Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: November 2020

Auditing Administrative Actions

Site security policy often requires that you audit administrative actions. The 116:AUE_PFEXEC:execve(2) with pfexec enabled:ps,ex,ua,as audit event captures these actions. The cusa metaclass, which provides a group of events that is appropriate for use with roles, is another option when auditing administrative actions. For more information, review the comments in the /etc/security/audit_class file.

Example 48  Using Two Roles to Configure Auditing

In this example, two administrators implement the audit configuration plan of their site security officer. The plan is to use the pf class for all users, and specify the cusa metaclass for individual roles. The root role will assign the audit flags to the roles. The first administrator configures auditing and the second enables the new configuration.

The first administrator is assigned the Audit Configuration rights profile. This administrator views the current audit configuration:

# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)

Because the pf class does not include the lo class, the administrator adds the class to the system configuration.

# auditconfig -setflags lo,pf

To read the new audit configuration into the kernel, the administrator who is assigned the Audit Control rights profile refreshes the audit service.

# audit -s