Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 10 8/11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Oracle Solaris Secure Shell (Tasks)
20. Oracle Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
Oracle Solaris Auditing (Task Map)
Configuring Audit Files (Task Map)
Configuring Audit Files (Tasks)
How to Modify the audit_control File
How to Configure syslog Audit Logs
How to Change a User's Audit Characteristics
How to Change an Audit Event's Class Membership
Configuring and Enabling the Audit Service (Task Map)
Configuring and Enabling the Audit Service (Tasks)
How to Create Partitions for Audit Files
How to Configure the audit_warn Email Alias
How to Enable the Audit Service
How to Disable the Audit Service
How to Update the Audit Service
Managing Audit Records (Task Map)
How to Display Audit Record Formats
How to Merge Audit Files From the Audit Trail
How to Select Audit Events From the Audit Trail
How to View the Contents of Binary Audit Files
How to Clean Up a not_terminated Audit File
How to Prevent Audit Trail Overflow
Troubleshooting Oracle Solaris Auditing (Tasks)
Troubleshooting Oracle Solaris Auditing (Task Map)
How to Determine That Oracle Solaris Auditing Is Running
How to Lessen the Volume of Audit Records That Are Produced
How to Audit All Commands by Users
How to Find Audit Records of Changes to Specific Files
How to Modify a User's Preselection Mask
How to Prevent the Auditing of Certain Events
How to Limit the Size of Binary Audit Files
How to Audit Logins From Other OSes
How to Audit FTP and SFTP File Transfers
The audit service audits the entire system, including audit events in zones. A system that has installed non-global zones can audit all zones identically, or can control auditing per zone. For background, see Auditing on a System With Oracle Solaris Zones. To plan, see How to Plan Auditing in Zones.
This procedure enables audits every zone identically. This method requires the least computer overhead and administrative resources.
Do not enable perzone audit policy.
Do not enable the audit service. You enable the audit service after you have configured the non-global zones for auditing.
Copy any of the following files that you have edited: audit_class, audit_control, audit_event, audit_user. Do not copy audit_startup or audit_warn. You do not have to copy files that you have not edited.
You have two options. As superuser, you can copy the files, or loopback mount the files. The non-global zone must be running.
# ls /zone/zonename/etc/security/
# cp /etc/security/audit-file /zone/zonename/etc/security/audit-file
Later, if you modify an audit configuration file in the global zone, you re-copy the file to the non-global zones.
# zoneadm -z non-global-zone halt
# zonecfg -z non-global-zone add fs set special=/etc/security/audit-file set dir=/etc/security/audit-file set type=lofs add options [ro,nodevices,nosetuid] end exit
# zoneadm -z non-global-zone boot
You can also reboot the system.
Later, if you modify an audit configuration file in the global zone, you reboot the system to refresh the loopback-mounted files in the non-global zones.
Example 30-24 Loopback Mounting Audit Configuration Files
In this example, the system administrator has modified the audit_class, audit_event, audit_control, audit_user, audit_startup, and audit_warn files.
The audit_startup and audit_warn files are read in the global zone only, so do not have to be loopback mounted into the non-global zones.
On this system, machine1, the administrator has created two non-global zones, machine1–webserver and machine1–appserver. The administrator has finished customizing the audit configuration files. If the administrator later modifies the files, the system will be rebooted to make the changes effective.
# zoneadm -z machine1-webserver halt # zoneadm -z machine1-appserver halt # zonecfg -z machine1-webserver add fs set special=/etc/security/audit_class set dir=/etc/security/audit_class set type=lofs add options [ro,nodevices,nosetuid] end add fs set special=/etc/security/audit_event set dir=/etc/security/audit_event set type=lofs add options [ro,nodevices,nosetuid] end add fs set special=/etc/security/audit_control set dir=/etc/security/audit_control set type=lofs add options [ro,nodevices,nosetuid] end add fs set special=/etc/security/audit_user set dir=/etc/security/audit_user set type=lofs add options [ro,nodevices,nosetuid] end exit # zonecfg -z machine1-appserver add fs set special=/etc/security/audit_class set dir=/etc/security/audit_class set type=lofs add options [ro,nodevices,nosetuid] end ... exit
When the zones are rebooted, the audit configuration files are read-only in the zones.
This procedure enables separate zone administrators to control the audit service in their zone. For the complete list of policy options, see the auditconfig(1M) man page.
Add the perzone audit policy. For an example, see Example 30-18.
Do not enable the audit service. You enable the audit service after the non-global zones are configured for auditing.
Note - If you are planning to disable auditing in the non-global zone, you can skip this step. To disable auditing, see Example 30-25.
Specifically, do not add the perzone or ahlt policy to the non-global zone's audit_startup file. And do not run the bsmconv command from the non-global zone.
When the global zone reboots after auditing is configured, auditing is automatically enabled in your zone.
If the global zone administrator activates the perzone audit policy after the system is booted, individual zone administrators must enable auditing. For details, see Example 30-20.
For the procedure, see How to Enable the Audit Service.
Example 30-25 Disabling Auditing in a Non-Global Zone
This example works if the global zone has set the perzone audit policy. The zone administrator of the noaudit zone disables auditing for that zone. Because the administrator planned to disable auditing, she did not edit the audit configuration files.
noauditzone # svcadm disable svc:/system/auditd