This section covers the tasks that are required to configure and enable the auditing service. The following task map describes the tasks that are required to configure the auditing service.
Task |
Description |
For Instructions |
---|---|---|
1. (Optional) Change the audit configuration files |
Selects which events, classes, and users require auditing. | |
2. Create audit partitions |
Creates the partitions for the audit files. | |
3. Create the audit_warn alias |
Defines who should get email warnings. | |
4. (Optional) Change audit policies |
Defines additional audit records or auditing conditions. | |
5. Enable auditing |
Turns on auditing. | |
6. (Optional) Disable auditing |
Turns off auditing. | |
7. (Optional) Start device allocation |
Selects which removable media should be accessed in a more secure mode. |
The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.
Become superuser or assume an equivalent role.
Determine the amount of disk space that is required.
Assign at least 200 Mbytes of disk space per host. However, the disk space requirements are based on how much auditing you perform. So, your requirements might be far greater than this figure. Remember to include a partition for a directory of last resort.
Create dedicated audit partitions, as needed.
This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see “Creating a UFS File System” in System Administration Guide: Basic Administration.
# newfs /dev/rdsk/cwtxdysz |
where /dev/rdsk/cwtxdysz is the raw device name for the partition.
If the local host is to be audited, create an audit directory of last resort for the local host as well.
Create mount points for each new partition.
# mkdir /var/audit/server-name.n |
Where server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.
Add entries to automatically mount the new partitions.
Add a line to the /etc/vfstab file that resembles the following:
/dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n ufs 2 yes |
(Optional) Remove the minimum free space threshold on each partition.
If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.
# tunefs -m 0 /var/audit/server-name.n |
Mount the new audit partitions.
# mount /var/audit/server-name.n |
Create audit directories on the new partitions.
# mkdir /var/audit/server-name.n/files |
Correct the permissions on the mount points and new directories.
# chmod -R 750 /var/audit/server-name.n/files |
(Optional) On a file server, define the file systems to be made available to other hosts.
Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file.
share -F nfs /var/audit/server-name.n/files |
(Optional) On a file server, restart the NFS service.
If this command is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart the daemons. Refer to “Setting Up NFS Services” in System Administration Guide: Resource Management and Network Services for more information about the NFS service.
# /etc/init.d/nfs.server stop # /etc/init.d/nfs.server start |
All systems that run the auditing subsystem should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Since this file system is only used locally, none of the steps for a file server are followed.
# newfs /dev/rdsk/c0t2d0 # mkdir /var/audit/egret # grep egret /etc/vfstab /dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret ufs 2 yes - # tunefs -m 0 /var/audit/egret # mount /var/audit/egret # mkdir /var/audit/egret/files # chmod -R 750 /var/audit/egret/files |
In this example, a new file system is created on two new disks that are to be used by other systems in the network.
# newfs /dev/rdsk/c0t2d0 # newfs /dev/rdsk/c0t2d1 # mkdir /var/audit/egret.1 # mkdir /var/audit/egret.2 # grep egret /etc/vfstab /dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret.1 ufs 2 yes - /dev/dsk/c0t2d1s1 /dev/rdsk/c0t2d1s1 /var/audit/egret.2 ufs 2 yes - # tunefs -m 0 /var/audit/egret.1 # tunefs -m 0 /var/audit/egret.2 # mount /var/audit/egret.1 # mount /var/audit/egret.2 # mkdir /var/audit/egret.1/files # mkdir /var/audit/egret.2/files # chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files # grep egret /etc/dfs/dfstab share -F nfs /var/audit/egret.1/files share -F nfs /var/audit/egret.2/files # /etc/init.d/nfs.server stop # /etc/init.d/nfs.server start |
The audit_warn script generates mail to an alias that is called audit_warn. To send this mail to a valid email address, you can follow either of the following options:
Become superuser or assume an equivalent role.
Configure the audit_warn mail alias.
Replace the audit_warn alias with another mail account in the audit_warn script.
After you replace audit_warn with the root account, the line that sends the email message would resemble the following:
/usr/ucb/mail -s "$SUBJECT" root |
Ten lines in the audit_warn script require this change.
Redirect the audit_warn email to another mail account.
In this case, you would add the audit_warn alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn alias:
audit_warn: root |
Audit policies determine the characteristics of the audit records for the local host. By default, all audit policies are disabled. You need to enable any audit policies that you want to use. For a description of each policy, see Audit Policies.
You can inspect, enable, or disable the current audit policy with the auditon() system call at the program level. Or, to do the same task, you can run the auditconfig command. You can also modify the policy options to the auditconfig command in the audit_startup script to make more permanent audit policy changes.
Become superuser or assume an equivalent role.
(Optional) Review the existing audit policies.
Ensure that you are aware of all the policies that are being used before you change any policies. The following command lists the enabled policies:
# auditconfig -lspolicy |
Enable or disable the audit policy.
# auditconfig -setpolicy flagpolicyname |
A flag value of + enables the policy. A flag value of - disables the policy.
Selects the policy to be enabled or to be disabled.
The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.
The cnt policy can be set so that if the audit partitions become full, then processes are not blocked. The records are discarded when the partitions are full, but the system still functions. The cnt policy keeps a count of the number of discarded audit records. The cnt policy should not be set if security is paramount, since unrecorded events can occur if the file system is full.
The following command enables the cnt policy:
# auditconfig -setpolicy +cnt |
To maintain the policy across reboots, you should place the auditconfig -setpolicy +cnt command in the audit_startup file.
This task starts the auditing service. If the service has been configured, then rebooting the host also starts the service.
Become superuser or assume an equivalent role.
Bring the system into single-user mode.
# /etc/telinit 1 |
See the telinit(1M) man page for more information.
Run the script to configure the system to run auditing.
Go to the /etc/security directory, and execute the bsmconv script there. The script sets up a standard Solaris machine to run auditing after a reboot. See the bsmconv(1M) man page.
# cd /etc/security # ./bsmconv |
Bring the system into multiuser mode.
# /etc/telinit 6 |
The startup file /etc/security/audit_startup causes the audit daemon to run automatically when the system enters multiuser mode.
If auditing is no longer required at some point, you can disable the auditing subsystem by running the bsmunconv command. See the bsmconv(1M) man page.
Become superuser or assume an equivalent role.
Bring the system into single-user mode.
# /etc/telinit 1 |
See the telinit(1M) man page for more information.
Run the script to disable auditing.
Change to the /etc/security directory, and execute the bsmunconv script there.
# cd /etc/security # ./bsmunconv |
Bring the system into multiuser mode.
# /etc/telinit 6 |