Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 10 1/13 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Secure Shell (Tasks)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Auditing in Oracle Solaris
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
31. Oracle Solaris Auditing (Reference)
Files Used in the Audit Service
Rights Profiles for Administering Auditing
Auditing and Oracle Solaris Zones
Conventions for Binary Audit File Names
Each audit token has a token type identifier, which is followed by data that is specific to the token. Each token type has its own format. The following table shows the token names with a brief description of each token. Obsolete tokens are maintained for compatibility with previous Solaris releases.
Table 31-4 Audit Tokens for Oracle Solaris Auditing
|
An audit record always begins with a header token. The header token indicates where the audit record begins in the audit trail. In the case of attributable events, the subject and the process tokens refer to the values of the process that caused the event. In the case of nonattributable events, the process token refers to the system.
The acl token records information about Access Control Lists (ACLs).
The acl token consists of four fixed fields:
A token ID that identifies this token as an acl token
A field that specifies the ACL type
An ACL value field
A field that lists the permissions associated with this ACL
The praudit -x command shows the fields of the acl token:
<acl type="1" value="root" mode="6"/>
The arbitrary token encapsulates data for the audit trail. This token consists of four fixed fields and an array of data. The fixed fields are as follows:
A token ID that identifies this token as an arbitrary token
A suggested print format field, such as hexadecimal
An item size field that specifies the size of the data that is encapsulated, such as short
A count field that provides the number of following items
The remainder of the token is composed of count of the specified type. The praudit command displays the arbitrary token as follows:
arbitrary,decimal,int,1 42
The following table shows the possible values of the print format field.
Table 31-5 Values for the arbitrary Token's Print Format Field
|
The following table shows the possible values of the item size field.
Table 31-6 Values for the arbitrary Token's Item Size Field
|
The arg token contains information about the arguments to a system call: the argument number of the system call, the argument value, and an optional description. This token allows a 32-bit integer system-call argument in an audit record.
The arg token has five fields:
A token ID that identifies this token as an arg token
An argument ID that tells which system call argument that the token refers to
The argument value
The length of the descriptive text string
The text string
The praudit -x command shows the fields of the arg token:
<argument arg-num="2" value="0x0" desc="new file uid"/>
The attribute token contains information from the file vnode.
The attribute token has seven fields:
A token ID that identifies this token as an attribute token
The file access mode and type
The owner user ID
The owner group ID
The file system ID
The node ID
The device ID that the file might represent
For further information about the file system ID and the device ID, see the statvfs(2) man page.
The attribute token usually accompanies a path token. The attribute token is produced during path searches. If a path-search error occurs, there is no vnode available to obtain the necessary file information. Therefore, the attribute token is not included as part of the audit record. The praudit -x command shows the fields of the attribute token:
<attribute mode="100644" uid="adm" gid="adm" fsid="136" nodeid="2040" device="0"/>
The cmd token records the list of arguments and the list of environment variables that are associated with a command.
The cmd token contains the following fields:
A token ID that identifies this token as a cmd token
A count of the command's arguments
The argument list
The length of the next field
The content of the arguments
A count of the environment variables
The list of environment variables
The length of the next field
The content of the environment variables
The praudit -x command shows the fields of the cmd token. The following is a truncated cmd token. The line is wrapped for display purposes.
<cmd><arge>WINDOWID=6823679</arge> <arge>COLORTERM=gnome-terminal</arge> <arge>...LANG=C</arge>...<arge>HOST=machine1</arge> <arge>LPDEST=printer1</arge>...</cmd>
The exec_args token records the arguments to an exec() system call. The exec_args token has two fixed fields:
A token ID field that identifies this token as an exec_args token
A count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of count strings. The praudit -x command shows the fields of the exec_args token:
<exec_args><arg>/usr/bin/sh</arg><arg>/usr/bin/hostname</arg></exec_args>
Note - The exec_args token is output only when the argv audit policy option is active.
The exec_env token records the current environment variables to an exec() system call. The exec_env token has two fixed fields:
A token ID field that identifies this token as an exec_env token
A count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of count strings. The praudit -x command shows the fields of the exec_env token. The line is wrapped for display purposes.
<exec_env><env>_=/usr/bin/hostname</env> <env>DTXSERVERLOCATION=local</env><env>SESSIONTYPE=altDt</env> <env>LANG=C</env><env>SDT_NO_TOOLTALK=1</env><env>SDT_ALT_HELLO=/bin/true</env> <env>PATH=/usr/bin:/usr/openwin/bin:/usr/ucb</env> <env>OPENWINHOME=/usr/openwin</env><env>LOGNAME=jdoe</env><env>USER=jdoe</env> <env>DISPLAY=:0</env><env>SHELL=/bin/csh</env><env>START_SPECKEYSD=no</env> <env>SDT_ALT_SESSION=/usr/dt/config/Xsession2.jds</env><env>HOME=/home/jdoe</env> <env>SDT_NO_DTDBCACHE=1</env><env>PWD=/home/jdoe</env><env>TZ=US/Pacific</env> </exec_env>
Note - The exec_env token is output only when the arge audit policy option is active.
