System Administration Guide: Security Services

Configuring the Audit Service

This section covers the tasks that are required to configure and enable the audit service.

Configuring the Audit Service (Task Map)

The following task map describes the tasks that are required to configure auditing.

Task | Description | For Instructions
1. Plan for auditing | Resolve configuration issues before you configure auditing. | Chapter 23, Audit Planning
2. Create audit partitions | Creates the partitions for the audit files. | How to Create Partitions for Auditing
3. Create the audit_warn alias | Defines who should get email warnings. | How to Configure the audit_warn Alias
4. (Optional) Change audit policies | Defines additional audit records or auditing conditions. | How to Enable or Disable an Audit Policy
5. (Optional) Change the audit configuration files | Selects which events, classes, and users require auditing. | Configuring Audit Files
6. Enable auditing | Turns on auditing. | How to Enable Auditing
7. (Optional) Disable auditing | Turns off auditing. | How to Disable Auditing
8. (Optional) Start device allocation | Selects which removable media should be accessed in a more secure mode. | Managing Device Allocation

How to Create Partitions for Auditing

The following procedure shows how to create partitions for auditing, as well as the corresponding file systems and directories. Skip steps as necessary, depending on whether you already have an empty partition or have already mounted an empty file system.

  1. Become superuser or assume an equivalent role.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. However, the disk space requirements are based on how much auditing you perform. So, your requirements might be far greater than this figure. Remember to include a partition for a directory of last resort.

  3. Create dedicated audit partitions, as needed.

    This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see “Creating a UFS File System” in System Administration Guide: Basic Administration.


    newfs /dev/rdsk/cwtxdysz
    

    Where /dev/rdsk/cwtxdysz is the raw device name for the partition.

    If the local host is to be audited, create an audit directory of last resort for it as well.

  4. Create mount points for each new partition.


    mkdir /var/audit/server-name.n
    

    Where server-name.n is the name of the server and a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.

  5. Add entries to automatically mount the new partitions.

    Add a line to the /etc/vfstab file that resembles the following:


    /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes  -

    The final field holds the mount options; a hyphen means that no options are set.

  6. (Optional) Remove the minimum free space threshold on each partition.

    If you use the default configuration, a warning will be generated when the directory is 80 percent full, so there is no reason to reserve free space on the partition.


    tunefs -m 0 /var/audit/server-name.n
    
  7. Mount the new audit partitions.


    mount /var/audit/server-name.n
    
  8. Create audit directories on the new partitions.


    mkdir /var/audit/server-name.n/files
  9. Correct the permissions on the mount points and new directories.


    chmod -R 750 /var/audit/server-name.n/files
  10. (Optional) On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry resembling the following for each directory to the /etc/dfs/dfstab file.


    share -F nfs /var/audit/server-name.n/files
  11. (Optional) On a file server, restart the NFS service.

    If this is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart them. Refer to “Setting Up NFS Services” in System Administration Guide: Resource Management and Network Services for more information about the NFS service.


    # /etc/init.d/nfs.server stop
    # /etc/init.d/nfs.server start
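
As an added example that is not part of the guide, the following POSIX shell script checks the results of steps 5 through 9 against a constructed sample rather than a live system: it verifies that an audit partition's /etc/vfstab entry has all seven fields, uses ufs, mounts at boot and names the /dev/rdsk twin of its block device as the fsck device, and that the files directory is mode 750. The function names and the sample vfstab and directory are the example's own.

```shell
#!/bin/sh
# Added example, not from the guide: sanity-check an audit partition's
# /etc/vfstab entry and its files directory against the conventions of the
# procedure above (7 fields, ufs, mounted at boot, /dev/rdsk fsck device,
# mode 750). File and directory paths are parameters, so the checks run
# here against a constructed sample rather than the live system.

# check_vfstab_entry VFSTAB MOUNTPOINT
# Succeeds only if exactly one well-formed entry for MOUNTPOINT exists.
check_vfstab_entry() {
    awk -v mp="$2" '
        /^#/ || NF == 0 { next }                 # skip comments and blanks
        $3 == mp {
            n++
            if (NF != 7)     { print mp ": expected 7 fields, got " NF; bad = 1 }
            if ($4 != "ufs") { print mp ": FS type is " $4 ", not ufs"; bad = 1 }
            if ($6 != "yes") { print mp ": mount at boot is " $6; bad = 1 }
            raw = $1; sub("/dev/dsk/", "/dev/rdsk/", raw)
            if ($2 != raw)   { print mp ": fsck device " $2 " != " raw; bad = 1 }
        }
        END { if (n != 1) { print mp ": " (n + 0) " entries found"; exit 1 } exit bad }
    ' "$1"
}

# check_audit_dir DIR: the audit files directory must be mode 750 (step 9).
check_audit_dir() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxr-x---" ]
}

# Constructed sample vfstab: egret.1 is correct, egret.2 lacks the options field.
demo_vfstab=$(mktemp)
cat > "$demo_vfstab" <<'EOF'
#device            device              mount              FS   fsck mount   mount
#to mount          to fsck             point              type pass at boot options
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2    yes     -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2    yes
EOF

# Constructed sample mount point with a correctly protected files directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/files" && chmod 750 "$demo_dir/files"

for mp in /var/audit/egret.1 /var/audit/egret.2; do
    if check_vfstab_entry "$demo_vfstab" "$mp"; then echo "$mp: vfstab entry OK"; fi
done
check_audit_dir "$demo_dir/files" && echo "$demo_dir/files: mode 750 OK"
```

Run it as root against the real /etc/vfstab and /var/audit/server-name.n/files after completing the steps to confirm the partition will mount at boot with the intended protection.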
    

Example — Creating an Audit Directory of Last Resort

All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system named egret. Since this file system is only used locally, none of the steps for a file server are followed.


# newfs /dev/rdsk/c0t2d0s1
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret ufs  2  yes  -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files

Example — Creating New Audit Partitions

In this example, a new file system is created on two new disks that are to be used by other systems in the network.


# newfs /dev/rdsk/c0t2d0s1
# newfs /dev/rdsk/c0t2d1s1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2  yes  -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2  yes  -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
 share -F nfs /var/audit/egret.1/files
 share -F nfs /var/audit/egret.2/files
# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start

How to Configure the audit_warn Alias

The audit_warn script generates mail to an alias called audit_warn. To send this mail to a valid email address, you can follow either of the following steps:

  1. Become superuser or assume an equivalent role.

  2. (Optional) Swap the audit_warn alias with another alias.

    One option is to edit the audit_warn script and replace audit_warn with another alias. After you swap audit_warn for root, the line that sends the email message would resemble the following:


        /usr/ucb/mail -s "$SUBJECT" root
    

    Ten lines in the script require this change.

  3. (Optional) Redirect the audit_warn email to another alias.

    The other option is to redirect the email in the /etc/mail/aliases file. In this case, add an alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. If the email is to be redirected to the root alias, the new entry would resemble the following:


    audit_warn: root

How to Enable or Disable an Audit Policy

Audit policies determine the characteristics of the audit records for the local host. Audit policies are either enabled or disabled for a particular configuration. By default, all audit policies are disabled. You need to enable any audit policies that you want to use. For a description of each policy, see Audit Policies.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Review the existing audit policies.

    Ensure that you are aware of all the policies that are being used before you change any. The following command lists the enabled policies:


    # auditconfig -lspolicy
    
  3. Enable or disable the audit policy.


    auditconfig -setpolicy flagpolicyname


    flag

    A + enables the policy. A - disables the policy.

    policyname

    Selects the policy to be enabled or disabled.

    The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.

Example — Setting the cnt Policy

The cnt policy can be set so that if the audit partitions become full, then processes are not blocked. The records are discarded when the partitions are full, but the system still functions even though the auditing process is not recording the events. The cnt policy should not be set if security is paramount, since unrecorded events can occur if the file system is full.

The following command enables the cnt policy:


# auditconfig -setpolicy +cnt

For a secure site, you should enable the cnt policy in an appropriate startup file.

How to Enable Auditing

This task starts the auditing service. If the service has been configured, then rebooting the host also starts the service.

  1. Become superuser or assume an equivalent role.

  2. Bring the system into single-user mode.


    # /etc/telinit 1
    

    See the telinit(1M) man page for more information.

  3. Run the script to configure the system to run auditing.

    Go to the /etc/security directory, and execute the bsmconv script there. The script sets up a standard Solaris machine to run BSM after a reboot. See the bsmconv(1M) man page.


    # cd /etc/security
    # ./bsmconv
    
  4. Bring the system into multiuser mode.


    # /etc/telinit 6
    

    The startup file /etc/security/audit_startup causes the audit daemon to run automatically when the system enters multiuser mode.


    Note –

    The bsmconv script adds a line to the /etc/system file that prevents users from aborting the system with the Stop-A keyboard sequence. To retain the ability to abort the system with the Stop-A keyboard sequence, you must comment out the line in the /etc/system file that reads: set abort_enable=0.


How to Disable Auditing

If BSM is no longer required at some point, you can disable it by running the bsmunconv command. See the bsmconv(1M) man page.

  1. Become superuser or assume an equivalent role.

  2. Bring the system into single-user mode.


    # /etc/telinit 1
    

    See the telinit(1M) man page for more information.

  3. Run the script to disable auditing.

    Change to the /etc/security directory, and execute the bsmunconv script there.


    # cd /etc/security
    # ./bsmunconv
    

  4. Bring the system into multiuser mode.


    # /etc/telinit 6
    


    Note –

    The bsmunconv script removes the line in the /etc/system file that prevents users from aborting the system with the Stop-A keyboard sequence. If you want to continue to prevent users from aborting the system with the Stop-A keyboard sequence after you run the bsmunconv script, you must re-enter the line that reads set abort_enable=0 into the /etc/system file.