Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 10 8/11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Oracle Solaris Secure Shell (Tasks)
20. Oracle Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
Oracle Solaris Auditing (Task Map)
Configuring Audit Files (Task Map)
Configuring Audit Files (Tasks)
How to Modify the audit_control File
How to Configure syslog Audit Logs
How to Change a User's Audit Characteristics
How to Change an Audit Event's Class Membership
Configuring and Enabling the Audit Service (Task Map)
Configuring and Enabling the Audit Service (Tasks)
How to Create Partitions for Audit Files
How to Configure the audit_warn Email Alias
How to Enable the Audit Service
How to Disable the Audit Service
How to Update the Audit Service
Configuring the Audit Service in Zones (Tasks)
How to Configure All Zones Identically for Auditing
How to Configure Per-Zone Auditing
Managing Audit Records (Task Map)
How to Display Audit Record Formats
How to Merge Audit Files From the Audit Trail
How to Select Audit Events From the Audit Trail
How to View the Contents of Binary Audit Files
Troubleshooting Oracle Solaris Auditing (Tasks)
Troubleshooting Oracle Solaris Auditing (Task Map)
How to Determine That Oracle Solaris Auditing Is Running
How to Lessen the Volume of Audit Records That Are Produced
How to Audit All Commands by Users
How to Find Audit Records of Changes to Specific Files
How to Modify a User's Preselection Mask
How to Prevent the Auditing of Certain Events
How to Limit the Size of Binary Audit Files
How to Audit Logins From Other OSes
How to Audit FTP and SFTP File Transfers
By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.
To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The bsmrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.
The -a option lists all audit event record formats. The -h option puts the list in HTML format that can be displayed in a browser.
% bsmrecord -a -h > audit.events.html
When you display the *html file in a browser, use the browser's Find tool to find specific records.
For more information, see the bsmrecord(1M) man page.
Example 30-26 Displaying the Audit Record Formats of a Program
In this example, the format of all audit records that are generated by the login program are displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Oracle Solaris Secure Shell.
% bsmrecord -p login login: logout program various See login(1) event ID 6153 AUE_logout … newgrp program newgrp See newgrp login event ID 6212 AUE_newgrp_login … rlogin program /usr/sbin/login See login(1) - rlogin event ID 6155 AUE_rlogin … SMC: role login program SMC server See role login event ID 6173 AUE_role_login … /usr/lib/ssh/sshd program /usr/lib/ssh/sshd See login - ssh event ID 6172 AUE_ssh … telnet login program /usr/sbin/login See login(1) - telnet event ID 6154 AUE_telnet …
Example 30-27 Displaying the Audit Record Formats of an Audit Class
In this example, the format of all audit records in the fd class are displayed.
% bsmrecord -c fd rmdir system call rmdir See rmdir(2) event ID 48 AUE_RMDIR class fd (0x00000020) header path [attribute] subject [use_of_privilege] return unlink system call unlink See unlink(2) event ID 6 AUE_UNLINK … unlinkat system call unlinkat See openat(2) event ID 286 AUE_UNLINKAT …
By merging all audit files in all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file. The input files can then be deleted. When the output file is placed in a directory that is named /etc/security/audit/server-name/files, the auditreduce command can find the output file without your specifying the full path.
Note - This procedure applies only to binary audit records.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).
# mkdir audit-trail-directory
# chmod 700 audit-trail-directory # ls -la audit-trail-directory drwx------ 3 root sys 512 May 12 11:47 . drwxr-xr-x 4 root sys 1024 May 12 12:47 ..
Change directories to the audit-trail-directory and merge the audit records into a file with a named suffix. All directories that are listed in the dir lines of the audit_control file on the local system are merged.
# cd audit-trail-directory # auditreduce -Uppercase-option -O suffix
The uppercase options to the auditreduce command manipulate files in the audit trail. The uppercase options include the following:
Selects all of the files in the audit trail.
Selects complete files only. This option ignores files with the suffix not_terminated.
Selects files with a particular suffix. The suffix can be a machine name, or it can be a suffix that you have specified for a summary file.
