| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Network Services Authentication (Tasks)
17. Using Secure Shell (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
Part VII Auditing in Oracle Solaris
Cost of Increased Processing Time of Audit Data
You want to be selective about what kinds of activities are audited. At the same time, you want to collect useful audit information. You also need to carefully plan who to audit and what to audit. If you are using the default audit_binfile plugin, audit files can quickly grow to fill the available space, so you must allocate enough disk space.
The following task map points to the major tasks that are required for planning disk space and which events to record.
|
If your system contains non-global zones, the zones can be audited as the global zone is audited, or the audit service for each non-global zone can be configured, enabled, and disabled separately. For example, you could audit only the non-global zones, and not audit the global zone.
For a discussion of the trade-offs, see Auditing on a System With Oracle Solaris Zones.
Auditing all zones identically can create a single-image audit trail. A single-image audit trail occurs when you are using the audit_binfile or the audit_remote plugin, and all zones on a system are part of one administrative domain. The audit records can then be easily compared because the records in every zone are preselected with identical settings.
This configuration treats all zones as part of one system. The global zone runs the only audit service on a system and collects audit records for every zone. You customize the audit_class and audit_event files only in the global zone, then copy these files to every non-global zone.
Note - If naming service files are customized in non-global zones, and perzone policy is not set, then careful use of the audit tools is required to select usable records. A user ID in one zone can refer to a different user from the same ID in a different zone.
To put the zone name as part of the audit record, set the zonename policy in the global zone. The auditreduce command can then select audit events by zone from the audit trail. For an example, see the auditreduce(1M) man page.
To plan a single-image audit trail, refer to How to Plan Who and What to Audit. Start with the first step. The global zone administrator must also set aside storage, as described in How to Plan Storage for Audit Records.
Choose to configure per-zone auditing if different zones use different naming service databases, or if zone administrators want to control auditing in their zones.
Note - To audit non-global zones, the perzone policy must be set, but the audit service does not have to be enabled in the global zone. Non-global zone auditing is configured, and its audit service is enabled and disabled separately from the global zone.
When you configure per-zone auditing, you set the perzone audit policy in the global zone. If per-zone auditing is set before a non-global zone is first booted, auditing begins at the zone's first boot. To set audit policy, see How to Configure Per-Zone Auditing.
Each zone administrator configures auditing for the zone.
A non-global zone administrator can set all policy options except perzone and ahlt.
Each zone administrator can enable or disable auditing in the zone.
To generate records that can be traced to their originating zone during review, set the zonename audit policy.
To plan per-zone auditing, see How to Plan Who and What to Audit. You can skip the first step. If the audit_binfile plugin is active, each zone administrator must also set aside storage for every zone, as described in How to Plan Storage for Audit Records.
The audit_binfile plugin creates an audit trail. The audit trail requires dedicated file space. This space must be available and secure. The system uses the /var/audit file system for initial storage. You can configure additional audit file systems for audit files. The following procedure covers the issues that you must resolve when you plan for audit trail storage.
Before You Begin
If you are implementing non-global zones, complete How to Plan Auditing in Zones before using this procedure.
You are using the audit_binfile plugin.
Balance your site's security needs against the availability of disk space for the audit trail.
For guidance on how to reduce space requirements while still maintaining site security, as well as how to design audit storage, see Controlling Auditing Costs and Auditing Efficiently.
For practical steps, see How to Lessen the Volume of Audit Records That Are Produced, How to Compress Audit Files on a Dedicated File System, and Example 28-28.
Create a list of all the file systems that you plan to use. For configuration guidelines, see Storing and Managing the Audit Trail and the auditreduce(1M) man page. To specify the audit file systems, see How to Assign Audit Space for the Audit Trail.
For more information, see Ensuring Reliable Time Stamps.
Before You Begin
If you are implementing non-global zones, review How to Plan Auditing in Zones before using this procedure.
Note - This step applies only to the audit_binfile plugin.
Systems within a single administrative domain can create a single-system image audit trail. If your systems use different naming services, start with Step 2. Then, complete the rest of the planning steps for every system.
To create a single-system image audit trail for a site, every system in the installation should be configured as follows:
Use the same naming service for all systems.
For correct interpretation of the audit records, the passwd, group, and hosts files must be consistent.
Configure the audit service identically on all systems. For information about displaying and modifying the service settings, see the auditconfig(1M) man page.
Use the same audit_warn, audit_event, and audit_class files for all systems.
By default, only the cnt policy is enabled.
Use the auditconfig -lspolicy command to see a description of available policy options.
For the effects of the policy options, see Understanding Audit Policy.
For the effect of the cnt policy, see Audit Policies for Asynchronous and Synchronous Events.
To set audit policy, see How to Change Audit Policy.
In almost all situations, the default mapping is sufficient. However, if you add new classes, change class definitions, or determine that a record of a specific system call is not useful, you might want to modify event-to-class mappings.
For an example, see How to Change an Audit Event's Class Membership.
The best time to add audit classes or to change the default classes is before users log in to the system.
The audit classes that you preselect with the -setflags and -setnaflags options to the auditconfig command apply to all users and processes. You can preselect a class for success, for failure, or for both.
For the list of audit classes, read the /etc/security/audit_class file.
If you decide that some users should be audited differently from the system, use the audit_flags security attribute to the useradd, usermod, roleadd, or rolemod command. You can also use the profiles command to add this attribute to a rights profile in the prof_attr database. The user preselection mask is modified for users who use a rights profile with explicit audit flags.
For the procedure, see How to Configure a User's Audit Characteristics. For which audit flag values are in effect, see Order of Search for Assigned Security Attributes.
The audit_warn script is run whenever the audit system detects a situation that requires administrative attention. By default, the audit_warn script sends email to an audit_warn alias and sends a message to the console.
To set up the alias, see How to Configure the audit_warn Email Alias.
You have three choices.
By default, store binary audit records locally. The default storage directory is /var/audit. To further configure the audit_binfile plugin, see How to Create ZFS File Systems for Audit Files.
Stream binary audit records to a remote protected repository by using the audit_remote plugin. You must have a receiver for the files. For the procedure, see How to Send Audit Files to a Remote Repository.
Send audit record summaries to syslog by using the audit_syslog plugin. For the procedure, see How to Configure syslog Audit Logs.
For a comparison of binary and syslog formats, see Audit Logs.
Note - This step applies only to the audit_binfile plugin.
When disk space on an audit file system drops below the minimum free space percentage, or soft limit, the audit service switches to the next available audit directory. The service then sends a warning that the soft limit has been exceeded.
To set a minimum free space percentage, see Example 28-17.
Note - This step applies only to the audit_binfile plugin.
In the default configuration, the audit_binfile plugin is active, and the cnt policy is set. In this configuration, when the kernel audit queue is full, the system continues to work. The system counts the audit records that are dropped, but does not record the events. For greater security, you can disable the cnt policy, and enable the ahlt policy. The ahlt policy stops the system when an asynchronous event cannot be placed in the audit queue.
For a discussion of these policy options, see Audit Policies for Asynchronous and Synchronous Events. To configure these policy options, see Example 28-6.
However, if the audit_binfile queue is full, and the queue for another active plugin is not full, then the kernel queue will continue to send records to the plugin that is not full. When the audit_binfile queue can again accept records, the audit service will resume sending records to it.
Note - The cnt or ahlt policy is not triggered if the queue for at least one plugin is accepting audit records.
|