The exit token records the exit status of a program. The exit token contains the following fields:
A token ID that identifies this token as an exit token
A program exit status as passed to the exit() system call
A return value that describes the exit status or that provides a system error number
The praudit command displays the exit token as follows:
exit,Error 0,0
The file token is a special token that is generated by the auditd daemon. The token marks the beginning of a new audit file and the end of an old audit file as the old file is deactivated. The initial file token identifies the previous file in the audit trail. The final file token identifies the next file in the audit trail. The auditd daemon builds a special audit record that contains this token to “link” together successive audit files into one audit trail.
The praudit -x command shows the fields of the file token. This token identifies the next file in the audit trail. The line is wrapped for display purposes.
<file iso8601="2009-04-08 14:18:26.200 -07:00"> /var/audit/machine1/files/20090408211826.not_terminated.machine1</file>
This token has been replaced by the the groups token. See groups Token.
The groups token replaces the group token. The groups token records the group entries from the process's credential.
The groups token has two fixed fields:
A token ID field that identifies this token as a groups token
A count that represents the number of groups that are contained in this audit record
The remainder of this token is composed of count group entries.
The praudit -x command shows the fields of the groups token:
<group><gid>staff</gid><gid>other</gid></group>
The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record.
The header token has eight fields:
A token ID field that identifies this token as a header token
A byte count of the total length of the audit record, including both the header and the trailer tokens
A version number that identifies the version of the audit record structure
The audit event ID that identifies the audit event that the record represents
The event modifier that identifies special characteristics of the audit event
fe indicates a failed audit event
fp indicates the failed use of privilege
na indicates a non-attributable event
rd indicates that data is read from the object
sp indicates the successful use of privilege
wr indicates that data is written to the object
The ID modifier field has the following flags defined:
0x4000 PAD_NOTATTR nonattributable event 0x8000 PAD_FAILURE failed audit event
The address type, either IPv4 or IPv6
The machine's address
The time and date that the record was created
On 64-bit systems, the header token is displayed with a 64-bit timestamp, in place of the 32-bit timestamp.
The praudit command displays the header token as follows:
header,69,2,su,,machine1,2009-04-08 13:11:58.209 -07:00
The praudit -x command displays the fields of the header token at the beginning of the audit record. The line is wrapped for display purposes.
<record version="2" event="su" host="machine1" iso8601="2009-04-08 13:11:58.209 -07:00">
The ip_addr token contains an Internet Protocol address. Since the Solaris 8 release, the Internet address can be displayed in IPv4 format or IPv6 format. The IPv4 address uses 4 bytes. The IPv6 address uses 1 byte to describe the address type, and 16 bytes to describe the address.
The in_addr token has three fields:
A token ID that identifies this token as an in_addr token
The IP address type, either IPv4 or IPv6
An IP address
The praudit -x command shows the content of the ip_addr token:
<ip_address>machine1</ip_address>
The ip token contains a copy of an Internet Protocol header. The ip token has two fields:
A token ID that identifies this token as an ip token
A copy of the IP header, that is, all 20 bytes
The praudit command displays the ip token as follows:
ip address,0.0.0.0
The IP header structure is defined in the /usr/include/netinet/ip.h file.
The ipc token contains the System V IPC message handle, semaphore handle, or shared-memory handle that is used by the caller to identify a particular IPC object.
The ipc token has three fields:
A token ID that identifies this token as an ipc token
A type field that specifies the type of IPC object
The handle that identifies the IPC object
Note - The IPC object identifiers violate the context-free nature of the Oracle Solaris audit tokens. No global “name” uniquely identifies IPC objects. Instead, IPC objects are identified by their handles. The handles are valid only during the time that the IPC objects are active. However, the identification of IPC objects should not be a problem. The System V IPC mechanisms are seldom used, and the mechanisms all share the same audit class.
The following table shows the possible values for the IPC object type field. The values are defined in the /usr/include/bsm/audit.h file.
Table 31-7 Values for the IPC Object Type Field
|
The praudit -x command shows the fields of the ipc token:
<IPC ipc-type="shm" ipc-id="15"/>
The ipc_perm token contains a copy of the System V IPC access permissions. This token is added to audit records that are generated by IPC shared-memory events, IPC semaphore events, and IPC message events.
The ipc_perm token has eight fields:
A token ID that identifies this token as an ipc_perm token
The user ID of the IPC owner
The group ID of the IPC owner
The user ID of the IPC creator
The group ID of the IPC creator
The access mode of the IPC
The sequence number of the IPC
The IPC key value
The praudit -x command shows the fields of the ipc_perm token. The line is wrapped for display purposes.