Creates an audit file with 14-character timestamps for both the start time and the end time, with the suffix suffix in the current directory.
Example 30-28 Copying Audit Files to a Summary File
In the following example, the System Administrator role, sysadmin, copies all files from the audit trail into a merged file.
$ whoami sysadmin $ mkdir /var/audit/audit_summary.dir $ chmod 700 /var/audit/audit_summary.dir $ cd /var/audit/audit_summary.dir $ auditreduce -A -O All $ ls *All 20100827183214.20100827215318.All
In the following example, only complete files are copied from the audit trail into a merged file.
$ cd /var/audit/audit_summary.dir $ auditreduce -C -O Complete $ ls *Complete 20100827183214.20100827214217.Complete
In the following example, only complete files are copied from the example1 machine into a merged file.
$ cd /var/audit/audit_summary.dir $ auditreduce -M example1 -O example1summ $ ls *summ 20100827183214.20100827214217.example1summ
Example 30-29 Moving Audit Files to a Summary File
The -D option to the auditreduce command deletes an audit file when you copy it to another location. In the following example, the complete audit files from one system are copied to the summary directory for later examination.
$ cd /var/audit/audit_summary.dir $ auditreduce -C -O daily_example1 -D example1 $ ls *example1 20100827183214.20100827214217.daily_example1
The audit files from the example1 system that were the input to the *daily_example1 file are removed when this command successfully completes.
You can filter audit records for examination. For the complete list of filtering options, see the auditreduce(1M) man page.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).
auditreduce -lowercase-option argument [optional-file]
Specific argument that a lowercase option requires. For example, the -c option requires an argument of an audit class, such as ua.
Selects all of the events on a particular date. The date format for argument is yyymmdd. Other date options, -b and -a, select events before and after a particular date.
Selects all of the events attributable to a particular user. The argument is a user name. Another user option, -e, selects all of the events attributable to an effective user ID.
Selects all of the events in a preselected audit class. The argument is an audit class name.
Selects all of the instances of a particular audit event. The argument is an audit event.
Is the name of an audit file.
Example 30-30 Combining and Reducing Audit Files
The auditreduce command can eliminate the less interesting records as it combines the input files. For example, you might use the auditreduce command to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover the trail from backup media.
# cd /var/audit/audit_summary.dir # auditreduce -O lo.summary -b 20100827 -c lo; compress *lo.summary
Example 30-31 Copying na Audit Records to a Summary File
In this example, all the records of nonattributable audit events in the audit trail are collected into one file.
$ whoami sysadmin $ cd /var/audit/audit_summary.dir $ auditreduce -c na -O nasumm $ ls *nasumm 20100827183214.20100827215318.nasumm
The merged nasumm audit file is time stamped with the beginning and ending date of the na records.
Example 30-32 Finding Audit Events in a Specified Audit File
You can select audit files manually to search just the named set of files. For example, you can further process the *nasumm file in the previous example to find system boot events. To do so, you would specify the file name as the final argument to the auditreduce command.
$ auditreduce -m 113 -O systemboot 20100827183214.20100827215318.nasumm 20100827183214.20100827183214.systemboot
The 20100827183214.20100827183214.systemboot file contains only system boot audit events.
Example 30-33 Copying One User's Audit Records to a Summary File
In this example, the records in the audit trail that contain the name of a particular user are merged. The -e option finds the effective user. The -u option finds the audit user.
$ cd /var/audit/audit_summary.dir $ auditreduce -e tamiko -O tamiko
You can look for specific events in this file. In the following example, what time the user logged in and out on Sept 7, 2010, your time, is checked. Only those files with the user's name as the file suffix are checked. The short form of the date is yyyymmdd.
# auditreduce -M tamiko -O tamikolo -d 20100907 -u tamiko -c lo
Example 30-34 Copying Selected Records to a Single File
In this example, login and logout messages for a particular day are selected from the audit trail. The messages are merged into a target file. The target file is written in a directory other than the normal audit root directory.
