Logical Domains 1.2 Administration Guide

Enabling and Using BSM Auditing

The Logical Domains Manager uses the Solaris OS Basic Security Module (BSM) auditing capability. BSM auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log of what was done, when it was done, by whom, and what was affected.

If you want to use this auditing capability, this section describes how to enable and verify auditing, disable it, print audit output, and rotate audit logs. You can find further information about BSM auditing in the Solaris 10 System Administration Guide: Security Services.

You can enable BSM auditing in one of two ways. When you want to disable auditing, be sure you use the same method that you used in enabling. The two methods are as follows:

  • Use the enable-bsm.fin finish script of the Solaris Security Toolkit.

  • Use the Solaris OS bsmconv(1M) command.

Here are the procedures for both methods.

Procedure: Use the enable-bsm.fin Finish Script

  1. Copy the ldm_control-secure.driver to my-ldm.driver, where my-ldm.driver is the name for your copy of the ldm_control-secure.driver.

  2. Copy the ldm_control-config.driver to my-ldm-config.driver, where my-ldm-config.driver is the name for your copy of the ldm_control-config.driver.

  3. Copy the ldm_control-hardening.driver to my-ldm-hardening.driver, where my-ldm-hardening.driver is the name for your copy of the ldm_control-hardening.driver.

  4. Edit my-ldm.driver to refer to the new configuration and hardening drivers, my-ldm-config.driver and my-ldm-hardening.driver, respectively.

  5. Edit my-ldm-hardening.driver, and remove the pound sign (#) from in front of the following line in the driver.


    enable-bsm.fin
  6. Execute my-ldm.driver.


    # /opt/SUNWjass/bin/jass-execute -d my-ldm.driver
    
  7. Reboot the Solaris OS for auditing to take effect.

Procedure: Use the Solaris OS bsmconv(1M) Command

  1. Add the vs audit class to the flags: line of the /etc/security/audit_control file. vs is the class under which the Logical Domains Manager records its events; without it on the flags: line, BSM is enabled but no Logical Domains events are preselected for recording.

  2. Run the bsmconv(1M) command.


    # /etc/security/bsmconv
    

    For more information about this command, refer to the bsmconv(1M) man page.

  3. Reboot the Solaris OS for auditing to take effect.

Procedure: Verify that BSM Auditing is Enabled

  1. Type the following command.


    # auditconfig -getcond
    
  2. Check that audit condition = auditing appears in the output. Any other value (for example, audit condition = noaudit) means auditing is not active, usually because the system has not been rebooted since bsmconv or the finish script was run.
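The bsmconv procedure and the verification step above, as an added shell example that is not part of the Logical Domains guide. It makes the audit_control edit idempotent (a second run does not add a second vs entry) and parses the auditconfig -getcond output instead of eyeballing it. Assumptions: the Solaris 10 audit_control(4) layout of one keyword:value pair per line, a root shell on the control domain, and a file path passed as a parameter so the edit can be rehearsed on a copy before touching /etc/security/audit_control. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Logical Domains guide): enable BSM auditing for
# the vs class with bsmconv and check the result after the reboot.
# Assumes Solaris 10 audit_control(4) format: "flags:lo,ad", one keyword per line.

# Print the value of the flags: line of an audit_control file (empty if none).
audit_flags() {
    sed -n 's/^flags://p' "$1"
}

# Return 0 if class "vs" is already preselected on the flags: line.
# Only an unprefixed "vs" token counts: "+vs" and "-vs" preselect success-only
# or failure-only events, which would miss half of the Logical Domains
# Manager's operations.
has_vs_flag() {
    audit_flags "$1" | tr ',' '\n' | grep -qx 'vs'
}

# Add "vs" to the flags: line, creating the line if the file has none.
# Rewrites through a temp file so a failed awk leaves the original untouched.
add_vs_flag() {
    file="$1"
    has_vs_flag "$file" && return 0
    awk -F: 'BEGIN { OFS = ":" }
        /^flags:/ { $2 = ($2 == "") ? "vs" : $2 ",vs"; done = 1 }
        { print }
        END { if (!done) print "flags:vs" }' "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Interpret one auditconfig -getcond output line: 0 only if the kernel reports
# that auditing is active.
audit_cond_is_auditing() {
    case "$1" in
        *"audit condition = auditing"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1 and 2 of the bsmconv procedure. Invoke as:
#   enable_bsm_auditing /etc/security/audit_control
# bsmconv prompts for confirmation; a reboot is still required afterwards.
enable_bsm_auditing() {
    add_vs_flag "$1" || return 1
    /etc/security/bsmconv || return 1
    echo "BSM enabled; reboot, then run verify_bsm_auditing"
}

# The verification procedure, to be run after the reboot.
verify_bsm_auditing() {
    cond=$(auditconfig -getcond 2>&1)
    if audit_cond_is_auditing "$cond"; then
        echo "auditing is active"
    else
        echo "auditing is NOT active: $cond" >&2
        return 1
    fi
}
```

Rehearse add_vs_flag on a copy of audit_control first; the awk rewrite only touches the flags: line and appends one if the file lacks it, so diffing the copy against the original shows exactly what will change.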

Procedure: Disable Auditing

You can disable auditing in one of two ways, depending on how you enabled it. See Enabling and Using BSM Auditing.

  1. Do one of the following.

    • Undo the Solaris Security Toolkit hardening run that enabled BSM auditing.


      # /opt/SUNWjass/bin/jass-execute -u
      
    • Run the Solaris OS bsmunconv(1M) command.


      # /etc/security/bsmunconv
      
  2. Reboot the Solaris OS for the disabling of auditing to take effect.

Procedure: Print Audit Output

  1. Use one of the following to print BSM audit output:

    • Use the Solaris OS commands auditreduce(1M) and praudit(1M) to print audit output. The -c vs option selects only records of the vs class (the Logical Domains Manager events); the -a option restricts output to records after the given time, in yyyymmddHHMMSS form.


      # auditreduce -c vs | praudit
      # auditreduce -c vs -a 20060502000000 | praudit
      
    • Pipe the auditreduce output to the Solaris OS praudit -x command instead of praudit to print XML output.

Procedure: Rotate Audit Logs

  1. Use the Solaris OS audit -n command to rotate audit logs. It tells the audit daemon to close the current audit file and open a new one in the current audit directory, so that the closed file can be archived or reduced without interrupting auditing.