System Administration Guide: Security Services (Oracle Solaris 10 1/13)
Troubleshooting Oracle Solaris Auditing (Task Map)

The following task map points to procedures for troubleshooting Oracle Solaris auditing.

How to Determine That Oracle Solaris Auditing Is Running
How to Lessen the Volume of Audit Records That Are Produced
How to Audit All Commands by Users
How to Find Audit Records of Changes to Specific Files
How to Modify a User's Preselection Mask
How to Prevent the Auditing of Certain Events
How to Limit the Size of Binary Audit Files
If you believe that auditing has been activated, but no audit records are in your primary audit directory, try the following.
Before You Begin
You have correctly configured the hosts database in your naming service and it is functioning. To debug naming service problems, see the following:
nsswitch.conf(4) man page
System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
System Administration Guide: Naming and Directory Services (NIS+)
# modinfo | grep c2audit
No listing indicates that auditing is not running. The following listing indicates that auditing is running:
40 132ce90 14230 186 1 c2audit (C2 system call)
Verify the status of the auditd service. The following listing indicates that auditing is not running:
# svcs -x auditd
svc:/system/auditd:default (Solaris audit daemon)
 State: disabled since Fri Aug 14 19:02:35 2009
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: auditd(1M)
   See: audit(1M)
Impact: This service is not running.
The following listing indicates that the audit service is running:
# svcs auditd
STATE          STIME    FMRI
online         10:10:10 svc:/system/auditd:default
The following listing indicates that auditing is not running:
# auditconfig -getcond
auditconfig: auditon(2) failed.
auditconfig: error = Operation not supported(48)
The following listing indicates that auditing is running:
# auditconfig -getcond
audit condition = auditing
If the audit service is not running, enable it. For the procedure, see How to Enable the Audit Service.
# audit -v /etc/security/audit_control
audit: audit_control must have either a valid "dir:" entry or a valid "plugin:" entry with "p_dir:" specified.
Correct the errors. The message syntax ok indicates that the file is syntactically correct.
# grep flags /etc/security/audit_control
flags:lo
naflags:na,lp
Supply valid values if the audit_control file has invalid values. In the preceding example, lp is an invalid class.
# tail audit_user
...
# User Level Audit User File
#
# File Format
#
# username:always:never
#
root:lo:no
admin:lp:no
Supply valid values if the audit_user file contains invalid values. In the preceding example, lp is an invalid class.
For example, the following audit_control file contains a class that Oracle Solaris software did not deliver:
# grep flags /etc/security/audit_control
flags:lo,pf
naflags:na,lo
For a description of creating the pf class, see How to Add an Audit Class.
The audit class mask must be unique.
# grep pf /etc/security/audit_class
0x10000000:pf:profile command
If the class is not defined, define it. Otherwise, remove the class from the audit_control and audit_user files.
# grep pf /etc/security/audit_event
6180:AUE_prof_cmd:profile command:ua,as,pf
If events are not assigned to the class, assign the appropriate events to this class.
# audit -s
For the procedure, see How to Enable the Audit Service.
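The invalid-class check from the audit_control and audit_user steps above, automated as an added shell example that is not part of the Oracle guide: the function reports every class name used in audit_control flags:/naflags: or in audit_user that audit_class does not define. The three sample files are constructed from the listings above (lp is the undefined class).

```shell
#!/bin/sh
# Added example (not from the Oracle guide): report class names used in
# audit_control flags:/naflags: and in audit_user that audit_class does
# not define. The +, - and ^ prefixes (success, failure, negation) are
# stripped before the lookup. All three sample files are constructed.

find_invalid_classes() {   # $1=audit_class $2=audit_control $3=audit_user
    defined=$(awk -F: '!/^#/ && NF >= 2 { print $2 }' "$1")
    {
        # flags:lo,ex and naflags:na,lp -> the value after the first colon
        awk -F: '/^(na)?flags:/ { print $2 }' "$2"
        # username:always:never -> fields 2 and 3 are both class lists
        awk -F: '!/^#/ && NF >= 3 { print $2; print $3 }' "$3"
    } | tr ',' '\n' | sed 's/^[-+^]//' | grep -v '^$' | sort -u |
    while read -r c; do
        printf '%s\n' "$defined" | grep -qx "$c" || echo "$c"
    done
}

tmp=$(mktemp -d)
cat > "$tmp/audit_class" <<'EOF'
# constructed subset of /etc/security/audit_class (mask:name:description)
0x00000000:no:invalid class
0x00001000:lo:login or logout
0x00010000:na:non-attribute
0x40000000:ex:exec
0xffffffff:all:all classes
EOF
cat > "$tmp/audit_control" <<'EOF'
dir:/var/audit
flags:lo
naflags:na,lp
EOF
cat > "$tmp/audit_user" <<'EOF'
# username:always:never
root:lo:no
admin:lp:no
EOF

find_invalid_classes "$tmp/audit_class" "$tmp/audit_control" "$tmp/audit_user"
# prints: lp
```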
After you have determined which events must be audited at your site, use the following suggestions to create manageable audit files.
Specifically, avoid adding events and audit tokens to the audit trail. The following policies affect the size of the audit trail.
arge policy – Adds environment variables to exec audit events.
argv policy – Adds command parameters to exec audit events.
public policy – If file events are being audited, adds an event to the audit trail every time an auditable event happens to a public file. File classes include fa, fc, fd, fm, fr, fw, and cl. For the definition of a public file, see Audit Terminology and Concepts.
path policy – Adds a path token to audit events that include an optional path token.
group policy – Adds a group token to audit events that include an optional newgroups token.
seq policy – Adds a sequence token to every audit event.
trail policy – Adds a trailer token to every audit event.
windata_down policy – On a system that is configured with Trusted Extensions, adds events when information in a labeled window is downgraded.
windata_up policy – On a system that is configured with Trusted Extensions, adds events when information in a labeled window is upgraded.
zonename policy – Adds the zone name to every audit event. If the global zone is the only configured zone, adds zone, global to every audit event.
The following audit record shows the use of the ls command. The ex class is being audited and the default policy is in use:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0
The following is the same record when all policies are turned on:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
attribute,100555,root,bin,136,432,0
exec_args,1,ls
exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
path,/lib/ld.so.1
attribute,100755,root,bin,136,4289,0
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
group,root,other,bin,sys,adm,uucp,mail,tty,lp,nuucp,daemon
return,success,0
zone,global
sequence,313540
trailer,375
This strategy works only if you are not required to keep binary records of the audit events that you send to the syslog logs. By using the auditreduce command, you can then strip the binary files of these records, thus reducing the size of the binary files.
Reduce the amount of auditing for all users by reducing the number of audit classes in the audit_control file. In the audit_user file, add audit classes for specific users and roles.
You can create audit classes at your site. Into these classes, put all the audit events that you need to monitor. For the procedure, see How to Add an Audit Class.
Note - If you modify existing audit class assignments, your modifications might be lost when you upgrade to a newer version of the Oracle Solaris OS. Carefully review the install logs.
As part of site security policy, some sites require audit records of all commands that are run by the root user or by administrative roles. Some sites also require audit records of all commands that are run by users.
The ex class audits all calls to the exec() and execve() functions. The lo class audits logins, logouts, and screen locks. The following output lists all the events in the ex and lo classes.
7:AUE_EXEC:exec(2):ps,ex
23:AUE_EXECVE:execve(2):ps,ex
...
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
6158:AUE_rshd:rsh access:lo
6159:AUE_su:su:lo
6162:AUE_rexecd:rexecd:lo
6163:AUE_passwd:passwd:lo
6164:AUE_rexd:rexd:lo
6165:AUE_ftpd:ftp access:lo
6171:AUE_ftpd_logout:ftp logout:lo
6172:AUE_ssh:login - ssh:lo
6173:AUE_role_login:role login:lo
6212:AUE_newgrp_login:newgrp login:lo
6213:AUE_admin_authenticate:admin login:lo
6221:AUE_screenlock:screenlock - lock:lo
6222:AUE_screenunlock:screenlock - unlock:lo
6227:AUE_zlogin:login - zlogin:lo
In the following example, the site has created three roles, sysadm, auditadm, and netadm. These roles and the root account are audited for the ex (exec) and lo classes:
## audit_user file
root:lo,ex:no
sysadm:lo,ex:no
auditadm:lo,ex:no
netadm:lo,ex:no

## audit_control file
...
naflags:lo
...

## audit_control file
flags:lo,ex
naflags:lo
...
The output appears similar to the following:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0

## audit_startup script
...
auditconfig -setpolicy +argv
...
The exec_args token records the command arguments:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
exec_args,1,ls
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0

## audit_startup script
...
auditconfig -setpolicy +arge
...
The exec_env token records the command environment:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0

## audit_startup script
...
auditconfig -setpolicy +argv
auditconfig -setpolicy +arge
...
The output appears similar to the following:
header,375,2,execve(2),,mach1,2009-08-06 11:19:57.388 -07:00
path,/usr/bin/ls
exec_args,1,ls
exec_env,9,HOME=/,HZ=,LANG=C,LOGNAME=root,MAIL=/var/mail/root,PATH=/usr/sbin:/usr/bin,SHELL=/sbin/sh,TERM=xterm,TZ=US/Pacific
subject,jdoe,root,root,root,root,1401,737,0 0 mach1
return,success,0
If your goal is to log file writes against a limited number of files, such as /etc/passwd and the files in the /etc/default directory, you use the auditreduce command to locate the records for those files.
Adding the class to the audit_user file generates fewer records than adding the class to the audit_control file.
## audit_user file
root:fw:no
sysadm:fw:no
auditadm:fw:no
netadm:fw:no

## audit_control file
flags:lo,fw
...
# /usr/sbin/auditreduce -o file=/etc/passwd,/etc/default -O filechg
The auditreduce command searches the audit trail for all instances of the file argument. The command creates a binary file with the suffix filechg that contains all records that include the pathnames of the files of interest. See the auditreduce(1M) man page for the syntax of the -o file=pathname option.
# /usr/sbin/praudit *filechg
If you modify the audit_control or audit_user file, the preselection mask of users who are already logged in does not change. You must force the preselection mask to change.
Before You Begin
You enabled auditing, users logged in, and then you changed the value of flags or naflags in the audit_control file. You want the users who are already logged in to be audited for these newly selected audit classes.
You have two options. You can terminate the existing sessions or use the auditconfig command to update the users' preselection masks.
Users can log out and log back in, or the administrator can manually terminate (kill) active sessions. The new sessions will inherit the new preselection mask. However, terminating users' sessions could be impractical.
Assume that the flags attribute in the audit_control file was changed from lo to lo,ex.
First, find all regular users. In the following example, the administrator finds all processes that are not owned by root, daemon, or lp:
# /usr/bin/pgrep -v -u root,daemon,lp | more
..
3941
3948
3949
10640
...
Then, use one of the user's processes to find the user's audit ID:
# auditconfig -getpinfo 3941
audit id = jdoe(1002)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234)
audit session id = 713
Note that the user's preselection mask includes the lo class and does not include the newly added ex class.
The user's audit ID is 1002. The user's audit session ID is 713.
Use one of the following two methods:
# /usr/sbin/auditconfig -setsmask lo,ex 713
# /usr/sbin/auditconfig -setumask lo,ex 1002
# auditconfig -getpinfo 3941
audit id = jdoe(1002)
process preselection mask = ex,lo(0x40001000,0x40001000)
terminal id (maj,min,host) = 9426,65559,mach1(192.168.123.234)
audit session id = 713
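The hexadecimal values that auditconfig -getpinfo prints are the class masks from audit_class ORed together. The following shell function is an added example, not from the Oracle guide, that reproduces lo(0x1000) and ex,lo(0x40001000) from a constructed audit_class excerpt whose mask values are taken from the output above.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): compute the preselection
# mask that a class list such as "lo,ex" produces by OR-ing the masks
# defined in audit_class. The audit_class excerpt below is constructed
# with the lo and ex masks implied by the getpinfo output above.

class_mask() {   # $1=audit_class  $2=comma-separated class list, e.g. lo,ex
    mask=0
    for c in $(printf '%s' "$2" | tr ',' ' '); do
        c=${c#[-+^]}                       # drop a +, - or ^ prefix
        bits=$(awk -F: -v n="$c" '!/^#/ && $2 == n { print $1; exit }' "$1")
        [ -n "$bits" ] || { echo "class_mask: unknown class $c" >&2; return 1; }
        mask=$(( mask | bits ))
    done
    printf '0x%x\n' "$mask"
}

tmp=$(mktemp -d)
cat > "$tmp/audit_class" <<'EOF'
# constructed subset of /etc/security/audit_class (mask:name:description)
0x00001000:lo:login or logout
0x40000000:ex:exec
EOF

class_mask "$tmp/audit_class" lo       # 0x1000     (mask before the change)
class_mask "$tmp/audit_class" lo,ex    # 0x40001000 (mask after setsmask/setumask)
```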
For maintenance purposes, sometimes a site wants to prevent audit events from being audited.
For example, events 26 and 27 belong to the pm class.
## audit_event file
...
25:AUE_VFORK:vfork(2):ps
26:AUE_SETGROUPS:setgroups(2):pm
27:AUE_SETPGRP:setpgrp(2):pm
28:AUE_SWAPON:swapon(2):no
...
Change these events to the no class.
## audit_event file
...
25:AUE_VFORK:vfork(2):ps
26:AUE_SETGROUPS:setgroups(2):no
27:AUE_SETPGRP:setpgrp(2):no
28:AUE_SWAPON:swapon(2):no
...
If the pm class is currently being audited, existing sessions will still audit events 26 and 27. To stop these events from being audited, you must update the users' preselection masks.
Caution - Never comment out events in the audit_event file. This file is used by the praudit command to read binary audit files. Archived audit files might contain events that are listed in the file.
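The reassignment above, done as an added shell example that is not from the Oracle guide: only the class field of the named event lines is rewritten, so the IDs remain in the file and can still be resolved the way praudit needs them. The audit_event excerpt is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): move event IDs to the "no"
# class in an audit_event file by rewriting only the class field, so the
# lines stay in the file and the IDs still resolve when praudit reads
# archived audit files. The audit_event excerpt below is constructed.

reassign_to_no_class() {   # $1=audit_event  $2 $3 ... = event IDs to silence
    f=$1; shift
    ids=",$(printf '%s,' "$@")"          # e.g. ",26,27,"
    awk -F: -v OFS=: -v ids="$ids" '
        # id:name:description:classes -> replace the class list only
        !/^#/ && NF >= 4 && index(ids, "," $1 ",") { $NF = "no" }
        { print }' "$f"
}

event_name() {   # $1=audit_event  $2=event ID -> symbolic name praudit prints
    awk -F: -v id="$2" '!/^#/ && $1 == id { print $2; exit }' "$1"
}

tmp=$(mktemp -d)
cat > "$tmp/audit_event" <<'EOF'
# constructed subset of /etc/security/audit_event (id:name:description:classes)
25:AUE_VFORK:vfork(2):ps
26:AUE_SETGROUPS:setgroups(2):pm
27:AUE_SETPGRP:setpgrp(2):pm
28:AUE_SWAPON:swapon(2):no
EOF

reassign_to_no_class "$tmp/audit_event" 26 27 > "$tmp/audit_event.new"
event_name "$tmp/audit_event.new" 26     # still resolves to AUE_SETGROUPS
```

Review the rewritten copy before installing it over /etc/security/audit_event; if the pm class is currently audited, existing sessions keep auditing these events until their preselection masks are updated.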
Binary audit files grow without limit. For ease of archiving and searching, you might want to limit the size. You can also create smaller binary files from the original file.
The p_fsize attribute to the audit_binfile.so plugin enables you to limit the size of an audit file. The default value is zero (0), which allows the file to grow without limit. The value is specified in bytes, from 512,000 to 2,147,483,647. When the specified size is reached, the current audit file is closed and a new file is opened.
In the following example, you limit the size of an audit file to 1 Mbyte:
plugin:name=audit_binfile.so; p_dir:/var/audit; p_fsize=1024000
The auditreduce -lowercase options find specific records.
The auditreduce -Uppercase options write your selections to a file. For more information, see the auditreduce(1M) man page.
Oracle Solaris can audit all logins, independent of source.
The lo class audits logins, logouts, and screen locks.
## audit_control file
flags:lo
naflags:lo
...
Note - To audit ssh logins, your Oracle Solaris system must be running the Oracle Solaris ssh daemon. This daemon is modified for Oracle Solaris auditing. For more information, see Secure Shell and the OpenSSH Project.
The FTP service creates logs of its file transfers. The SFTP service, which runs under the SSH protocol, can be audited by Oracle Solaris auditing. Logins to both services can be audited by Oracle Solaris auditing.
For the available logging options, read the “Logging Capabilities” section. In particular, the log commands and log transfers options might provide useful logs.
File transfers over an SSH connection use the sftp command. These transfers can be recorded by using the +fr audit flag. To audit failed sftp file transfers, use the -fr audit flag.
The following output is from a successful sftp session:
header,138,2,open(2) - read,,ma2,2009-08-25 14:48:58.770 -07:00
path,/home/jdoe/vpn_connect
attribute,100644,jdoe,staff,391,437,0
subject,jdoe,jdoe,staff,jdoe,staff,4444,120289379,8457 65558 ma1
return,success,6
The -v option can be repeated up to three times.
# sftp -vvv [ other options ] hostname
As the following output indicates, logging in to and out of the ftpd daemon generates audit records.
% bsmrecord -c lo | more
...
in.ftpd
  program     /usr/sbin/in.ftpd    See ftp access
  event ID    6165                 AUE_ftpd
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return
in.ftpd
  program     /usr/sbin/in.ftpd    See ftp logout
  event ID    6171                 AUE_ftpd_logout
  class       lo                   (0x00001000)
      header
      subject
      return
...
The SSH login records all accesses to the sftp command.
...
/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd    See login - ssh
  event ID    6172                 AUE_ssh
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return