# auditreduce -c lo -d 20100827 -O /var/audit/audit_summary.dir/logins # ls /var/audit/audit_summary.dir/*logins /var/audit/audit_summary.dir/20100827183936.20100827232326.logins
The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. The -x option is useful for further processing.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).
The following examples show praudit output from the same audit event. Audit policy has been set to include the sequence and trailer tokens.
The praudit -s command displays audit records in a short format, one token per line. Use the -l option to place each record on one line.
$ auditreduce -c lo | praudit -s header,101,2,AUE_rlogin,,example1,2010-10-13 11:23:31.050 -07:00 subject,jdoe,jdoe,staff,jdoe,staff,749,749,195 1234 server1 text,successful login return,success,0 sequence,1298
The praudit -r command displays audit records in their raw format, one token per line. Use the -l option to place each record on one line.
$ auditreduce -c lo | praudit -r 21,101,2,6155,0x0000,192.168.60.83,1062021202,64408258 36,2026700,2026700,10,2026700,10,749,749,195 1234 192.168.60.17 40,successful login 39,0,0 47,1298
The praudit -x command displays audit records in XML format, one token per line. Use the -l option to place the XML output for one record on one line.
$ auditreduce -c lo | praudit -x <record version="2" event="login - rlogin" host="example1" time="Wed Aug 27 14:53:22 PDT 2010" msec="64"> <subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe" rgid="staff" pid="749" sid="749" tid="195 1234 server1"/> <text>successful login</text> <return errval="success" retval="0"/> <sequence seq-num="1298"/> </record>
Example 30-35 Printing the Entire Audit Trail
With a pipe to the lp command, the output for the entire audit trail goes to the printer. The printer should have limited access.
# auditreduce | praudit | lp -d example.protected.printer
Example 30-36 Viewing a Specific Audit File
In this example, a summary login file is examined in a terminal window.
# cd /var/audit/audit_summary.dir/logins # praudit 20100827183936.20100827232326.logins | more
Example 30-37 Putting Audit Records in XML Format
In this example, the audit records are converted to XML format.
# praudit -x 20100827183214.20100827215318.logins > 20100827.logins.xml
The *xml file can be displayed in a browser. The contents of the file can be operated on by a script to extract the relevant information.
Troubleshooting
A message similar to the following indicates that you do not have enough privilege to use the praudit command:
praudit: Can't assign 20090408164827.20090408171614.example1 to stdin.
Occasionally, an audit daemon exits while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct timestamp.
# ls -R1t audit-directory*/files/* | grep not_terminated
Lists files in subdirectories.
Lists files from most recent to oldest.
Lists the files in one column.
Specify the name of the old file to the auditreduce -O command.
# auditreduce -O system-name old-not-terminated-file
# rm system-name old-not-terminated-file
Example 30-38 Cleaning Up Closed not_terminated Audit Files
In the following example, not_terminated files are found, renamed, then the originals are removed.
ls -R1t */files/* | grep not_terminated …/egret.1/20100908162220.not_terminated.egret …/egret.1/20100827215359.not_terminated.egret # cd */files/egret.1 # auditreduce -O egret 20100908162220.not_terminated.egret # ls -1t 20100908162220.not_terminated.egret Current audit file 20100827230920.20100830000909.egret Input (old) audit file 20100827215359.not_terminated.egret # rm 20100827215359.not_terminated.egret # ls -1t 20100908162220.not_terminated.egret Current audit file 20100827230920.20100830000909.egret Cleaned up audit file
The start timestamp on the new file reflects the time of the first audit event in the not_terminated file. The end timestamp reflects the time of the last audit event in the file.
If your security policy requires that all audit data be saved, do the following:
Archive audit files by backing up the files to offline media. You can also move the files to an archive file system.
If you are collecting text audit logs with the syslog utility, archive the text logs. For more information, see the logadm(1M) man page.
Archive information that is necessary to interpret audit records along with the audit trail.
You can extract summary files from the audit trail by using options to the auditreduce command. The summary files contain only records for specified types of audit events. To extract summary files, see Example 30-30 and Example 30-34.