JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
man pages section 5: Standards, Environments, and Macros     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Introduction

Standards, Environments, and Macros

acl(5)

ad(5)

advance(5)

adv_cap_1000fdx(5)

adv_cap_1000hdx(5)

adv_cap_100fdx(5)

adv_cap_100hdx(5)

adv_cap_10fdx(5)

adv_cap_10hdx(5)

adv_cap_asym_pause(5)

adv_cap_autoneg(5)

adv_cap_pause(5)

adv_rem_fault(5)

ANSI(5)

architecture(5)

ars(5)

ascii(5)

attributes(5)

audit_binfile(5)

audit_flags(5)

audit_remote(5)

audit_syslog(5)

availability(5)

brands(5)

C++(5)

C(5)

cancellation(5)

cap_1000fdx(5)

cap_1000hdx(5)

cap_100fdx(5)

cap_100hdx(5)

cap_10fdx(5)

cap_10hdx(5)

cap_asym_pause(5)

cap_autoneg(5)

cap_pause(5)

cap_rem_fault(5)

charmap(5)

compile(5)

condition(5)

crypt_bsdbf(5)

crypt_bsdmd5(5)

crypt_sha256(5)

crypt_sha512(5)

crypt_sunmd5(5)

crypt_unix(5)

CSI(5)

datasets(5)

device_clean(5)

dhcp(5)

dhcp_modules(5)

environ(5)

eqnchar(5)

extendedFILE(5)

extensions(5)

fedfs(5)

filesystem(5)

fmri(5)

fnmatch(5)

formats(5)

fsattr(5)

grub(5)

gss_auth_rules(5)

hal(5)

iconv_1250(5)

iconv_1251(5)

iconv(5)

iconv_646(5)

iconv_852(5)

iconv_8859-1(5)

iconv_8859-2(5)

iconv_8859-5(5)

iconv_dhn(5)

iconv_koi8-r(5)

iconv_mac_cyr(5)

iconv_maz(5)

iconv_pc_cyr(5)

iconv_unicode(5)

ieee802.11(5)

ieee802.3(5)

ipfilter(5)

ipkg(5)

isalist(5)

ISO(5)

kerberos(5)

krb5_auth_rules(5)

krb5envvar(5)

KSSL(5)

kssl(5)

labels(5)

largefile(5)

ldap(5)

lf64(5)

lfcompile(5)

lfcompile64(5)

link_duplex(5)

link_rx_pause(5)

link_tx_pause(5)

link_up(5)

locale(5)

locale_alias(5)

lp_cap_1000fdx(5)

lp_cap_1000hdx(5)

lp_cap_100fdx(5)

lp_cap_100hdx(5)

lp_cap_10fdx(5)

lp_cap_10hdx(5)

lp_cap_asym_pause(5)

lp_cap_autoneg(5)

lp_cap_pause(5)

lp_rem_fault(5)

man(5)

mansun(5)

me(5)

mech_spnego(5)

mm(5)

ms(5)

MT-Level(5)

mutex(5)

MWAC(5)

mwac(5)

nfssec(5)

NIS+(5)

NIS(5)

nis(5)

nwam(5)

openssl(5)

pam_allow(5)

pam_authtok_check(5)

pam_authtok_get(5)

pam_authtok_store(5)

pam_deny(5)

pam_dhkeys(5)

pam_dial_auth(5)

pam_krb5(5)

pam_krb5_migrate(5)

pam_ldap(5)

pam_list(5)

pam_passwd_auth(5)

pam_pkcs11(5)

pam_rhosts_auth(5)

pam_roles(5)

pam_sample(5)

pam_smbfs_login(5)

pam_smb_passwd(5)

pam_tsol_account(5)

pam_tty_tickets(5)

pam_unix_account(5)

pam_unix_auth(5)

pam_unix_cred(5)

pam_unix_session(5)

pam_user_policy(5)

pam_zfs_key(5)

pkcs11_kernel(5)

pkcs11_kms(5)

pkcs11_softtoken(5)

pkcs11_tpm(5)

pkg(5)

POSIX.1(5)

POSIX.2(5)

POSIX(5)

privileges(5)

prof(5)

pthreads(5)

RBAC(5)

rbac(5)

regex(5)

regexp(5)

resource_controls(5)

sgml(5)

smf(5)

smf_bootstrap(5)

smf_method(5)

smf_restarter(5)

smf_security(5)

smf_template(5)

solaris10(5)

solaris(5)

solbook(5)

stability(5)

standard(5)

standards(5)

step(5)

sticky(5)

suri(5)

