Managing Auditing in Oracle® Solaris 11.2


Updated: July 2014

How to Audit All Commands by Users

As part of site security policy, some sites require audit records of all commands that are run by the root account and administrative roles. Some sites might require audit records of all commands run by all users. Additionally, sites might require that the command arguments and environment be recorded.

Before You Begin

To preselect audit classes and set audit policy, you must become an administrator who is assigned the Audit Configuration rights profile. To assign audit flags to users, roles, and rights profiles, you must assume the root role.

  1. Display user-level event information for the lo and ex classes.

    The ex class audits all calls to the exec() and execve() functions.

    The lo class audits logins, logouts, and screen locks. The following output lists all the events in the ex and lo classes.

    % auditconfig -lsevent | grep " lo "
    AUE_login                       6152 lo login - local
    AUE_logout                      6153 lo logout
    AUE_telnet                      6154 lo login - telnet
    AUE_rlogin                      6155 lo login - rlogin
    AUE_rshd                        6158 lo rsh access
    AUE_su                          6159 lo su
    AUE_rexecd                      6162 lo rexecd
    AUE_passwd                      6163 lo passwd
    AUE_rexd                        6164 lo rexd
    AUE_ftpd                        6165 lo ftp access
    AUE_ftpd_logout                 6171 lo ftp logout
    AUE_ssh                         6172 lo login - ssh
    AUE_role_login                  6173 lo role login
    AUE_newgrp_login                6212 lo newgrp login
    AUE_admin_authenticate          6213 lo admin login
    AUE_screenlock                  6221 lo screenlock - lock
    AUE_screenunlock                6222 lo screenlock - unlock
    AUE_zlogin                      6227 lo login - zlogin
    AUE_su_logout                   6228 lo su logout
    AUE_role_logout                 6229 lo role logout
    AUE_smbd_session                6244 lo smbd(1m) session setup
    AUE_smbd_logoff                 6245 lo smbd(1m) session logoff
    AUE_ClientConnect               9101 lo client connection to x server
    AUE_ClientDisconnect            9102 lo client disconn. from x server
    % auditconfig -lsevent | egrep " ex |,ex |ex,"
    AUE_EXECVE                        23 ex,ps execve(2)
  2. Audit the lo and ex classes.
    • To audit these classes for administrative roles, modify the roles' security attributes.

      In the following example, root is a role. The site has created three roles, sysadm, auditadm, and netadm. All roles are audited for the success and failure of events in the ex and lo classes. The audit_flags value has the form always-audit-flags:never-audit-flags, so lo,ex:no audits both classes and leaves the never-audit list empty.

      # rolemod -K audit_flags=lo,ex:no root
      # rolemod -K audit_flags=lo,ex:no sysadm
      # rolemod -K audit_flags=lo,ex:no auditadm
      # rolemod -K audit_flags=lo,ex:no netadm
    • To audit these classes for all users, set the system-wide flags.
      # auditconfig -setflags lo,ex

      An audit record for a command that is run after this setting takes effect appears similar to the following:

      header,129,2,AUE_EXECVE,,mach1,2010-10-14 12:17:12.616 -07:00
      subject,jdoe,root,root,root,root,2486,50036632,82 0 mach1
  3. Specify additional information to be recorded about command use.
    • To record the arguments to commands, add the argv policy.
      # auditconfig -setpolicy +argv

      The exec_args token records the command arguments:

      header,151,2,AUE_EXECVE,,mach1,2010-10-14 12:26:17.373 -07:00
      subject,jdoe,root,root,root,root,2494,50036632,82 0 mach1
    • To record the environment in which the command is run, add the arge policy.
      # auditconfig -setpolicy +arge

      The exec_env token records the command environment:

      header,1460,2,AUE_EXECVE,,mach1,2010-10-14 12:29:39.679 -07:00
      subject,jdoe,root,root,root,root,2502,50036632,82 0 mach1
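As an added example (not part of the Oracle guide), the following script condenses praudit text records like those produced by the steps above into one line per executed command and flags commands where the audit ID (the user who logged in) differs from the effective UID, which is what a command run through su or an assumed role looks like. The records are constructed sample input; the layout of the exec_args token (argument count followed by the arguments) and of the return token is assumed from praudit's text format.

```shell
#!/bin/sh
# Summarise AUE_EXECVE records from praudit text output: one line per
# command with timestamp, pid, audit ID, effective UID, argv and result.
# Requires the lo,ex preselection and the +argv policy described above.

exec_report() {
    awk -F, '
        $1 == "header"  { ev = $4; ts = $7; argv = "" }
        $1 == "subject" { auid = $2; euid = $3; pid = $7 }
        $1 == "exec_args" {
            # field 2 is the argument count; the arguments follow it
            for (i = 3; i <= NF; i++)
                argv = (argv == "") ? $i : argv " " $i
        }
        $1 == "return" && ev == "AUE_EXECVE" {
            # audit ID differs from effective UID: command run via su/role
            flag = (auid != euid) ? "ELEVATED" : "-"
            printf "%s pid=%s auid=%s euid=%s %s %s [%s]\n",
                   ts, pid, auid, euid, flag, argv, $2
            ev = ""
        }'
}

# Constructed sample records in the style of the page's output
# (not real audit data).
SAMPLE_RECORDS='header,129,2,AUE_EXECVE,,mach1,2010-10-14 12:17:12.616 -07:00
subject,jdoe,root,root,root,root,2486,50036632,82 0 mach1
exec_args,2,ls,/etc
return,success,0
header,151,2,AUE_EXECVE,,mach1,2010-10-14 12:26:17.373 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,2494,50036632,82 0 mach1
exec_args,3,cat,-n,/etc/passwd
return,success,0
header,140,2,AUE_EXECVE,,mach1,2010-10-14 12:29:39.679 -07:00
subject,jdoe,root,root,root,root,2502,50036632,82 0 mach1
exec_args,2,useradd,mallory
return,failure: Permission denied,-1'

# On a live system: praudit /var/audit/<audit-file> | exec_report
printf '%s\n' "$SAMPLE_RECORDS" | exec_report
```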