Managing Auditing in Oracle® Solaris 11.2


Updated: July 2014

Audit Logs

Audit records are collected in audit logs. The audit service provides three output modes for audit records.

  • Logs that are called audit files store audit records in binary format. The set of audit files from a system or site provides a complete audit record. The complete audit record is called the audit trail. These logs are created by the audit_binfile plugin, and can be reviewed by the praudit and auditreduce post-selection commands.

  • The audit_remote plugin streams audit records to a remote repository. The repository is responsible for maintaining an audit trail and supplying post-selection tools.

  • The syslog utility collects and stores text summaries of the audit record. A syslog record is not complete. The following example shows a syslog entry for a login audit record:

    Oct 10  10:10:20 example_system auditd: [ID 6472 audit.notice] \
    login - login ok session 4076172534 by root as root:other

A site can configure auditing to collect audit records in all formats. You can configure the systems at your site to use binary mode locally, to send binary files to a remote repository, and to use syslog mode. The following table compares binary audit records with syslog audit records.

Table 1-1  Comparison of Binary, Remote, and syslog Audit Records

| Feature          | Binary and Remote Records                                                                                                    | syslog Records                                                                              |
|------------------|------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|
| Protocol         | Binary – Writes to the file system; Remote – Streams to a remote repository                                                  | Uses UDP for remote logging                                                                 |
| Data type        | Binary                                                                                                                       | Text                                                                                        |
| Record length    | No limit                                                                                                                     | Up to 1024 characters per audit record                                                      |
| Location         | Binary – Stored in a zpool on the system; Remote – Remote repository                                                         | Stored in a location that is specified in the syslog.conf file                              |
| How to configure | Binary – Set the p_dir attribute on the audit_binfile plugin; Remote – Set the p_hosts attribute on the audit_remote plugin and make the plugin active | Make the audit_syslog plugin active and configure the syslog.conf file |
| How to read      | Binary – Typically, in batch mode, browser output in XML; Remote – Repository dictates the procedure                         | In real time or searched by scripts that you have created for syslog; plain text output     |
| Completeness     | Guaranteed to be complete and to appear in the correct order                                                                 | Not guaranteed to be complete                                                               |
| Time stamp       | Coordinated Universal Time (UTC)                                                                                             | Time on the system that is being audited                                                    |

About Binary Records

Binary records provide the greatest security and coverage. Binary output meets the requirements of security certifications, such as the Common Criteria audit requirements.

The audit_binfile plugin writes the records to a file system that you protect from snooping. On a single system, all binary records are collected and displayed in order. The UTC time stamp on binary logs enables accurate comparison when systems on one audit trail are distributed across time zones. The praudit -x command enables you to view the records in a browser in XML. You can also use scripts to parse the XML output.
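The following script illustrates the point about UTC time stamps: it parses praudit -x style XML from two hosts in different time zones and merges the records into one correctly ordered trail. It is an added example, not code from the Solaris documentation. The XML is a constructed sample modelled on praudit -x output; the element and attribute names (record, iso8601, subject, audit-uid, sid, return) are assumptions, so adjust the lookups if your praudit version labels them differently.

```python
"""Order praudit -x output from several hosts by its UTC time stamp.

Added example, not from the Solaris documentation. The XML below is a
constructed sample modelled on praudit -x output; the element and
attribute names are assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Two hosts in different time zones. Local wall-clock order (10:10 on west,
# 13:05 on east) is the opposite of the real order once both are in UTC.
SAMPLE_XML = """<audit>
<record version="2" event="login - local" host="west" iso8601="2014-07-10 10:10:20.000 -07:00">
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="1234" sid="4076172534" tid="0 0 west"/>
<text>successful login</text>
<return errval="success" retval="0"/>
</record>
<record version="2" event="logout" host="east" iso8601="2014-07-10 13:05:00.000 -04:00">
<subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe" rgid="staff" pid="2345" sid="1122334455" tid="0 0 east"/>
<return errval="success" retval="0"/>
</record>
</audit>
"""


def parse_iso8601(stamp):
    """Convert a 'YYYY-MM-DD HH:MM:SS.fff +HH:MM' stamp to an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f %z").astimezone(timezone.utc)


def load_records(xml_text):
    """Flatten each <record> into a dict with its UTC time and subject fields."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        subject = rec.find("subject")
        ret = rec.find("return")
        records.append({
            "host": rec.get("host"),
            "event": rec.get("event"),
            "utc": parse_iso8601(rec.get("iso8601")),
            "audit_uid": subject.get("audit-uid") if subject is not None else None,
            "sid": subject.get("sid") if subject is not None else None,
            "status": ret.get("errval") if ret is not None else None,
        })
    return records


def ordered_trail(records):
    """Merge records from any number of hosts into one UTC-ordered trail."""
    return sorted(records, key=lambda r: r["utc"])


if __name__ == "__main__":
    for r in ordered_trail(load_records(SAMPLE_XML)):
        print(r["utc"].isoformat(), r["host"], r["event"], r["audit_uid"], r["status"])
```

Because every binary record carries a zone offset, the west host's 10:10 login (17:10 UTC) correctly sorts after the east host's 13:05 logout (17:05 UTC); a merge keyed on local wall-clock time would have reversed them.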

The audit_remote plugin writes the records to a remote repository. The repository handles storage and post-selection.

About syslog Audit Records

In contrast, the syslog records might provide greater convenience and flexibility. For example, you can collect the syslog data from a variety of sources. Also, when you monitor audit.notice events in the syslog.conf file, the syslog utility logs an audit record summary with the current time stamp. You can use the same management and analysis tools that you have developed for syslog messages from a variety of sources, including workstations, servers, firewalls, and routers. The records can be viewed in real time, and can be stored on a remote system.

By using syslog.conf to store audit records remotely, you protect log data from alteration or deletion by an attacker. However, consider the following drawbacks to the syslog mode.

  • The records are susceptible to network attacks such as denial of service and spoofed source addresses.

  • The UDP protocol can drop packets or can deliver packets out of order.

  • The 1024-character limit for syslog entries can cause some audit records to be truncated in the log.

  • On a single system, not all audit records are collected, and the records that are collected might not be displayed in order.

  • Each audit record is stamped with the local system's date and time. Thus, you cannot rely on the time stamp to construct an audit trail for several systems.
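The following script parses syslog audit summaries of the form shown earlier on this page (the auditd login entry) and checks for the drawbacks listed above: records that fill the 1024-character budget and may be truncated, records that arrive out of order, and time stamps that carry neither a year nor a zone. It is an added example, not code from the Solaris documentation. The regular expression is an assumption based on the single syslog entry shown in the text, and the sample lines are constructed.

```python
"""Parse syslog audit summaries written by the audit_syslog plugin.

Added example, not from the Solaris documentation. The record layout
assumed here follows the one entry the documentation shows:
  Oct 10 10:10:20 host auditd: [ID 6472 audit.notice] login - login ok ...
The sample lines are constructed.
"""
import re
from datetime import datetime

SYSLOG_LIMIT = 1024  # syslog audit records are capped at 1024 characters

# Timestamp, host, the auditd tag, the syslog message id/priority, then
# "<event> - <summary>". The event group is non-greedy so the first " - "
# separates event name from summary.
RECORD_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+auditd:\s+\[ID\s+(?P<msgid>\d+)\s+audit\.(?P<priority>\w+)\]\s+"
    r"(?P<event>.+?)\s+-\s+(?P<summary>.*)$"
)
# Session and subject fields as they appear in the login summary.
SUBJECT_RE = re.compile(
    r"session\s+(?P<sid>\d+)\s+by\s+(?P<audit_user>\S+)\s+as\s+(?P<user>[^:\s]+):(?P<group>\S+)"
)


def parse_record(line, year):
    """Return a dict for one syslog audit line, or None if it is not one.

    syslog stamps records with the local time of the audited system and
    omits the year, so the caller supplies the year and the result is a
    naive (zone-less) datetime: usable on one host, not across a trail.
    """
    line = line.rstrip("\n")
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    stamp = "%s %s %s %d" % (rec.pop("month"), rec.pop("day"), rec.pop("time"), year)
    rec["local_time"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    s = SUBJECT_RE.search(rec["summary"])
    if s:
        rec.update(s.groupdict())
    # A record that fills the whole syslog budget has probably lost its tail.
    rec["possibly_truncated"] = len(line) >= SYSLOG_LIMIT
    return rec


def find_out_of_order(records):
    """Indices of records whose local time is earlier than the previous one.

    UDP delivery can reorder packets, so this is a cheap signal that the
    syslog copy is not a faithful sequence of what the host generated.
    """
    return [i for i in range(1, len(records))
            if records[i]["local_time"] < records[i - 1]["local_time"]]


# Constructed sample lines: the first mirrors the documentation's example,
# the second is padded to the 1024-character limit, the third arrives late
# (older time stamp after a newer one), the fourth is not an audit record.
SAMPLE_LINES = [
    "Oct 10 10:10:20 example_system auditd: [ID 6472 audit.notice] "
    "login - login ok session 4076172534 by root as root:other",
    ("Oct 10 10:10:25 example_system auditd: [ID 6472 audit.notice] "
     "execve(2) - ok /usr/bin/sh " + "A" * SYSLOG_LIMIT)[:SYSLOG_LIMIT],
    "Oct 10 10:10:22 example_system auditd: [ID 6472 audit.notice] "
    "logout - logout session 4076172534 by root as root:other",
    "Oct 10 10:10:23 example_system sshd[123]: Accepted publickey for jdoe",
]


def analyze(lines, year=2014):
    """Parse all audit lines, skipping other syslog messages, and flag reordering."""
    records = [r for r in (parse_record(l, year) for l in lines) if r]
    return records, find_out_of_order(records)


if __name__ == "__main__":
    recs, late = analyze(SAMPLE_LINES)
    for r in recs:
        flag = "possibly truncated" if r["possibly_truncated"] else ""
        print(r["local_time"], r["host"], r["event"], r.get("sid"), flag)
    print("out-of-order record indices:", late)
```

The truncation check is a heuristic: a record of exactly 1024 characters is the only evidence syslog leaves that something was cut off, and the binary trail is the place to recover the full record.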