This section provides an example of how you configure and implement Oracle Solaris auditing. It begins with the configuration of different attributes of the service according to specific needs and requirements. After configuration is completed, the audit service is started to effect the configuration settings. Each time that you need to revise an existing audit configuration to accommodate new requirements, follow the same sequence of actions in this example:
Configure the audit parameters.
Refresh the audit service.
Verify the new audit configuration.
First, the administrator adds a temporary policy.
# auditconfig -t -setpolicy +zonename
# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone,zonename
Then, the administrator specifies queue controls.
# auditconfig -setqctrl 200 20 0 0
# auditconfig -getqctrl
configured audit queue hiwater mark (records) = 200
configured audit queue lowater mark (records) = 20
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 20
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
Then, the administrator specifies plugin attributes.
For the audit_binfile plugin, the administrator removes the qsize value.
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/audit/sys1.1,/var/audit;p_minfree=2;p_fsize=4G;
Queue size: 200
# auditconfig -setplugin audit_binfile "" 0
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/audit/sys1.1,/var/audit;p_minfree=2;p_fsize=4G;
For the audit_syslog plugin, the administrator specifies that successful login and logout events and failed executables be sent to syslog. The qsize for this plugin is set to 150.
# auditconfig -setplugin audit_syslog active p_flags=+lo,-ex 150
# auditconfig -getplugin audit_syslog
Plugin: audit_syslog
Attributes: p_flags=+lo,-ex;
Queue size: 150
The administrator does not configure or use the audit_remote plugin.
Then, the administrator refreshes the audit service and verifies the configuration.
The temporary zonename policy is no longer set.
# audit -s
# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone
The queue controls remain the same.
# auditconfig -getqctrl
configured audit queue hiwater mark (records) = 200
configured audit queue lowater mark (records) = 20
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 20
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
The audit_binfile plugin does not have a specified queue size. The audit_syslog plugin has a specified queue size.
# auditconfig -getplugin
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
Plugin: audit_syslog
Attributes: p_flags=+lo,-ex;
Queue size: 50
...
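The verification step can be scripted so that the same checks run after every refresh. The following POSIX shell functions are an added example, not part of the Oracle Solaris documentation: policy_drift parses auditconfig -getpolicy output and lists policies that are active but not configured (policies added with -t, which audit -s drops), and plugin_qsize reads back the queue size of a named plugin from auditconfig -getplugin output so it can be compared with the value that was set. The sample listings in the script are constructed copies of the output shown above; on a live system, pass "$(auditconfig -getpolicy)" and "$(auditconfig -getplugin)" instead, with the same privileges the # prompt implies.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): post-refresh checks for an
# audit configuration, driven by the text of auditconfig's own output.

# Constructed sample output, copied from the listings above (not captured live).
SAMPLE_POLICY_BEFORE='configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone,zonename'

SAMPLE_POLICY_AFTER='configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone'

SAMPLE_GETPLUGIN='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
Plugin: audit_syslog
Attributes: p_flags=+lo,-ex;
Queue size: 50'

# policy_list OUTPUT KIND
# Print the policies on the "KIND audit policies = ..." line, one per line.
# KIND is "configured" or "active".
policy_list() {
    printf '%s\n' "$1" | sed -n "s/^$2 audit policies = //p" | tr ',' '\n'
}

# policy_drift OUTPUT
# Print every active policy that is not in the configured set, one per line.
# These are the temporary policies that the next audit -s will remove.
# Prints nothing when active and configured policies agree.
policy_drift() {
    configured=$(policy_list "$1" configured)
    for p in $(policy_list "$1" active); do
        printf '%s\n' "$configured" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# plugin_qsize OUTPUT PLUGIN
# Print the "Queue size:" value of PLUGIN from auditconfig -getplugin output,
# or "default" when the plugin has no queue size of its own (it then uses the
# global hiwater mark shown by auditconfig -getqctrl).
plugin_qsize() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "Plugin:" { cur = $2 }
        cur == name && $1 == "Queue" && $2 == "size:" { print $3; found = 1 }
        END { if (!found) print "default" }'
}

# Usage against the constructed samples.
echo "temporary policies before refresh: $(policy_drift "$SAMPLE_POLICY_BEFORE")"
echo "temporary policies after refresh:  $(policy_drift "$SAMPLE_POLICY_AFTER")"
echo "audit_binfile queue size: $(plugin_qsize "$SAMPLE_GETPLUGIN" audit_binfile)"
echo "audit_syslog queue size:  $(plugin_qsize "$SAMPLE_GETPLUGIN" audit_syslog)"
```

A non-empty result from policy_drift before a refresh is expected while a temporary policy is in use; a non-empty result after audit -s means the refresh did not take effect. Comparing plugin_qsize against the value passed to auditconfig -setplugin catches a queue size that was not applied as intended.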