SUS(5)

SUSv2(5)

SUSv3(5)

SVID3(5)

SVID(5)

tecla(5)

teclarc(5)

term(5)

threads(5)

trusted_extensions(5)

vgrindefs(5)

wbem(5)

xcvr_addr(5)

xcvr_id(5)

xcvr_inuse(5)

XNS4(5)

XNS(5)

XNS5(5)

XPG3(5)

XPG4(5)

XPG4v2(5)

XPG(5)

zones(5)

ars

- receive Solaris audit logs from a remote server

Synopsis

/usr/sbin/auditd

Description

Audit Remote Server (ARS) is the counterpart of the audit_remote(5) plugin. Data sent by the plugin can be captured, processed, and stored by the server according to the its configuration.

ARS is delivered as a disabled Solaris audit component. It is necessary to configure ARS before it can be used to process a remote audit trail. ARS configuration is twofold:

To observe and configure the ARS, use the auditconfig(1M) -setremote and -getremote options. The configuration is divided between the configuration of server and group. The server configuration allows for changing common ARS parameters, while the group keyword allows configuration of connection groups, the sets of hosts sharing the same local storage parameters.

Server configuration attributes

listen_address

The address the server listens on. An empty listen_address attribute defaults to listen on all local addresses.

listen_port

The local listening port; 0 defaults to 16162, the port associated with the “solaris-audit” Internet service name. See services(4).

login_grace_time

The server disconnects after login grace time (in seconds) if the connection has not been successfully established; 0 defaults to no limit.

max_startups

The number of concurrent unauthenticated connections to the server at which the server starts refusing new connections. The value might be specified in begin:rate:full format to allow random early drop mode, for example 10:30:60, meaning that ARS would refuse connection attempts with a probability of rate/100 (30% in our example) if there are currently 10 (from the start field) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60 in our example).

Group configuration attributes

The binfile_dir, binfile_fsize, and binfile_minfree attributes follow the respective p_* attributes defined in audit_binfile(5). Brief descriptions follow.

binfile_dir

The directory for storing per host audit data.

binfile_fsize

The maximum size of each of the stored audit trail files; 0 defaults to no limit.

binfile_minfree

The minimum free space on file system with binfile_dir before the audit_binfile informs the administrator via audit_warn(1M); 0 defaults to no limit.

hosts

The hosts in the given connection group allowed to send audit data to server. A comma is a delimiter in case of multiple host entries. If hosts is empty, such connection group is called a wild card connection group. If a new connection cannot be classified to any other (non-wild card) connection group and there is an active wild card connection group configured, the new connection is classified to that connection group. Only one active wild card connection group can be configured.

For comprehensive configuration description and examples, see the section on Auditing in Oracle Solaris 11.1 Administration: Security Services.

Examples

Example 1 Audit Remote Server configuration

The following example describes steps to configure audit remote server to listen on specific address. One wild card and one non-wild card connection group will be created. The non-wild card connection group configuration will address remote audit data from tic.cz.example.com and tac.us.example.com, the trail will be stored in /var/audit/remote.

# Print the current audit remote server configuration.
# Both server and connection groups (if any) is displayed.
auditconfig -getremote

# Set address the audit remote server will listen on.
auditconfig -setremote server "listen_address=192.168.0.1"

# Create two connection groups. Note that by default the
# connection group is created with no hosts specified
# (wild card connection group).
auditconfig -setremote group create clockhouse
auditconfig -setremote group create sink

# Add hosts to the connection group (convert the wild card
# connection group no non-wild card one). Set the storage
# directory and activate the connection group.
auditconfig -setremote group active clockhouse \
    "hosts=tic.cz.example.com,tac.us.example.com,
    binfile_dir=/var/audit/remote"

# Activate the wild card connection group.
auditconfig -setremote group active sink

# Verify the audit remote server configuration.
auditconfig -getremote

# Start or refresh the audit service.
audit -s

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/core-os
Interface Stability
Committed

See Also

audit(1M), auditconfig(1M), auditd(1M), audit_warn(1M), services(4), attributes(5), audit_binfile(5), smf(5)

See the section on Auditing in Oracle Solaris 11.1 Administration: Security Services.

Notes

The audit service FMRI is svc:/system/auditd:default.