Managing Auditing in Oracle® Solaris 11.2

Updated: July 2014

Example: Configuring Oracle Solaris Auditing

This section works through an example of configuring and implementing Oracle Solaris auditing. It begins by configuring several attributes of the audit service according to specific needs and requirements. After configuration is complete, the audit service is started so that the settings take effect. Each time you need to revise an existing audit configuration to accommodate new requirements, follow the same sequence of actions as in this example:

  1. Configure the audit parameters.

  2. Refresh the audit service.

  3. Verify the new audit configuration.

  • First, the administrator adds a temporary policy. The -t option applies the policy to the running audit service only, so it appears among the active policies but not among the configured ones.

    # auditconfig -t -setpolicy +zonename
    # auditconfig -getpolicy
    configured audit policies = ahlt,arge,argv,perzone
    active audit policies = ahlt,arge,argv,perzone,zonename
  • Then, the administrator specifies queue controls.

    # auditconfig -setqctrl 200 20 0 0
    # auditconfig -getqctrl
    configured audit queue hiwater mark (records) = 200
    configured audit queue lowater mark (records) = 20
    configured audit queue buffer size (bytes) = 8192
    configured audit queue delay (ticks) = 20
    active audit queue hiwater mark (records) = 200
    active audit queue lowater mark (records) = 20
    active audit queue buffer size (bytes) = 8192
    active audit queue delay (ticks) = 20
  • Then, the administrator specifies plugin attributes.

    • For the audit_binfile plugin, the administrator removes the qsize value.

      # auditconfig -getplugin audit_binfile
      Plugin: audit_binfile
      Attributes: p_dir=/audit/sys1.1,/var/audit;
      p_minfree=2;p_fsize=4G;
      Queue size: 200
      # auditconfig -setplugin audit_binfile  "" 0
      # auditconfig -getplugin audit_binfile
      Plugin: audit_binfile
      Attributes: p_dir=/audit/sys1.1,/var/audit
      p_minfree=2;p_fsize=4G;
    • For the audit_syslog plugin, the administrator specifies that successful login and logout events and failed executables be sent to syslog. The qsize for this plugin is set to 150.

      # auditconfig -setplugin audit_syslog active p_flags=+lo,-ex 150
      # auditconfig -getplugin audit_syslog
      Plugin: audit_syslog
      Attributes: p_flags=+lo,-ex;
      Queue size: 150
    • The administrator does not configure or use the audit_remote plugin.

  • Then, the administrator refreshes the audit service and verifies the configuration.

    • The temporary zonename policy is no longer set.

      # audit -s
      # auditconfig -getpolicy
      configured audit policies = ahlt,arge,argv,perzone
      active audit policies = ahlt,arge,argv,perzone
    • The queue controls remain the same.

      # auditconfig -getqctrl
      configured audit queue hiwater mark (records) = 200
      configured audit queue lowater mark (records) = 20
      configured audit queue buffer size (bytes) = 8192
      configured audit queue delay (ticks) = 20
      active audit queue hiwater mark (records) = 200
      active audit queue lowater mark (records) = 20
      active audit queue buffer size (bytes) = 8192
      active audit queue delay (ticks) = 20
    • The audit_binfile plugin does not have a specified queue size. The audit_syslog plugin has a specified queue size.

      # auditconfig -getplugin
      Plugin: audit_binfile
      Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
      
      Plugin: audit_syslog
      Attributes: p_flags=+lo,-ex;
      Queue size: 50
      ...
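Steps 2 and 3 of the sequence, refresh and then verify, are easy to misread by eye when the policy and queue-control listings are long. The following POSIX shell script is an added example and is not part of the Oracle manual: it parses the output format of auditconfig -getpolicy and auditconfig -getqctrl shown above and reports any difference between the configured (persistent) and active (running) values, which is exactly the check that confirms a temporary -t policy has been dropped by audit -s. The sample strings are constructed from the values in this example, and the function names policy_drift and qctrl_drift are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris manual: compare the "configured"
# (persistent) and "active" (running service) audit settings as printed by
# auditconfig -getpolicy and auditconfig -getqctrl. Function names and sample
# data are this example's own; on a live system pass the real command output:
#   policy_drift "$(auditconfig -getpolicy)"
#   qctrl_drift  "$(auditconfig -getqctrl)"

# Constructed sample: -getpolicy output while the temporary +zonename policy
# (set with auditconfig -t) is still active, i.e. before audit -s.
SAMPLE_POLICY_BEFORE='configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone,zonename'

# Constructed sample: -getpolicy output after audit -s refreshed the service.
SAMPLE_POLICY_AFTER='configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone'

# Constructed sample: -getqctrl output in which configured and active agree.
SAMPLE_QCTRL='configured audit queue hiwater mark (records) = 200
configured audit queue lowater mark (records) = 20
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 20
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20'

# policy_drift "<auditconfig -getpolicy output>"
# Prints each policy that is active but not configured (a temporary policy
# that audit -s will drop) and each policy configured but not yet active.
# Returns 0 when both lists match, 1 otherwise.
policy_drift() {
    configured=$(printf '%s\n' "$1" | sed -n 's/^configured audit policies = //p')
    active=$(printf '%s\n' "$1" | sed -n 's/^active audit policies = //p')
    drift=0
    for p in $(printf '%s' "$active" | tr ',' ' '); do
        case ",$configured," in
            *",$p,"*) ;;
            *) printf 'active-only (temporary): %s\n' "$p"; drift=1 ;;
        esac
    done
    for p in $(printf '%s' "$configured" | tr ',' ' '); do
        case ",$active," in
            *",$p,"*) ;;
            *) printf 'configured-only (not yet active): %s\n' "$p"; drift=1 ;;
        esac
    done
    return $drift
}

# qctrl_drift "<auditconfig -getqctrl output>"
# Pairs every "configured audit queue X = V" line with its "active" twin and
# prints the mismatches. Returns 0 when all pairs agree, 1 otherwise.
qctrl_drift() {
    printf '%s\n' "$1" | awk '
        /^configured audit queue / {
            sub(/^configured audit queue /, "")
            n = index($0, " = "); conf[substr($0, 1, n - 1)] = substr($0, n + 3)
        }
        /^active audit queue / {
            sub(/^active audit queue /, "")
            n = index($0, " = "); act[substr($0, 1, n - 1)] = substr($0, n + 3)
        }
        END {
            rc = 0
            for (k in conf)
                if (conf[k] != act[k]) {
                    printf "%s: configured %s, active %s\n", k, conf[k], act[k]
                    rc = 1
                }
            exit rc
        }'
}

# Stand-alone run over the constructed samples.
if policy_drift "$SAMPLE_POLICY_BEFORE"; then
    echo "before audit -s: policies in sync"
else
    echo "before audit -s: policies differ (expected: -t policy still active)"
fi
if policy_drift "$SAMPLE_POLICY_AFTER" && qctrl_drift "$SAMPLE_QCTRL"; then
    echo "after audit -s: policies and queue controls in sync"
fi
```

Run it after audit -s with the live command output substituted for the samples; any line it prints is a setting that the refresh did not carry over, and a non-zero exit status makes it usable from a post-change check script.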