This procedure enables auditing of every zone identically. Of the available approaches, it requires the least system overhead and the least administrative effort, because only the global zone's audit configuration is maintained and the non-global zones share it.
Configure the global zone for auditing.
Complete the tasks in Configuring Audit Files (Task Map).
Complete the tasks in Configuring and Enabling the Audit Service (Task Map), with the following exceptions.
Do not enable the perzone audit policy.
Do not enable the audit service. You enable the audit service after you have configured the non-global zones for auditing.
Copy the audit configuration files from the global zone to every non-global zone.
Copy any of the following files that you have edited: audit_class, audit_control, audit_event, audit_user. Do not copy audit_startup or audit_warn. You do not have to copy files that you have not edited.
You have two options. As superuser, you can copy the files, or loopback mount the files. The copy option can be used while the non-global zone is running. The loopback mount option requires the zone to be halted while you change its configuration, as described below.
Copy the files.
From the global zone, list the /etc/security directory in the non-global zone. In the commands that follow, /zone/zonename stands for the non-global zone's root file system as it is seen from the global zone.
# ls /zone/zonename/etc/security/
Copy the audit configuration files to the zone's /etc/security directory.
# cp /etc/security/audit-file /zone/zonename/etc/security/audit-file
Later, if you modify an audit configuration file in the global zone, you re-copy the file to the non-global zones.
Loopback mount the configuration files.
From the global zone, halt the non-global zone.
# zoneadm -z non-global-zone halt
Create a read-only loopback mount for every audit configuration file that you modified in the global zone.
# zonecfg -z non-global-zone
add fs
set special=/etc/security/audit-file
set dir=/etc/security/audit-file
set type=lofs
add options [ro,nodevices,nosetuid]
end
exit
To make the changes effective, boot the non-global zone.
# zoneadm -z non-global-zone boot
You can also reboot the system.
Later, if you modify an audit configuration file in the global zone, you reboot the system to refresh the loopback-mounted files in the non-global zones.
In this example, the system administrator has modified the audit_class, audit_event, audit_control, audit_user, audit_startup, and audit_warn files.
The audit_startup and audit_warn files are read in the global zone only, so they do not have to be loopback mounted into the non-global zones.
On this system, machine1, the administrator has created two non-global zones, machine1-webserver and machine1-appserver. The administrator has finished customizing the audit configuration files. If the administrator later modifies the files, the system will be rebooted to make the changes effective.
# zoneadm -z machine1-webserver halt
# zoneadm -z machine1-appserver halt
# zonecfg -z machine1-webserver
add fs
set special=/etc/security/audit_class
set dir=/etc/security/audit_class
set type=lofs
add options [ro,nodevices,nosetuid]
end
add fs
set special=/etc/security/audit_event
set dir=/etc/security/audit_event
set type=lofs
add options [ro,nodevices,nosetuid]
end
add fs
set special=/etc/security/audit_control
set dir=/etc/security/audit_control
set type=lofs
add options [ro,nodevices,nosetuid]
end
add fs
set special=/etc/security/audit_user
set dir=/etc/security/audit_user
set type=lofs
add options [ro,nodevices,nosetuid]
end
exit
# zonecfg -z machine1-appserver
add fs
set special=/etc/security/audit_class
set dir=/etc/security/audit_class
set type=lofs
add options [ro,nodevices,nosetuid]
end
...
exit
When the zones are rebooted, the audit configuration files are read-only in the zones.
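The following POSIX shell helpers are an added example and are not part of the original procedure or of Oracle's documentation. They cover both options from step 2 for one zone: copying the edited audit configuration files into a zone root, checking afterwards whether a zone's copies have drifted from the global zone's files (the "re-copy after you modify" caveat), and generating the zonecfg input for the read-only loopback mounts without executing it. The directory tree it runs against is constructed under a temporary directory, and the zone name and file contents are hypothetical; on a real system the zone root argument is the non-global zone's root file system as seen from the global zone.

```shell
#!/bin/sh
# Added example (not from the original page): keep non-global zones' audit
# configuration identical to the global zone's. The zone roots, zone name and
# file contents used in the demonstration below are constructed and hypothetical.

# Only these files are read inside the zones; audit_startup and audit_warn are
# read in the global zone only and are deliberately not copied or mounted.
AUDIT_FILES="audit_class audit_control audit_event audit_user"

# copy_audit_files GLOBALROOT ZONEROOT
# Copy each audit configuration file that exists under GLOBALROOT/etc/security
# into ZONEROOT/etc/security (the "copy" option). Prints the name of every file
# copied, one per line. Files that were never edited (absent) are skipped.
copy_audit_files() {
    for f in $AUDIT_FILES; do
        src="$1/etc/security/$f"
        [ -f "$src" ] || continue
        cp "$src" "$2/etc/security/$f" || return 1
        echo "$f"
    done
}

# audit_drift GLOBALROOT ZONEROOT
# Print the name of each audit configuration file whose copy in the zone is
# missing or differs from the global zone's version. Exit status is 1 when any
# drift is found and 0 when the zone is in sync with the global zone.
audit_drift() {
    rc=0
    for f in $AUDIT_FILES; do
        src="$1/etc/security/$f"
        dst="$2/etc/security/$f"
        [ -f "$src" ] || continue
        if [ ! -f "$dst" ] || ! cmp -s "$src" "$dst"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# lofs_zonecfg ZONE FILE...
# Print the zonecfg(1M) input that adds a read-only, nodevices, nosetuid
# loopback mount for each FILE (the "loopback mount" option). Nothing is
# executed: halt ZONE first, then pipe this output into `zonecfg -z ZONE`.
lofs_zonecfg() {
    zone=$1
    shift
    for f in "$@"; do
        printf 'add fs\n'
        printf 'set special=/etc/security/%s\n' "$f"
        printf 'set dir=/etc/security/%s\n' "$f"
        printf 'set type=lofs\n'
        printf 'add options [ro,nodevices,nosetuid]\n'
        printf 'end\n'
    done
    printf 'exit\n'
}

# --- Demonstration on a constructed directory tree (no real zones involved) ---
demo=$(mktemp -d)
mkdir -p "$demo/global/etc/security" "$demo/zones/webserver/root/etc/security"
printf 'aw:0x00000800:administrative write\n' > "$demo/global/etc/security/audit_class"
printf 'flags:lo,aw\n' > "$demo/global/etc/security/audit_control"

copy_audit_files "$demo/global" "$demo/zones/webserver/root"
audit_drift "$demo/global" "$demo/zones/webserver/root" && echo "webserver: in sync"

# Edit the global zone's file; the zone's copy now lags until it is re-copied.
printf 'flags:lo,aw,ex\n' > "$demo/global/etc/security/audit_control"
audit_drift "$demo/global" "$demo/zones/webserver/root" || echo "webserver: re-copy needed"

# zonecfg input for the loopback-mount option, for the two edited files.
lofs_zonecfg webserver audit_class audit_control
rm -rf "$demo"
```

Run audit_drift from the global zone against every zone root after each configuration change; a non-zero exit is the signal that step 2 has to be repeated for that zone. The zonecfg output is printed rather than applied so it can be reviewed before the zone is halted and reconfigured.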