System Administration Guide: Security Services Oracle Solaris 11 Express 11/10 |
Auditing is a Service Management Facility (SMF) service. The service is configured by the auditconfig command and enabled by the audit -s command. If the perzone audit policy is set in the global zone, zone administrators can enable, refresh, and disable the service in their non-global zones.
This procedure enables the audit service for all zones. To start the audit service in a non-global zone, see Example 30-21.
You must be assigned the Audit Control rights profile.
You can enable auditing after completing the following tasks:
Planning – Planning Oracle Solaris Auditing (Task Map)
Configuring – Configuring the Audit Service (Task Map)
Setting audit policies – How to Change Audit Policy
Configuring who receives audit warning messages – How to Configure the audit_warn Email Alias
Configuring storage – Configuring Audit Logs
Note - Host name translation must be working correctly for auditing to function. The hosts database in the naming services must be correctly configured and functioning. Minimally, the software must be able to map the nodename to an IP address. This can be done by configuring the /etc/hosts file.
For configuration of the hosts database, see the nsswitch.conf(4) and netconfig(4) man pages. For additional information, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
# audit -s
For more information, see the audit(1M) and auditd(1M) man pages.
# auditconfig -getcond
audit condition = auditing
Example 30-21 Enabling Auditing in a Non-Global Zone
In this example, the zone1 non-global zone is booted after the following actions are taken:
The global zone administrator sets the perzone policy in the global zone and enables auditing.
The zone administrator of the non-global zone configures the audit service and per-user exceptions.
Then, the zone administrator enables the audit service for the zone.
zone1# audit -s
This procedure shows how to disable auditing in the global zone and in a non-global zone when the perzone audit policy is set.
If the audit service is no longer required, this procedure returns the system to the state it was in before auditing was enabled.
If the perzone audit policy is not set, auditing is disabled for all zones.
If the perzone audit policy is set in the global zone, the policy remains in effect in the non-global zones that have enabled auditing.
Because the perzone policy is set in the global zone, the non-global zone continues to collect audit records across global zone reboots and non-global zone reboots.
You must be assigned the Audit Control rights profile.
For more information, see the audit(1M) and auditd(1M) man pages.
# audit -t
If the perzone audit policy is set in the global zone, the non-global zone administrator disables the service in the non-global zone.
zone1# audit -t
This procedure updates the audit service when you have made configuration changes after the audit service is enabled.
You must be assigned the Audit Control rights profile.
# audit -s
You must run this command if you run the auditconfig -setplugin command.
Note - When you refresh the audit service, all temporary configuration settings are lost. Audit policy and queue controls allow temporary settings. For more information, see the auditconfig(1M) man page.
Audit records are generated based on the audit preselection mask that is associated with each process. Refreshing the audit service does not change the masks of existing processes. To explicitly reset the preselection mask for an existing process, see How to Update a User's Preselection Mask.
Example 30-22 Refreshing an Enabled Audit Service
In this example, the administrator reconfigures auditing, verifies the changes, then refreshes the audit service.
First, the administrator adds a temporary policy.
# auditconfig -t -setpolicy +zonename
# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone,zonename
Then, the administrator specifies queue controls.
# auditconfig -setqctrl 200 20 0 0
# auditconfig -getqctrl
configured audit queue hiwater mark (records) = 200
configured audit queue lowater mark (records) = 20
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 20
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
Then, the administrator specifies plugin attributes.
For the audit_binfile plugin, the administrator removes the qsize value.
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)
Attributes: p_dir=/audit/example1/files,/var/audit;p_minfree=2;p_fsize=3072000;
Queue size: 200
# auditconfig -setplugin audit_binfile active "" ""
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)
Attributes: p_dir=/audit/example1/files,/var/audit;p_minfree=2;p_fsize=3072000;
For the audit_syslog plugin, the administrator specifies that successful login and logout events and failed executables be sent to syslog. The qsize for this plugin is set to 50.
# auditconfig -setplugin audit_syslog active p_flags=+lo,-ex 50
# auditconfig -getplugin audit_syslog
Plugin: audit_syslog (active)
Attributes: p_flags=+lo,-ex;
Queue size: 50
The administrator does not configure or use the audit_remote plugin.
Then, the administrator refreshes the audit service and verifies the configuration.
The temporary zonename policy is no longer set.
# audit -s
# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone
The queue controls remain the same.
# auditconfig -getqctrl
configured audit queue hiwater mark (records) = 200
configured audit queue lowater mark (records) = 20
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 20
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
The audit_binfile plugin does not have a specified queue size. The audit_syslog plugin has a specified queue size.
# auditconfig -getplugin
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=3072000;p_minfree=2;
Plugin: audit_syslog (active)
Attributes: p_flags=+lo,-ex;
Queue size: 50
...
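The note on refreshing (temporary policy and queue-control settings are lost on audit -s) and Example 30-22 suggest a pre-refresh check. The following POSIX shell script is an added example, not part of the Oracle guide: it parses the text that auditconfig -getpolicy and auditconfig -getqctrl print and lists the settings that are active but not configured, which are exactly the ones a refresh discards. The sample outputs are constructed from the shape shown in Example 30-22; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): list the temporary audit settings
# that `audit -s` will discard, by comparing the "active" and "configured"
# lines printed by auditconfig -getpolicy and auditconfig -getqctrl.

# Constructed sample outputs, modelled on Example 30-22 (the queue values were
# chosen so that two controls differ between configured and active).
SAMPLE_POLICY='configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone,zonename'

SAMPLE_QCTRL='configured audit queue hiwater mark (records) = 100
configured audit queue lowater mark (records) = 10
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 20
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20'

# Print, one per line, the policies set with `auditconfig -t -setpolicy`:
# present in the active list but absent from the configured list.
temporary_policies() {        # stdin: output of auditconfig -getpolicy
    _out=$(cat)
    _conf=",$(printf '%s\n' "$_out" | sed -n 's/^configured audit policies = //p'),"
    printf '%s\n' "$_out" | sed -n 's/^active audit policies = //p' | tr ',' '\n' |
    while read -r _p; do
        case "$_conf" in
            *",$_p,"*) ;;                    # also configured: survives audit -s
            *) printf '%s\n' "$_p" ;;        # temporary: lost on audit -s
        esac
    done
}

# Print each queue control whose active value differs from its configured value.
temporary_qctrl() {           # stdin: output of auditconfig -getqctrl
    _out=$(cat)
    printf '%s\n' "$_out" | sed -n 's/^active audit queue \(.*\) = \(.*\)$/\1=\2/p' |
    while IFS='=' read -r _name _active; do
        _confval=$(printf '%s\n' "$_out" | sed -n "s/^configured audit queue $_name = //p")
        [ "$_confval" = "$_active" ] ||
            printf '%s: configured %s, active %s\n' "$_name" "$_confval" "$_active"
    done
}

# Stand-alone run on the constructed samples. On a live system, pipe the real
# commands instead:  auditconfig -getpolicy | temporary_policies
printf '%s\n' "$SAMPLE_POLICY" | temporary_policies
printf '%s\n' "$SAMPLE_QCTRL" | temporary_qctrl
```

Run it before audit -s; if it prints anything, those are the settings that must be made permanent (without -t, or with auditconfig -setqctrl) if they are still wanted after the refresh.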