System Administration Guide: Security Services

Configuring Audit Files

Before you enable auditing on your network, you may want to edit the audit configuration files. Many of the following procedures require that you restart the service or reboot the local system. You should make as many of these changes as possible before you start the service.

Configuring Audit Files (Task Map)

The following task map describes the tasks in this section.

Task	Description	For Instructions
Change audit flags	Defines the location of the audit directories and system-wide flags for the audit service.	How to Change Audit Flags
Change audit characteristics for users	Selects specific auditing for a user.	How to Change Users' Audit Characteristics
Change audit classes	Selects which events, classes, and users require auditing.	How to Change Audit Classes
Change audit events	Adds new events to the auditing service.	How to Change Audit Events

How to Change Audit Flags

Audit flags are defined in the /etc/security/audit_control file. The audit flags select which classes of audit records are written to the audit log.

Become superuser or assume an equivalent role.

(Optional) Save a backup copy of the audit_control file.

# cp /etc/security/audit_control /etc/security/audit_control.save

Add new entries to the audit_control file.

Each entry has the following format:
title:string
title

Defines the type of line. Options are dir:, flags:, minfree:, or naflags:.

string

Lists specific data that is associated with the line type

Instruct the audit daemon to read the new audit_control file.

The audit daemon stores the information internally. To use the new information, either reboot the system or type the following command:
# audit -s

Example — Changing Audit Trail File Locations

Lines that start with dir: define which audit file systems can be used to store audit trail files. In this example, two additional locations for audit trail files are defined.

# cat /etc/security/audit_control
dir:/etc/security/audit/host.1/files
dir:/etc/security/audit/host.2/files
dir:/var/audit
flags:
minfree:10
naflags:lo

Example — Changing Audit Flags for All Users

The flags line in the audit_control file defines which classes of events are audited for all users on the host. The classes are separated by commas, with no spaces. In this example, the events in the lo class are audited for all users.

# cat /etc/security/audit_control
dir:/var/audit
flags:lo
minfree:10
naflags:lo

Example — Changing the Soft Limit for Warnings

The minfree line in the audit_control file defines the minimum free-space level for all audit file systems. In this example, the soft limit is set so that a warning is issued when only 10 percent of the file system is available.

# cat /etc/security/audit_control
dir:/var/audit
flags:
minfree:10
naflags:lo

Example — Changing Auditing of Nonattributable Events

The naflags: line in the audit_control file defines which classes of nonattributable events are audited for all users on the host. The classes are separated by commas, with no spaces. In this example, the na event class was added.

# cat /etc/security/audit_control
dir:/var/audit
flags:
minfree:10
naflags:lo,na

How to Change Users' Audit Characteristics

Definitions for each user can be stored in the /etc/security/audit_user file.

Become superuser or assume an equivalent role.

(Optional) Save a backup copy of the audit_user file.

# cp /etc/security/audit_user /etc/security/audit_user.save

Add new entries to the audit_user file.

Each entry has the following format:

username:always:never

`username`	Selects the name of the user to be audited
`always`	Selects the list of audit classes that should always be audited
`never`	Selects the list of audit classes that should never be audited

You can specify multiple flags by separating the audit classes with commas. For more information about audit flags, see Audit Flags.

Make the new data available to the BSM service.

To use the new data, either reboot the system, or have the user log out and back in again.

Example — Changing Auditing for One User

This example shows an entry that causes audit records to be generated anytime the user sue accesses any programs in the login class (lo).

# grep sue /etc/security/audit_user
sue:lo:

Example — Creating an Audit Admin Login

If all the audit partitions are full, then it could be impossible to log in to a host. If all logins are audited, then the fact that the audit partitions are full would prevent anyone from completing a login. To avoid this situation, you can set up a special login that is not audited. This new login would allow you to log in to the host even if the audit partitions are full. Then, you could fix the problem with the full partitions. In this example, the user auditadm is defined so that no auditing takes place.

# grep auditadm /etc/security/audit_user
auditadmin:no:yes

Note –

The user login that is selected to serve as the audit admin login might need to be monitored in another way.

How to Change Audit Classes

Audit classes are defined in the /etc/security/audit_class file.

Become superuser or assume an equivalent role.

(Optional) Save a backup copy of the audit_class file.

# cp /etc/security/audit_class /etc/security/audit_class.save

Add new entries to the audit_class file.

Each entry has the following format:
0xnumber:name:description
number

Defines the unique audit class mask

name

Defines the two-letter name of the audit class

description

Defines the descriptive name of the audit class

Make the new data available to the BSM service.

To use the new data, either reboot the system, or type the following command:
# auditconfig -conf

Example — Setting a New Audit Class

In step 3, add an entry that resembles the following to set a new audit class called de:

0x00010000:de:device allocation

How to Change Audit Events

Audit event definitions are stored in the /etc/security/audit_event file. A record is generated only after the event definition has been created and a user-level action generates the event.

Become superuser or assume an equivalent role.

(Optional) Save a backup copy of the audit_event file.

# cp /etc/security/audit_event /etc/security/audit_event.save

Add new entries to the audit_event file.

Each entry has the following format:

number:name:description:classes

`number`	Defines a unique audit event number, which must start after 32768.
`name`	Defines the unique audit event name.
`description`	Describes the audit event. Often includes the name of the man page for the audit event
`classes`	Selects the audit classes that include this event.

Make the new data available to the BSM service.

To use the new data, either reboot the system, or type the following command:
# auditconfig -conf

Example — Adding a New Audit Event

This example shows an entry that defines a new audit event for a local application.

# grep localapp /etc/security/audit_event
32769:aue_localapp:localapp(1):ap

`title`	Defines the type of line. Options are `dir:`, `flags:`, `minfree:`, or `naflags:`.
`string`	Lists specific data that is associated with the line type

`number`	Defines the unique audit class mask
`name`	Defines the two-letter name of the audit class
`description`	Defines the descriptive name of the audit class