<IPC_perm uid="jdoe" gid="staff" creator-uid="jdoe" creator-gid="staff" mode="100600" seq="0" key="0x0"/>
The values are taken from the ipc_perm structure that is associated with the IPC object.
The iport token contains the TCP or UDP port address.
The iport token has two fields:
A token ID that identifies this token as an iport token
The TCP or UDP port address
The praudit command displays the iport token as follows:
ip port,0xf6d6
The opaque token contains unformatted data as a sequence of bytes. The opaque token has three fields:
A token ID that identifies this token as an opaque token
A byte count of the data
An array of byte data
The praudit command displays the opaque token as follows:
opaque,12,0x4f5041515545204441544100
The path token contains access path information for an object.
The path token contains the following fields:
A token ID that identifies this token as an path token
The path length
The absolute path to the object that is based on the real root of the system
The praudit command displays the path token, without the second field, as follows:
path,/etc/security/audit_user
The praudit -x command shows the content of the path token:
<path>/etc/security/prof_attr</path>
The following figure shows the format of a path token.
Figure 31-4 path Token Format
The path_attr token contains access path information for an object. The access path specifies the sequence of attribute file objects below the path token object. Systems calls such as openat() access attribute files. For more information on attribute file objects, see the fsattr(5) man page.
The path_attr token contains the following fields:
A token ID that identifies this token as a path_attr token
A count that represents the number of sections of attribute file paths
count null-terminated strings
The praudit command displays the path_attr token as follows:
path_attr,1,attr_file_name
The privilege token records the use of privileges on a process. The privilege token is not recorded for privileges in the basic set. If a privilege has been removed from the basic set by administrative action, then the use of that privilege is recorded. For more information on privileges, see Privileges (Overview)
The privilege token contains the following fields:
A token ID that identifies this token as a privilege token
The length of the following field
The name of privilege set
The length of the following field
The list of privileges
The praudit -x command shows the fields of the privilege token. The line is wrapped for display purposes.
<privilege set-type="Effective">file_chown,file_dac_read, file_dac_write,net_privaddr,proc_exec,proc_fork,proc_setid</privilege>
The process token contains information about a user who is associated with a process, such as the recipient of a signal.
The process token has nine fields:
A token ID that identifies this token as a process token
The audit ID
The effective user ID
The effective group ID
The real user ID
The real group ID
The process ID
The audit session ID
A terminal ID that consists of a device ID and a machine address
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
Note - The process token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.
Any token that contains a terminal ID has several variations. The praudit command hides these variations. So, the terminal ID is handled the same way for any token that contains a terminal ID. The terminal ID is either an IP address and port number, or a device ID. A device ID, such as the serial port that is connected to a modem, can be zero. The terminal ID is specified in one of several formats.
The terminal ID for device numbers is specified as follows:
32-bit applications – 4-byte device number, 4 bytes unused
64-bit applications – 8-byte device number, 4 bytes unused
In releases prior to the Solaris 8 release, the terminal ID for port numbers is specified as follows:
32-bit applications – 4-byte port number, 4-byte IP address
64-bit applications – 8-byte port number, 4-byte IP address
Since the Solaris 8 release, the terminal ID for port numbers is specified as follows:
32-bit with IPv4 – 4-byte port number, 4-byte IP type, 4-byte IP address
32-bit with IPv6 – 4-byte port number, 4-byte IP type, 16-byte IP address
64-bit with IPv4 – 8-byte port number, 4-byte IP type, 4-byte IP address
64-bit with IPv6 – 8-byte port number, 4-byte IP type, 16-byte IP address
The praudit -x command shows the fields of the process token. The line is wrapped for display purposes.
<process audit-uid="-2" uid="root" gid="root" ruid="root" rgid="root" pid="9" sid="0" tid="0 0 0.0.0.0"/>
The following figure shows the format of a process token.
Figure 31-5 process Token Format
The return token contains the return status of the system call (u_error) and the process return value (u_rval1).
The return token has three fields:
A token ID that identifies this token as a return token
The error status of the system call
The return value of the system call
The return token is always returned as part of kernel-generated audit records for system calls. In application auditing, this token indicates exit status and other return values.
The praudit command displays the return token for a system call as follows:
return,failure: Operation now in progress,-1
The praudit -x command shows the fields of the return token:
<return errval="failure: Operation now in progress" retval="-1/">
The sequence token contains a sequence number. The sequence number is incremented every time an audit record is added to the audit trail. This token is useful for debugging.
The sequence token has two fields:
A token ID that identifies this token as a sequence token
A 32-bit unsigned long field that contains the sequence number
The praudit command shows the field of the sequence token:
sequence,1292
The praudit -x command shows the content of the sequence token:
<sequence seq-num="1292"/>
Note - The sequence token is output only when the seq audit policy option is active.
