Managing Auditing in Oracle® Solaris 11.4

Updated: February 2019

Example: Configuring Oracle Solaris Auditing

This section provides an example of how you configure and implement Oracle Solaris auditing. The example assumes you have distributed the rights to manage auditing to different administrators.

The example begins with the configuration of different attributes of the service according to specific needs and requirements. After configuration is completed, the audit service is started to implement the configuration settings. Each time that you need to revise an existing audit configuration to accommodate new requirements, follow the same sequence of actions in this example.

  1. Configure the audit parameters.

  2. Refresh the audit service.

  3. Verify the new audit configuration.

  • Add a temporary policy.

    $ auditconfig -t -setpolicy +zonename
    $ auditconfig -getpolicy
    configured audit policies = ahlt,arge,argv,perzone
    active audit policies = ahlt,arge,argv,perzone,zonename
  • Specify the plugin attributes.

    • For the audit_binfile plugin, remove the qsize value.

      $ auditconfig -getplugin audit_binfile
      Plugin: audit_binfile
      Attributes: p_dir=/audit/sys1.1,/var/audit;
      p_minfree=2;p_fsize=4G;
      Queue size: 200
      $ auditconfig -setplugin audit_binfile  "" 0
      $ auditconfig -getplugin audit_binfile
      Plugin: audit_binfile
      Attributes: p_dir=/audit/sys1.1,/var/audit
      p_minfree=2;p_fsize=4G;
    • For the audit_syslog plugin, specify that successful login and logout events (the lo class) and failed program executions (the ex class) be sent to syslog. The qsize for this plugin is set to 150.

      $ auditconfig -setplugin audit_syslog active p_flags=+lo,-ex 150
      $ auditconfig -getplugin audit_syslog
      Plugin: audit_syslog
      Attributes: p_flags=+lo,-ex;
      Queue size: 150
    • Do not configure or use the audit_remote plugin.

  • Refresh the audit service and verify the configuration.

    • The temporary zonename policy is no longer set.

      $ audit -s
      $ auditconfig -getpolicy
      configured audit policies = ahlt,arge,argv,perzone
      active audit policies = ahlt,arge,argv,perzone
    • The audit_binfile plugin does not have a specified queue size. The audit_syslog plugin has a specified queue size.

      $ auditconfig -getplugin
      Plugin: audit_binfile
      Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
      
      Plugin: audit_syslog
      Attributes: p_flags=+lo,-ex;
      Queue size: 150
      ...
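The procedure above ends with a verification step (step 3), and the expected results are shown only as terminal output to be read by eye. The following POSIX shell script is an added example, not part of the Oracle guide, that automates that check: it parses the output format of auditconfig -getpolicy and auditconfig -getplugin as shown above and confirms that the temporary zonename policy is no longer active, that audit_binfile has no queue size, and that audit_syslog carries p_flags=+lo,-ex with a queue size of 150. The sample text embedded in the script is constructed from the expected results above so that it runs on any system without auditconfig; the function names and the expected values are this example's own assumptions, not Solaris interfaces.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): verify the post-refresh audit
# configuration described in the procedure above. The functions take the text
# of `auditconfig -getpolicy` and `auditconfig -getplugin` as arguments so the
# check can run offline; on a live Solaris system you would call
#   verify_audit_config "$(auditconfig -getpolicy)" "$(auditconfig -getplugin)"

# Constructed sample output, modelled on the expected results after `audit -s`.
SAMPLE_POLICY='configured audit policies = ahlt,arge,argv,perzone
active audit policies = ahlt,arge,argv,perzone'

SAMPLE_PLUGINS='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;

Plugin: audit_syslog
Attributes: p_flags=+lo,-ex;
Queue size: 150'

# active_policy_has POLICY_TEXT NAME -> exit 0 if NAME is in the active policy list
active_policy_has() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^active audit policies/ {
            sub(/^active audit policies *= */, "")
            n = split($0, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# plugin_qsize PLUGIN_TEXT PLUGIN -> prints the queue size, or "none" if not set
plugin_qsize() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Plugin:/ { cur = $2; if (cur == want) seen = 1 }
        cur == want && /^Queue size:/ { q = $3 }
        END { if (!seen) exit 2; print (q == "" ? "none" : q) }'
}

# plugin_attr PLUGIN_TEXT PLUGIN KEY -> prints the value of KEY, or nothing if unset
plugin_attr() {
    printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
        /^Plugin:/ { cur = $2 }
        cur == want && /^Attributes:/ {
            sub(/^Attributes: */, "")
            n = split($0, a, ";")
            for (i = 1; i <= n; i++) {
                split(a[i], kv, "=")
                if (kv[1] == key) print kv[2]
            }
        }'
}

# verify_audit_config POLICY_TEXT PLUGIN_TEXT -> exit 0 when every expectation holds
verify_audit_config() {
    status=0
    if active_policy_has "$1" zonename; then
        echo "FAIL: temporary zonename policy is still active after refresh"
        status=1
    fi
    [ "$(plugin_qsize "$2" audit_binfile)" = none ] ||
        { echo "FAIL: audit_binfile still has a queue size"; status=1; }
    [ "$(plugin_qsize "$2" audit_syslog)" = 150 ] ||
        { echo "FAIL: audit_syslog queue size is not 150"; status=1; }
    [ "$(plugin_attr "$2" audit_syslog p_flags)" = "+lo,-ex" ] ||
        { echo "FAIL: audit_syslog p_flags is not +lo,-ex"; status=1; }
    return $status
}

verify_audit_config "$SAMPLE_POLICY" "$SAMPLE_PLUGINS" &&
    echo "audit configuration matches the expected settings"
```

Each expectation is checked independently so that a single run reports every deviation rather than stopping at the first one; a temporary policy that was never removed by the refresh, for example, is reported alongside a plugin whose queue size was left at an old value.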