System Administration Guide: Security Services Oracle Solaris 11 Express 11/10 |
30. Managing Oracle Solaris Auditing (Tasks)
The audit service audits the entire system, including audit events in zones. A system with non-global zones installed can audit all zones identically, or can control auditing per zone. For background, see Auditing on a System With Zones. To plan, see How to Plan Auditing in Zones.
When you audit the non-global zones exactly as the global zone is audited, the audit service runs in the global zone. The service collects audit records from the global zone and all the non-global zones. The non-global zone administrators might not have access to the audit records.
Note - The global zone administrator can choose to modify the audit masks of users in non-global zones.
When you audit the non-global zones individually, a separate audit service runs in each zone that is audited. Each zone collects its own audit records. The records are visible to the non-global zone and the global zone.
This procedure audits every zone identically. This method requires the least system overhead and the fewest administrative resources.
Complete the tasks in Configuring the Audit Service (Task Map), with the following exceptions:
Do not enable perzone audit policy.
Do not enable the audit service. You enable the audit service after you have configured the non-global zones for auditing.
Set the zonename policy. This policy adds the name of the zone to every audit record.
# auditconfig -setpolicy +zonename
If you modified the audit_class or audit_event file, copy it. Otherwise, skip this step.
You have two options: you can loopback mount the files, or you can copy the files. The non-global zone must be running.
To loopback mount the files, halt the non-global zone, add a read-only loopback mount for each modified file, then boot the zone:
# zoneadm -z non-global-zone halt
# zonecfg -z non-global-zone
add fs
set special=/etc/security/audit-file
set dir=/etc/security/audit-file
set type=lofs
add options [ro,nodevices,nosetuid]
end
commit
exit
# zoneadm -z non-global-zone boot
Later, if you modify an audit configuration file in the global zone, reboot the zone to refresh the loopback-mounted files in the non-global zones.
To copy the files, list the target directory in the zone, then copy each modified file into it:
# ls /zone/zonename/root/etc/security/
# cp /etc/security/audit-file /zone/zonename/root/etc/security/audit-file
Later, if you change one of these files in the global zone, re-copy the file to the non-global zones.
The non-global zones are audited when the audit service is enabled in the global zone.
Example 30-19 Loopback Mounting Audit Configuration Files
In this example, the system administrator has modified the audit_class, audit_event, and audit_warn files.
The audit_warn file is read in the global zone only, so does not have to be loopback mounted into the non-global zones.
On this system, machine1, the administrator has created two non-global zones, machine1-webserver and machine1-appserver. The administrator has finished modifying the audit configuration files. If the administrator later modifies the files, the zone must be rebooted to re-read the loopback mounts.
# zoneadm -z machine1-webserver halt
# zoneadm -z machine1-appserver halt
# zonecfg -z machine1-webserver
add fs
set special=/etc/security/audit_class
set dir=/etc/security/audit_class
set type=lofs
add options [ro,nodevices,nosetuid]
end
add fs
set special=/etc/security/audit_event
set dir=/etc/security/audit_event
set type=lofs
add options [ro,nodevices,nosetuid]
end
commit
exit
# zonecfg -z machine1-appserver
add fs
set special=/etc/security/audit_class
set dir=/etc/security/audit_class
set type=lofs
add options [ro,nodevices,nosetuid]
end
...
exit
When the non-global zones are rebooted, the audit_class and audit_event files are read-only in the zones.
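Example 30-19 applies the loopback mounts to two zones by hand. The following shell functions are an added example, not part of the guide: they generate the same zonecfg input for any set of modified files, reject audit_warn (which is read in the global zone only), and wrap the halt, zonecfg, boot sequence for one zone. The function names are hypothetical, and audit_lofs_apply assumes it runs in the global zone with the privileges the # prompt implies.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: build the zonecfg input that
# loopback-mounts modified audit configuration files read-only into a zone.

# Print zonecfg subcommands for each modified file to stdout.
# Usage: audit_lofs_cfg file...   (file is audit_class or audit_event)
audit_lofs_cfg() {
    for f in "$@"; do
        case "$f" in
        audit_class|audit_event) ;;
        *)  # audit_warn and anything else is not read inside non-global zones
            echo "audit_lofs_cfg: $f is not read inside non-global zones" >&2
            return 1 ;;
        esac
        printf 'add fs\n'
        printf 'set special=/etc/security/%s\n' "$f"
        printf 'set dir=/etc/security/%s\n' "$f"
        printf 'set type=lofs\n'
        printf 'add options [ro,nodevices,nosetuid]\n'
        printf 'end\n'
    done
    printf 'commit\nexit\n'
}

# Count the read-only lofs mounts in generated zonecfg input.
# Usage: audit_lofs_count < cfg
audit_lofs_count() {
    grep -c '^add options \[ro,nodevices,nosetuid\]$'
}

# Apply the mounts to one zone: halt, configure, boot.
# Usage: audit_lofs_apply zone file...
audit_lofs_apply() {
    zone=$1; shift
    cfg=$(audit_lofs_cfg "$@") || return 1
    zoneadm -z "$zone" halt || return 1
    printf '%s\n' "$cfg" | zonecfg -z "$zone" || return 1
    zoneadm -z "$zone" boot
}
```

Run audit_lofs_apply once per zone, for example in a loop over the zones that zoneadm list reports, to reproduce Example 30-19 without retyping the zonecfg session.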
This procedure enables separate zone administrators to control the audit service in their zone. For the complete list of policy options, see the auditconfig(1M) man page.
You must be assigned the Audit Configuration rights profile.
Complete the tasks in Configuring the Audit Service (Task Map).
Add the perzone audit policy. For the command, see Example 30-8.
You can enable the audit service in the global zone. You can also enable the audit service after the non-global zones are configured for auditing.
Note - If you are not planning to run auditing in your non-global zone, you can stop here.
When you configure the audit service in a non-global zone, do not add the perzone or ahlt policy to that zone.
The global zone administrator must enable the audit service for the system. For the procedure, see How to Enable the Audit Service. Then, in each non-global zone that is configured for auditing, the zone administrator enables the audit service in that zone:
myzone# audit -s
Example 30-20 Disabling Auditing in a Non-Global Zone
This example works if the global zone has set the perzone audit policy. The zone administrator of the noaudit zone disables auditing for that zone.
noauditzone # auditconfig -getcond
audit condition = auditing
noauditzone # audit -t
noauditzone # auditconfig -getcond
audit condition = noaudit
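Both procedures hinge on which policies the global zone has set (zonename without perzone for identical auditing, perzone for per-zone auditing) and on each zone's audit condition. The following helpers are an added example, not part of the guide: they parse auditconfig output into a model name and a condition so a script can check the setup before enabling the service. The function names are hypothetical; the "audit condition = ..." format is the one Example 30-20 shows, and the "configured audit policies = ..." line format for auditconfig -getpolicy is an assumption.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: classify the zone auditing
# model from auditconfig -getpolicy output and read a zone's audit condition.

# Print the comma-separated policy list from `auditconfig -getpolicy` on
# stdin. Prefers the "configured audit policies = ..." line (assumed format),
# falling back to any line that mentions audit policies.
audit_policy_list() {
    out=$(cat)
    line=$(printf '%s\n' "$out" | grep 'configured audit polic' | head -n 1)
    [ -n "$line" ] || line=$(printf '%s\n' "$out" | grep 'audit polic' | head -n 1)
    printf '%s\n' "${line#*= }"
}

# Return 0 if policy NAME is in the comma-separated list on stdin.
audit_policy_has() {
    tr ',' '\n' | grep -qx "$1"
}

# Print "perzone" (separate audit service per zone), "identical" (zonename
# set, no perzone) or "unset" (neither policy present).
# Usage: auditconfig -getpolicy | audit_zone_model
audit_zone_model() {
    list=$(audit_policy_list)
    if printf '%s\n' "$list" | audit_policy_has perzone; then
        echo perzone
    elif printf '%s\n' "$list" | audit_policy_has zonename; then
        echo identical
    else
        echo unset
    fi
}

# Print the condition word from `auditconfig -getcond` output on stdin,
# e.g. "auditing" or "noaudit" as in Example 30-20.
audit_cond() {
    sed -n 's/^audit condition = //p' | head -n 1
}

# Constructed sample outputs used for offline checking.
SAMPLE_POLICY_IDENTICAL='configured audit policies = cnt,zonename
active audit policies = cnt,zonename'
SAMPLE_POLICY_PERZONE='configured audit policies = cnt,perzone,zonename'
SAMPLE_COND_OFF='audit condition = noaudit'
```

Inside a non-global zone, a check such as `auditconfig -getcond | audit_cond` tells a zone administrator whether audit -s is still needed after the global zone has set perzone.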