Managing Auditing in Oracle® Solaris 11.4

Updated: November 2020
 
 

Preparing to Stream Audit Records to Remote Storage

The audit_remote plugin sends the binary audit trail to an Audit Remote Server (ARS) in the same format that the audit_binfile plugin uses when it writes to the local audit files. The audit_remote plugin uses the libgss library to authenticate the ARS, and a GSS-API mechanism to protect the transmission with privacy and integrity. For reference, see How the Kerberos Service Works in Managing Kerberos in Oracle Solaris 11.4.

The only currently supported GSS-API mechanism is kerberosv5. For more information, see the mech(5) man page.

How to Prepare to Stream Audit Records to Remote Storage


Note -  If you have a Kerberos realm configured with an identified Audit Remote Server (ARS) and all audited systems within the realm, you can skip this procedure. The steps to configure the ARS and the audited systems are covered in How to Configure a Remote Repository for Audit Files and How to Send Audit Files to a Remote Repository.

To verify whether a Kerberos realm is configured, issue the following command. The sample output indicates that Kerberos is not installed on the system.

$ pkg info kerberos-5/kdc
pkg: info: no packages matching these patterns are installed on the system.

Before You Begin

This procedure assumes that you are using the audit_remote plugin. Also, you must be assigned the Software Installation rights profile. By default, the root role has this profile.

  1. Install the master KDC (Key Distribution Center) package.

    You can use the system that will serve as the ARS, or you can use a nearby system. The ARS sends a significant amount of authentication traffic to the master KDC.

    $ pfexec pkg install pkg://solaris/security/kerberos-5/kdc

    On the master KDC, you use the Kerberos kdcmgr and kadmin commands to manage the realm. For more information, see the kdcmgr(8) and kadmind(8) man pages.

  2. On every audited system that will send audit records to the ARS, install the master KDC package.

    $ pfexec pkg install pkg://solaris/security/kerberos-5/kdc

    This package includes the kclient command. On these systems, you run the kclient command to connect with the KDC. For more information, see the kclient(8) man page.

  3. Synchronize the clocks in the KDC realm.

    If the clock skew between the audited systems and the ARS is too large, the connection attempt fails. After a connection is established, the local time on the ARS determines the names of the stored audit files, as described in Conventions for Binary Audit File Names.

    For more information about the clocks, see Ensuring Reliable Time Stamps.
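
The following preflight check for an audited system is an added example, not part of the Oracle guide. It classifies the pkg info output shown earlier and compares the local clock with the ARS clock. Assumptions: the 300-second limit is the usual Kerberos default clock-skew tolerance, and ARS_EPOCH is a hypothetical variable holding the ARS clock in epoch seconds.

```sh
#!/bin/sh
# Added example: preflight check before configuring audit_remote.
# Assumption: 300 s is the usual Kerberos default clock-skew tolerance.
MAX_SKEW=${MAX_SKEW:-300}

# Classify the captured output of `pkg info kerberos-5/kdc` (passed as $1).
kdc_pkg_state() {
    case "$1" in
        *"no packages matching these patterns are installed"*) echo missing ;;
        "") echo unknown ;;
        *) echo installed ;;
    esac
}

# Absolute difference, in seconds, between two epoch timestamps.
clock_skew() {
    d=$(( $1 - $2 ))
    echo "${d#-}"
}

# preflight PKG_INFO_OUTPUT LOCAL_EPOCH ARS_EPOCH
# Prints one finding per line; returns 0 only if every check passes.
preflight() {
    rc=0
    state=$(kdc_pkg_state "$1")
    if [ "$state" != installed ]; then
        echo "FAIL kerberos-5/kdc package: $state"
        rc=1
    fi
    skew=$(clock_skew "$2" "$3")
    if [ "$skew" -gt "$MAX_SKEW" ]; then
        echo "FAIL clock skew ${skew}s exceeds ${MAX_SKEW}s"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK package installed, clock skew ${skew}s"
    fi
    return "$rc"
}

# Usage on an audited system (ARS_EPOCH is hypothetical, see the lead-in):
#   preflight "$(pkg info kerberos-5/kdc 2>&1)" "$(date +%s)" "$ARS_EPOCH"
```

A nonzero return means that at least one prerequisite from the procedure is not met, and the FAIL lines name which one.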