test

System Administration Guide: Security Services

Configuring the Auditing Service (Task Map)

This section covers the tasks that are required to configure and enable the auditing service. The following task map describes the tasks that are required to configure the auditing service.

Task 

Description 

For Instructions 

1. (Optional) Change the audit configuration files 

Selects which events, classes, and users require auditing. 

Configuring Audit Files (Task Map)

2. Create audit partitions 

Creates the partitions for the audit files. 

How to Create Partitions for Auditing

3. Create the audit_warn alias

Defines who should get email warnings. 

How to Configure the audit_warn Alias

4. (Optional) Change audit policies 

Defines additional audit records or auditing conditions. 

How to Enable or Disable an Audit Policy

5. Enable auditing 

Turns on auditing. 

How to Enable Auditing

6. (Optional) Disable auditing 

Turns off auditing. 

How to Disable Auditing

7. (Optional) Start device allocation 

Selects which removable media should be accessed in a more secure mode. 

Managing Device Allocation (Tasks)

How to Create Partitions for Auditing

The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

  1. Become superuser or assume an equivalent role.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. However, the disk space requirements are based on how much auditing you perform. So, your requirements might be far greater than this figure. Remember to include a partition for a directory of last resort.

  3. Create dedicated audit partitions, as needed.

    This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see “Creating a UFS File System” in System Administration Guide: Basic Administration.


    # newfs /dev/rdsk/cwtxdysz

    where /dev/rdsk/cwtxdysz is the raw device name for the partition.

    If the local host is to be audited, create an audit directory of last resort for the local host as well.

  4. Create mount points for each new partition.


    # mkdir /var/audit/server-name.n

    Where server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.

  5. Add entries to automatically mount the new partitions.

    Add a line to the /etc/vfstab file that resembles the following:


    /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes

  6. (Optional) Remove the minimum free space threshold on each partition.

    If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.


    # tunefs -m 0 /var/audit/server-name.n

  7. Mount the new audit partitions.


    # mount /var/audit/server-name.n

  8. Create audit directories on the new partitions.


    # mkdir /var/audit/server-name.n/files

  9. Correct the permissions on the mount points and new directories.


    # chmod -R 750 /var/audit/server-name.n/files

  10. (Optional) On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file.


    share -F nfs /var/audit/server-name.n/files

  11. (Optional) On a file server, restart the NFS service.

    If this command is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart the daemons. Refer to “Setting Up NFS Services” in System Administration Guide: Resource Management and Network Services for more information about the NFS service.


    # /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start

Example—Creating an Audit Directory of Last Resort

All systems that run the auditing subsystem should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Since this file system is only used locally, none of the steps for a file server are followed.


# newfs /dev/rdsk/c0t2d0
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret ufs  2  yes  -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files

Example—Creating New Audit Partitions

In this example, a new file system is created on two new disks that are to be used by other systems in the network.


# newfs /dev/rdsk/c0t2d0
# newfs /dev/rdsk/c0t2d1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2  yes  -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2  yes  -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
 share -F nfs /var/audit/egret.1/files
 share -F nfs /var/audit/egret.2/files
# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start

How to Configure the audit_warn Alias

The audit_warn script generates mail to an alias that is called audit_warn. To send this mail to a valid email address, you can follow either of the following options:

  1. Become superuser or assume an equivalent role.

  2. Configure the audit_warn mail alias.

    OPTION 1 –

    Replace the audit_warn alias with another mail account in the audit_warn script.

    After you replace audit_warn with the root account, the line that sends the email message would resemble the following:


    /usr/ucb/mail -s "$SUBJECT" root

    Ten lines in the audit_warn script require this change.

    OPTION 2 –

    Redirect the audit_warn email to another mail account.

    In this case, you would add the audit_warn alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn alias:


    audit_warn: root

How to Enable or Disable an Audit Policy

Audit policies determine the characteristics of the audit records for the local host. By default, all audit policies are disabled. You need to enable any audit policies that you want to use. For a description of each policy, see Audit Policies.

You can inspect, enable, or disable the current audit policy with the auditon() system call at the program level. Or, to do the same task, you can run the auditconfig command. You can also modify the policy options to the auditconfig command in the audit_startup script to make more permanent audit policy changes.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Review the existing audit policies.

    Ensure that you are aware of all the policies that are being used before you change any policies. The following command lists the enabled policies:


    # auditconfig -lspolicy

  3. Enable or disable the audit policy.


    # auditconfig -setpolicy flagpolicyname
    flag

    A flag value of + enables the policy. A flag value of - disables the policy.

    policyname

    Selects the policy to be enabled or to be disabled.

    The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.

Example—Setting the cnt Policy

The cnt policy can be set so that if the audit partitions become full, then processes are not blocked. The records are discarded when the partitions are full, but the system still functions. The cnt policy keeps a count of the number of discarded audit records. The cnt policy should not be set if security is paramount, since unrecorded events can occur if the file system is full.

The following command enables the cnt policy:


# auditconfig -setpolicy +cnt

To maintain the policy across reboots, you should place the auditconfig -setpolicy +cnt command in the audit_startup file.

How to Enable Auditing

This task starts the auditing service. If the service has been configured, then rebooting the host also starts the service.

  1. Become superuser or assume an equivalent role.

  2. Bring the system into single-user mode.


    # /etc/telinit 1

    See the telinit(1M) man page for more information.

  3. Run the script to configure the system to run auditing.

    Go to the /etc/security directory, and execute the bsmconv script there. The script sets up a standard Solaris machine to run auditing after a reboot. See the bsmconv(1M) man page.


    # cd /etc/security
# ./bsmconv

  4. Bring the system into multiuser mode.


    # /etc/telinit 6

    The startup file /etc/security/audit_startup causes the audit daemon to run automatically when the system enters multiuser mode.

How to Disable Auditing

If auditing is no longer required at some point, you can disable the auditing subsystem by running the bsmunconv command. See the bsmconv(1M) man page.

  1. Become superuser or assume an equivalent role.

  2. Bring the system into single-user mode.


    # /etc/telinit 1

    See the telinit(1M) man page for more information.

  3. Run the script to disable auditing.

    Change to the /etc/security directory, and execute the bsmunconv script there.


    # cd /etc/security
# ./bsmunconv

  4. Bring the system into multiuser mode.


    # /etc/telinit 6