Go to main content

Securing Files and Verifying File Integrity in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018

How to Create a Labeled Audit Trail

You create a file system at the highest label, ADMIN_HIGH, for the audit trail. All audit events, labeled and not labeled, are then recorded and stored at that label.

Before You Begin

You must be in the root role.

  1. Create a file system at ADMIN_HIGH for the audit files.
    # zfs create -o multilevel=on -o encryption=on rpool/VARSHARE/audit_high
    # setlabel ADMIN_HIGH /var/audit_high
  2. Add the audit_high directory to the list of audit_binfile plugins.
    # auditconfig -setplugin audit_binfile active "p_dir=/var/audit_high"
  3. Run the auditing process at that label.
    # svccfg -s auditd 
    > setprop start/clearance = astring: ADMIN_HIGH
    > exit
  4. Read the audit service changes into the kernel and restart the service.
    # audit -t
    # audit -s
  5. Create a Labeled Audit Review rights profile and assign it to the users who review audit records.
    1. Use the Audit Review profile as the template.
      # profiles -p "Audit Review"
      profiles:Audit Review> set name="Labeled Audit Review"
      profiles:Labeled Audit Review> set desc="Review Labeled Audit Trail"
      profiles:Labeled Audit Review> select cmd=/usr/sbin/auditreduce
      profiles:Labeled Audit Review:auditreduce> set clearance="ADMIN_HIGH"
      profiles:Labeled Audit Review:auditreduce> end
      profiles:Labeled Audit Review> select cmd=/usr/sbin/praudit
      profiles:Labeled Audit Review:praudit> set clearance="ADMIN_HIGH"
      profiles:Labeled Audit Review:praudit> end
      profiles:Labeled Audit Review> commit
      profiles:Labeled Audit Review> exit

      The Labeled Audit Review profile inherits the existing security attributes of the selected commands. The commands retain their assigned privileges and EUIDs.

    2. Verify that the commands are running at the ADMIN_HIGH clearance and retain any security attributes from the original rights profile.
      # profiles -p "Labeled Audit Review" "select cmd=/usr/sbin/auditreduce ; info; end;"
    3. Assign the rights profile to users who can review the audit trail by typing one of the following commands:
      # usermod -K profiles+="Labeled Audit Review" user-who-reviews-audit-trail
      # usermod -K auth_profiles+="Labeled Audit Review" user-who-reviews-audit-trail

      The commands in the Labeled Audit Review rights profile will run at the ADMIN_HIGH label when the user runs the commands in a profile shell, as in pfexec praudit. The clearance of the assigned user does not change but the command processes run at the label specified in the profile.