Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019
 
 

How to Configure the audit_warn Email Alias

The /etc/security/audit_warn script generates mail to notify the administrator of audit incidents that might need attention. You can customize the script and you can send the mail to an account other than root.


Note -  If the perzone policy is set, the non-global zone administrator must configure the audit_warn email alias in the non-global zone.

Before You Begin

The root role can perform every task in this procedure.

    If administrative rights are distributed in your organization, note the following:

  • An administrator who is assigned the solaris.admin.edit/etc/security/audit_warn authorization can modify the alias.

  • An administrator with the Mail Management rights profile can run the newaliases command.

For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  • Replace or redirect the audit_warn alias:
    • Replace the audit_warn email alias in the ADDRESS line with another email account in the audit_warn script.

      For example:

      #ADDRESS=audit_warn            # standard alias for audit alerts
      ADDRESS=audadmin               # role alias for audit alerts

      Note -  For information about the effects of modifying an audit configuration file, see Audit Configuration Files and Packaging.
    • Redirect the audit_warn email to another mail account.
      1. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name service.

        In the following sample /etc/mail/aliases entry, the root and audadmin email accounts were added as members of the audit_warn email alias.

        audit_warn: root,audadmin
      2. Rebuild the random access database for the aliases file.
        $ pfexec newaliases
        /etc/mail/aliases: 14 aliases, longest 10 bytes, 156 bytes total