The Logical Domains Manager uses the Solaris OS Basic Security Module (BSM) auditing capability. BSM auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log of what was done, when it was done, by whom, and what was affected.
If you want to use this auditing capability, this section describes how to enable, verify, disable, print output, and rotate audit logs. You can find further information about BSM auditing in the Solaris 10 System Administration Guide: Security Services.
You can enable BSM auditing in one of two ways. When you want to disable auditing, be sure you use the same method that you used in enabling. The two methods are as follows:
Use the enable-bsm.fin finish script in the Solaris Security Toolkit.
The enable-bsm.fin script is not used by default by the ldm_control-secure.driver. You must enable the finish script in your chosen driver.
Use the Solaris OS bsmconv(1M) command.
Here are the procedures for both methods.
Enabling auditing with the Solaris Security Toolkit:
Copy the ldm_control-secure.driver to my-ldm.driver, where my-ldm.driver is the name of your copy of the ldm_control-secure.driver.
Copy the ldm_control-config.driver to my-ldm-config.driver, where my-ldm-config.driver is the name for your copy of the ldm_control-config.driver.
Copy the ldm_control-hardening.driver to my-ldm-hardening.driver, where my-ldm-hardening.driver is the name for your copy of the ldm_control-hardening.driver.
Edit my-ldm.driver to refer to the new configuration and hardening drivers, my-ldm-config.driver and my-ldm-hardening.driver, respectively.
Edit my-ldm-hardening.driver, and remove the pound sign (#) from in front of the following line in the driver.
enable-bsm.fin
Execute my-ldm.driver.
# /opt/SUNWjass/bin/jass-execute -d my-ldm.driver
Reboot the Solaris OS for auditing to take effect.
Enabling auditing with the bsmconv(1M) command:
Add vs to the flags: line of the /etc/security/audit_control file.
Run the bsmconv(1M) command.
# /etc/security/bsmconv
For more information about this command, refer to the bsmconv(1M) man page.
Reboot the Solaris OS for auditing to take effect.
Verifying that auditing is enabled:
Type the following command.
# auditconfig -getcond
Check that audit condition = auditing appears in the output.
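As an added example (not part of the Logical Domains documentation), the following POSIX shell script performs the two manual checks above on constructed input: it adds the vs class to the flags: line of an audit_control copy, and it checks captured auditconfig -getcond output for the expected condition line. The function names and the temporary-file handling are assumptions of this example; run it against a copy, not the live /etc/security/audit_control.

```shell
#!/bin/sh
# Helpers for the audit_control edit and the audit condition check,
# written against a constructed audit_control copy.

# Add the "vs" class to the flags: line of an audit_control file, keeping
# the classes already listed and doing nothing if "vs" is already present.
# Returns 1 if the file has no flags: line at all.
add_vs_flag() {
    file="$1"
    grep -q '^flags:' "$file" || return 1
    tmp="$file.tmp.$$"
    awk '
        /^flags:/ {
            sub(/^flags:/, ""); gsub(/[[:blank:]]/, "")
            n = split($0, cls, ","); have = 0; out = ""
            for (i = 1; i <= n; i++) {
                if (cls[i] == "") continue
                if (cls[i] == "vs") have = 1
                out = (out == "") ? cls[i] : (out "," cls[i])
            }
            if (!have) out = (out == "") ? "vs" : (out ",vs")
            print "flags:" out
            next
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return the class list from the flags: line, for checking the edit.
get_flags() {
    sed -n 's/^flags:[[:blank:]]*//p' "$1"
}

# Check captured "auditconfig -getcond" output for the line the procedure
# says to look for. Takes the output as text so it runs off a Solaris host.
auditing_active() {
    printf '%s\n' "$1" | grep -q '^audit condition = auditing$'
}

# Stand-alone demonstration on a constructed audit_control file.
demo=$(mktemp)
printf 'dir:/var/audit\nflags:lo,ad\nminfree:20\nnaflags:lo\n' > "$demo"
add_vs_flag "$demo"
echo "flags after edit: $(get_flags "$demo")"   # lo,ad,vs
rm -f "$demo"
```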
You can disable auditing in one of two ways, depending on how you enabled it. See Enabling and Using BSM Auditing.
Do one of the following.
Undo the Solaris Security Toolkit hardening run that enabled BSM auditing.
# /opt/SUNWjass/bin/jass-execute -u
Run the Solaris OS bsmunconv(1M) command.
# /etc/security/bsmunconv
Reboot the Solaris OS for the disabling of auditing to take effect.
Use one of the following to print BSM audit output:
Use the Solaris OS commands auditreduce(1M) and praudit(1M) to print audit output.
# auditreduce -c vs | praudit
# auditreduce -c vs -a 20060502000000 | praudit
Use the Solaris OS praudit -x command to print XML output.