This procedure enables audits every zone identically. This method requires the least computer overhead and administrative resources.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
Complete the tasks in Configuring the Audit Service, with the following exceptions:
Do not enable perzone audit policy.
Set the zonename policy. This policy adds the name of the zone to every audit record.
# auditconfig -setpolicy +zonename
If you modified the audit_class or audit_event file, copy it in one of two ways:
You can loopback mount the files.
You can copy the files.
The non-global zone must be running.
# zoneadm -z non-global-zone halt
# zonecfg -z non-global-zone zone: add fs zone/fs: set special=/etc/security/audit-file zone/fs: set dir=/etc/security/audit-file zone/fs: set type=lofs zone/fs: add options [ro,nodevices,nosetuid] zone/fs: commit zone/fs: end zone: exit #
# zoneadm -z non-global-zone boot
Later, if you modify an audit configuration file in the global zone, you reboot each zone to refresh the loopback-mounted files in the non-global zones.
# ls /zone/zonename/root/etc/security/
# cp /etc/security/audit-file /zone/zonename/root/etc/security/audit-file
Later, if you change one of these files in the global zone, you must copy the changed file to the non-global zones.
The non-global zones are audited when the audit service is restarted in the global zone or when the zones are rebooted.
In this example, the system administrator has modified the audit_class, audit_event, and audit_warn files.
The audit_warn file is read in the global zone only, so does not have to be mounted into the non-global zones.
On this system, machine1, the administrator has created two non-global zones, machine1–webserver and machine1–appserver. The administrator has finished modifying the audit configuration files. If the administrator later modifies the files, the zone must be rebooted to re-read the loopback mounts.
# zoneadm -z machine1-webserver halt # zoneadm -z machine1-appserver halt # zonecfg -z machine1-webserver webserver: add fs webserver/fs: set special=/etc/security/audit_class webserver/fs: set dir=/etc/security/audit_class webserver/fs: set type=lofs webserver/fs: add options [ro,nodevices,nosetuid] webserver/fs: commit webserver/fs: end webserver: add fs webserver/fs: set special=/etc/security/audit_event webserver/fs: set dir=/etc/security/audit_event webserver/fs: set type=lofs webserver/fs: add options [ro,nodevices,nosetuid] webserver/fs: commit webserver/fs: end webserver: exit # # zonecfg -z machine1-appserver appserver: add fs appserver/fs: set special=/etc/security/audit_class appserver/fs: set dir=/etc/security/audit_class appserver/fs: set type=lofs appserver/fs: add options [ro,nodevices,nosetuid] appserver/fs: commit appserver/fs: end appserver: exit
When the non-global zones are rebooted, the audit_class and audit_event files are read-only in the zones.