The socket token contains information that describes an Internet socket. In some instances, the token has four fields:
A token ID that identifies this token as a socket token
A socket type field that indicates the type of socket referenced, either TCP, UDP, or UNIX
The local port
The local IP address
The praudit command displays this instance of the socket token as follows:
socket,0x0002,0x83b1,localhost
In most instances, the token has eight fields:
A token ID that identifies this token as a socket token
The socket domain
A socket type field that indicates the type of socket referenced, either TCP, UDP, or UNIX
The local port
The address type, either IPv4 or IPv6
The local IP address
The remote port
The remote IP address
Since the Solaris 8 release, the Internet address can be displayed in IPv4 format or IPv6 format. The IPv4 address uses 4 bytes. The IPv6 address uses 1 byte to describe the address type, and 16 bytes to describe the address.
The praudit command displays the socket token as follows:
socket,0x0002,0x0002,0x83cf,example1,0x2383,server1.Subdomain.Domain.COM
The praudit -x command shows the fields of the socket token. The line is wrapped for display purposes.
<socket sock_domain="0x0002" sock_type="0x0002" lport="0x83cf" laddr="example1" fport="0x2383" faddr="server1.Subdomain.Domain.COM"/>
The subject token describes a user who performs or attempts to perform an operation. The format is the same as the process token.
The subject token has nine fields:
A token ID that identifies this token as a subject token
The audit ID
The effective user ID
The effective group ID
The real user ID
The real group ID
The process ID
The audit session ID
A terminal ID that consists of a device ID and a machine IP address
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
Note - The subject token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.
Any token that contains a terminal ID has several variations. The praudit command hides these variations. So, the terminal ID is handled the same way for any token that contains a terminal ID. The terminal ID is either an IP address and port number, or a device ID. A device ID, such as the serial port that is connected to a modem, can be zero. The terminal ID is specified in one of several formats.
The terminal ID for device numbers is specified as follows:
32-bit applications – 4-byte device number, 4 bytes unused
64-bit applications – 8-byte device number, 4 bytes unused
In releases prior to the Solaris 8 release, the terminal ID for port numbers is specified as follows:
32-bit applications – 4-byte port number, 4-byte IP address
64-bit applications – 8-byte port number, 4-byte IP address
Since the Solaris 8 release, the terminal ID for port numbers is specified as follows:
32-bit with IPv4 – 4-byte port number, 4-byte IP type, 4-byte IP address
32-bit with IPv6 – 4-byte port number, 4-byte IP type, 16-byte IP address
64-bit with IPv4 – 8-byte port number, 4-byte IP type, 4-byte IP address
64-bit with IPv6 – 8-byte port number, 4-byte IP type, 16-byte IP address
The subject token is always returned as part of kernel-generated audit records for system calls. The praudit command displays the subject token as follows:
subject,jdoe,root,root,root,root,1631,1421584480,8243 65558 machine1
The praudit -x command shows the fields of the subject token. The line is wrapped for display purposes.
<subject audit-uid="jdoe" uid="root" gid="root" ruid="root" rgid="root" pid="1631" sid="1421584480" tid="8243 65558 machine1"/>
The following figure shows the format of the subject token.
Figure 31-6 subject Token Format
The text token contains a text string.
The text token has three fields:
A token ID that identifies this token as a text token
The length of the text string
The text string itself
The praudit -x command shows the content of the text token:
<text>booting kernel</text>
The two tokens, header and trailer, are special in that they distinguish the end points of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. The trailer token is an optional token. The trailer token is added as the last token of each record only when the trail audit policy option has been set.
When an audit record is generated with trailers turned on, the auditreduce command can verify that the trailer correctly points back to the record header. The trailer token supports backward seeks of the audit trail.
The trailer token has three fields:
A token ID that identifies this token as a trailer token
A pad number to aid in marking the end of the record
The total number of characters in the audit record, including both the header and trailer tokens
The praudit command displays the trailer token as follows:
trailer,136
The uauth token records the use of authorization with a command or action.
The uauth token contains the following fields:
A token ID that identifies this token as a uauth token
The length of the text in the following field
A list of authorizations
The praudit command displays the uauth token as follows:
use of authorization,solaris.admin.printer.delete
The upriv token records the use of privilege with a command or action.
The praudit -x command shows the fields of the upriv token:
<use_of_privilege result="successful use of priv">proc_setid</use_of_privilege>
The zonename token records the zone in which the audit event occurred. The string “global” indicates audit events that occur in the global zone.
The zonename token contains the following fields:
A token ID that identifies this token as a zonename token
The length of the text in the following field
The name of the zone
The praudit -x command shows the content of the zonename token:
<zone name="graphzone"/>