ua,as,pf
      

      If events are not assigned to the class, assign the appropriate events to this class.

  6. If the previous steps did not indicate a problem, review the system log files, /var/adm/messages and /var/log/syslog.

    1. Locate and fix the problems.

    2. Then, if the audit service is running, restart it.


      # audit -s
      
    3. If the audit service is not running, enable it.

      For the procedure, see How to Enable the Audit Service.
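
The checks in steps 1 through 5 above, scripted as one pass. This is an added example, not code from the Sun guide. Step 1 is wrapped in a function that only runs on Solaris (it uses modinfo, svcs -H -o state, and auditconfig -getcond); the audit -v syntax check of step 2 is left to the page's own command. Steps 3 through 5 are plain file checks that run anywhere, so the script builds four small sample files that mirror the page's listings and validates them. Those sample files are constructed for this example: the class masks other than pf are illustrative, the audit_event lines are a subset, and the "+", "-" and "^" prefix handling in check_classes assumes the audit_control(4) flag syntax. On a Solaris system, point the paths at the real files under /etc/security.

```shell
#!/bin/sh
# Added example (not from the Oracle/Sun guide): script the checks in the
# procedure above. Step 1 needs Solaris; steps 3-5 are file checks that run
# anywhere. The four sample files below are constructed to mirror the page's
# examples; class masks other than pf are illustrative. On Solaris, replace
# the $WORK paths with the real files in /etc/security.

WORK=${TMPDIR:-/tmp}/auditcheck.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/audit_class" <<'EOF'
# mask:name:description  (constructed subset of audit_class)
0x00000000:no:invalid class
0x00000800:na:non-attribute
0x00001000:lo:login or logout
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x10000000:pf:profile command
0xffffffff:all:all classes (meta-class)
EOF
cat > "$WORK/audit_event" <<'EOF'
# number:name:description:classes  (constructed subset of audit_event)
6152:AUE_login:login - local:lo
6180:AUE_prof_cmd:profile command:ua,as,pf
EOF
cat > "$WORK/audit_control" <<'EOF'
dir:/var/audit
flags:lo,pf
minfree:20
naflags:na,lp
EOF
cat > "$WORK/audit_user" <<'EOF'
# username:always:never  (constructed audit_user)
root:lo:no
admin:lp:no
EOF

# Step 1 (Solaris only): c2audit loaded, auditd online, condition "auditing".
audit_running() {
    modinfo | grep -q c2audit || { echo "c2audit module not loaded"; return 1; }
    [ "$(svcs -H -o state svc:/system/auditd:default)" = online ] ||
        { echo "auditd is not online"; return 1; }
    auditconfig -getcond 2>/dev/null | grep -q 'audit condition = auditing' ||
        { echo "audit condition is not 'auditing'"; return 1; }
}

# Print the class list of the flags: or naflags: line of an audit_control file.
control_classes() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -1
}

# Return 0 if every class in a comma-separated list is defined in audit_class.
# Leading +, - and ^ (success/failure/negation prefixes) are stripped first.
check_classes() {
    classfile=$1 bad=
    for c in $(printf '%s\n' "$2" | tr ',' ' '); do
        name=$(printf '%s\n' "$c" | sed 's/^[-+^]*//')
        grep -q "^[^#:]*:$name:" "$classfile" || bad="$bad $name"
    done
    [ -z "$bad" ] && return 0
    echo "unknown audit class(es):$bad"
    return 1
}

# Check every username:always:never line of audit_user against audit_class.
check_audit_user() {
    classfile=$1 rc=0
    while IFS=: read -r user always never; do
        case $user in ''|'#'*) continue ;; esac
        for list in $always $never; do
            check_classes "$classfile" "$list" >/dev/null ||
                { echo "audit_user: $user uses an unknown class in '$list'"; rc=1; }
        done
    done < "$2"
    return $rc
}

# Return 0 if audit_event assigns at least one event to the given class
# (the class list is the fourth colon-separated field).
class_has_events() {
    awk -F: -v c="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == c) found = 1 }
        END { exit !found }' "$1"
}

# Driver: run the page's steps in order against the sample files.
if command -v auditconfig >/dev/null 2>&1; then
    audit_running && echo "step 1: auditing is running"
else
    echo "step 1: not Solaris, skipping kernel/service checks"
fi
for key in flags naflags; do
    list=$(control_classes "$WORK/audit_control" "$key")
    check_classes "$WORK/audit_class" "$list" && echo "step 3: $key:$list ok"
done
check_audit_user "$WORK/audit_class" "$WORK/audit_user" && echo "step 4: audit_user ok"
for name in $(control_classes "$WORK/audit_control" flags | tr ',' ' '); do
    class_has_events "$WORK/audit_event" "$name" ||
        echo "step 5: no events assigned to class $name"
done
```

With the sample files, the script reports the same two problems the page walks through: lp in naflags and lp for the admin user. Because the custom pf class is both defined in audit_class and assigned to event 6180, step 5 stays quiet; delete the pf entry from the audit_event sample to see that check fire.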