Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 11 Express 11/10 |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Oracle Solaris Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Solaris Secure Shell (Tasks)
20. Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
Oracle Solaris Auditing (Task Map)
Configuring the Audit Service (Tasks)
Configuring the Audit Service (Task Map)
How to Display Audit Service Defaults
How to Preselect Audit Classes
How to Configure a User's Audit Characteristics
How to Change Audit Queue Controls
How to Configure the audit_warn Email Alias
How to Change an Audit Event's Class Membership
How to Create ZFS File Systems for Audit Files
How to Assign Audit Space for the Audit Trail
Configuring the Audit Service in Zones (Tasks)
How to Configure All Zones Identically for Auditing
How to Configure Per-Zone Auditing
Enabling and Disabling the Audit Service (Tasks)
How to Enable the Audit Service
How to Disable the Audit Service
How to Refresh the Audit Service
Managing Audit Records on Local Systems (Tasks)
Managing Audit Records on Local Systems (Task Map)
How to Display Audit Record Definitions
How to Merge Audit Files From the Audit Trail
How to Select Audit Events From the Audit Trail
How to View the Contents of Binary Audit Files
How to Clean Up a not_terminated Audit File
How to Prevent Audit Trail Overflow
Troubleshooting the Audit Service (Tasks)
Troubleshooting the Audit Service (Task Map)
How to Determine That Oracle Solaris Auditing Is Running
How to Lessen the Volume of Audit Records That Are Produced
How to Audit All Commands by Users
How to Find Audit Records of Changes to Specific Files
How to Update a User's Preselection Mask
How to Prevent the Auditing of Specific Events
How to Limit the Size of Binary Audit Files
How to Compress Audit Files on a Dedicated File System
How to Audit Logins From Other Operating Systems
How to Audit FTP and SFTP File Transfers
Each plugin sends audit logs to a different location. The audit_binfile plugin sends records in binary format to local storage. The audit_remote plugin sends an audit record stream to a remote repository. The audit_syslog plugin sends a text summary of the audit record to syslog. By default, audit_binfile is the only active plugin.
The following task map points to the procedures for configuring audit logs for the various plugins. All tasks are optional.
|
The following procedure shows how to create a ZFS pool for audit files, as well as the corresponding file systems and mount point. By default, the /var/audit directory holds audit files for the audit_binfile plugin.
You must be assigned the ZFS File System Management and ZFS Storage Management rights profiles. The latter profile enables you to create storage pools.
For more information, see How to Obtain Administrative Rights.
Assign at least 200 MBs of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local audit directory of last resort.
The zpool create command creates a storage pool that is a container for the ZFS file systems. For more information, see What Is ZFS? in Oracle Solaris ZFS Administration Guide.
# zpool create audit-pool mirror disk1 disk2
For example, create the auditp pool from two disks, c3t1d0 c3t2d0, and mirror them.
# zpool create auditp mirror c3t1d0 c3t2d0
You create the file system and mount point with one command. At creation, the file system is mounted.
# zfs create -o mountpoint=/mountpoint audit-pool/mountpoint
For example, create the /audit mount point for the auditf file system:
# zfs create -o mountpoint=/audit auditp/auditf
# zfs create -p auditp/auditf/system/files
For example, create a ZFS file system for the sys1 system.
# zfs create -p auditp/auditf/sys1/files
You can set ZFS quotas on file systems. These quotas are used by the audit_warn alias to notify you when the space is filling up.
# zfs create -p auditp/auditf/sys1.1/files # zfs create -p auditp/auditf/sys1.2/files
The following ZFS properties are set to off for all file systems in the pool:
# zfs set devices=off auditp/auditf # zfs set exec=off auditp/auditf # zfs set setuid=off auditp/auditf
Typically, compression is set on file systems. However, because all the file systems in this pool contain audit files, compression is set at the pool level.
# zfs set compression=on auditp
In this scenario, when the both disks in the auditp pool are almost full, the audit_warn script notifies the audit administrator.
For example, set a quota on the auditf file system.
# zfs set quota=510G auditp/auditf
In this scenario, when an auditp/auditf/system file system is filling up, the audit_warn script notifies the audit administrator.
# zfs set quota=170G auditp/auditf/sys1 # zfs set quota=170G auditp/auditf/sys1.1 # zfs set quota=165G auditp/auditf/sys1.2
Note - If you have set a quota on the parent audit file system, quotas on the descendant file systems impose an additional limit.
By default, an audit file can grow to the size of the pool. For manageability, set a limit to the size of a file. See Example 30-13.
Example 30-12 Setting a Quota on the /var/audit Directory
In this example, the administrator sets a quota on the default audit file system. When this quota is reached, the audit_warn script warns the audit administrator.
# zfs set quota=252G /var/audit
In this procedure, you use attributes to the audit_binfile plugin to assign additional disk space to the audit trail.
You must be assigned the Audit Configuration rights profile.
For more information, see How to Obtain Administrative Rights.
Read the OBJECT ATTRIBUTES section of the audit_binfile(5) man page.
# man audit_binfile ... OBJECT ATTRIBUTES The p_dir attribute specifies where the audit files will be created. The directories are listed in the order in which they are to be used. The p_minfree attribute defines the percentage of free space that the audit system requires before the audit daemon invokes the audit_warn script. The p_fsize attribute defines the maximum size in bytes that an audit file can become before it is automatically closed and a new audit file opened. ...
The default directory is /var/audit.
# auditconfig -setplugin audit_binfile active p_dir=/audit/example1/files,/var/audit
The preceding command sets the /audit/example1/files directory as the primary directory for audit files, and the default /var/audit directory as the secondary directory. In this scenario, the /var/audit directory is the directory of last resort. For this configuration to succeed, the /audit/example1/files directory must exist.
You created this directory in How to Create ZFS File Systems for Audit Files.
The auditconfig -setplugin command sets the configured value. This value is a property of the audit service, so is restored when the service is refreshed or restarted. The configured value becomes active when the audit service is refreshed or restarted. For information about configured and active values, see the auditconfig(1M) man page.
# audit -s
Example 30-13 Limiting File Size for the audit_binfile Plugin
In the following example, the size of a binary audit file is set to a specific size. The size is specified in bytes.
# auditconfig -setplugin audit_binfile active p_fsize=1024000 # auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=1024000;p_minfree=0;
The default value, 0, places no limit on the size of an audit file. To manage smaller file sizes, the administrator specifies a file size limit of 1MB. The audit service creates a new file when the size limit is reached. The file size limit goes into effect when the administrator refreshes the audit service.
# audit -s
Example 30-14 Specifying Several Changes to an Audit Plugin
In the following example, the administrator changes the queue size, the binary file size, and the soft limit warning for the audit_binfile plugin. The default queue size is the hiwater mark for the kernel audit queue, 100, as in active audit queue hiwater mark (records) = 100.
# auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=1024000;p_minfree=0; # auditconfig -setplugin audit_binfile active "p_minfree=2;p_fsize=3072000" 200 # auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=3072000;p_minfree=2; Queue size: 200
The changed specifications go into effect when the administrator refreshes the audit service.
# audit -s
Example 30-15 Removing Queue Size for an Audit Plugin
In the following example, the queue size for the audit_binfile plugin is removed.
# auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=3072000;p_minfree=2; Queue size: 200 # auditconfig -setplugin audit_binfile active "" "" # auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=3072000;p_minfree=2;
The change in qsize specification for the plugin goes into effect when the administrator refreshes the audit service.
# audit -s
Example 30-16 Setting a Soft Limit for Warnings
In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when one percent of the file system is still available.
# auditconfig -setplugin audit_binfile active p_minfree=1
The default percentage is zero (0). For a large ZFS pool, choose a reasonably low percentage. For example, 10 percent of a 16 TB pool is around 16 GBs, which would warn the audit administrator when plenty of disk space remains. A value of 1 sends the audit_warn message when about one GB of disk space remains.
The audit_warn alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.
For a large pool, the administrator also limits the file size to 3GB.
# auditconfig -setplugin audit_binfile active p_fsize=3076000
The p_minfree and p_fsize specifications for the plugin go into effect when the administrator refreshes the audit service.
# audit -s
In this procedure, you use attributes to the audit_remote plugin to send the audit trail to a remote audit repository.
You must have a receiver of audit files at your remote repository. You must be assigned the Audit Configuration rights profile.
For more information, see How to Obtain Administrative Rights.
Read the OBJECT ATTRIBUTES section of the audit_remote(5) man page.
# man audit_remote ... OBJECT ATTRIBUTES The p_hosts attribute specifies the remote servers. You can also specify the port number and the GSS-API mechanism. The p_retries attribute specifies the number of retries for connecting and sending data. The default is 3. The p_timeout attribute specifies the number of seconds in which a connection times out.
The default port is the solaris_audit IANA-assigned port, port 16162/tcp. The default mechanism is kerberos-v5. The timeout default is 5 seconds. You can also specify a queue size for the plugin.
# auditconfig -setplugin audit_remote active p_hosts=rhost1:16088:kerberos_v5
# auditconfig -setplugin audit_remote active p_retries=5
# auditconfig -setplugin audit_remote active p_timeout=3
The audit service reads the audit plugin change upon refresh.
# audit -s
You can instruct the audit service to copy some or all of the audit records in the audit queue to syslog. In the following procedure, you save binary audit data and text summaries.
To configure the audit_syslog plugin, you must be assigned the Audit Configuration rights profile. To configure syslog, you must be in the root role.
Note - These classes must be preselected as either system defaults, or in a user's audit_flags attribute. Records are not collected for a class that is not preselected.
# auditconfig -setplugin audit_syslog active p_flags=lo,+as,-ss
The entry includes the location of the log file.
# cat /etc/syslog.conf … audit.notice /var/adm/auditlog
# touch /var/adm/auditlog
# svcadm refresh system/system-log
The audit service reads the changes to the audit plugin upon refresh.
# audit -s
The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.
Example 30-17 Specifying Audit Classes for syslog Output
In the following example, the syslog utility collects a subset of the preselected audit classes. The pf class is created in Example 30-10.
# auditconfig -setnaflags lo,na # auditconfig -setflags lo,ss # usermod -K audit_flags=pf:no jdoe # auditconfig -setplugin audit_syslog active p_flags=lo,-na,-ss,+pf
The arguments to the auditconfig command instruct the system to collect all login/logout, non-attributable, and change of system state audit records. The audit_syslog plugin entry instructs the syslog utility to collect only failed logins, failed non-attributable events, and failed changes of system state.
For the jdoe user, the binary audit record includes all uses of a call to the pfexec command. For these events to be available for post-selection, either the audit_binfile or the audit_remote plugin must be active. The syslog utility collects successful calls to the pfexec command.
Example 30-18 Putting syslog Audit Records on a Remote System
You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is example1. The remote system is remote1.
example1 # cat /etc/syslog.conf … audit.notice @remote1
The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.
remote1 # cat /etc/syslog.conf … audit.notice /var/adm/auditlog