Managing Auditing in Oracle® Solaris 11.4

Updated: February 2019

How to Audit All Commands by Users

As part of site security policy, some sites require audit records of all commands that are run by the root account and administrative roles. Some sites can require audit records of all commands by all users. Additionally, sites can require that the command arguments and environment be recorded.

Before You Begin

To preselect audit classes and set audit policy, you must become an administrator who is assigned the Audit Configuration rights profile. By default, the root role has these rights. Only the root role can change how users are audited.

  1. Display user level event information for lo and ex classes.

    The ex class audits all calls to the exec() and execve() functions.

    The lo class audits logins, logouts, and screen locks. The following sample output lists the events in the ex and lo classes.

    $ auditconfig -lsevent | egrep " lo |,lo|lo,"
    AUE_login                       6152 lo login - local
    AUE_logout                      6153 lo logout
    AUE_telnet                      6154 lo login - telnet
    AUE_rlogin                      6155 lo login - rlogin
    AUE_rshd                        6158 lo rsh access
    AUE_su                          6159 lo su
    ...
    
    
    $ auditconfig -lsevent | egrep " ex |,ex |ex,"
    AUE_EXECVE                        23 ex,ps execve(2)
    AUE_PFEXEC                       116 ex,ps,ua,as execve(2) with pfexec enabled
  2. Audit the cusa class for administrators.
    • To audit these events for administrative roles, assign the cusa class in the roles' audit_flags security attribute. cusa is a metaclass defined in /etc/security/audit_class; check that file to confirm which classes it covers on your system.

      In the following example, root is a role. The site has created three roles, sysadm, auditadm, and netadm. An audit_flags value has the form always-audit-classes:never-audit-classes, so cusa:no audits both the success and the failure of every event in the cusa class and excludes nothing. All four roles are audited this way.

      # rolemod -K audit_flags=cusa:no root
      
      # rolemod -K audit_flags=cusa:no sysadm
      
      # rolemod -K audit_flags=cusa:no auditadm
      
      # rolemod -K audit_flags=cusa:no netadm
    • To audit these classes for all users, set the system-wide flags. -setflags replaces the current system-wide flags rather than adding to them, so include any classes that are already preselected (list them with auditconfig -getflags). The new preselection mask applies to sessions that log in after the change; sessions that are already running keep their old mask.
      # auditconfig -setflags lo,ex

      An execve record for a command run under this configuration, displayed with praudit, appears similar to the following. The subject token lists the audit user (jdoe) first and the effective user (root) second, so a command run after su to root is still attributed to jdoe:

      header,129,2,AUE_EXECVE,,mach1,2010-10-14 12:17:12.616 -07:00
      path,/usr/bin/ls
      attribute,100555,root,bin,21,320271,18446744073709551615
      subject,jdoe,root,root,root,root,2486,50036632,82 0 mach1
      return,success,0
  3. Specify additional information to be recorded about command use.
    • To record the arguments to commands, add the argv policy.
      $ pfbash ; auditconfig -setpolicy +argv

      The exec_args token records the command arguments. Arguments frequently contain sensitive values, such as passwords or tokens passed on a command line, so once this policy is on the audit trail must be handled as sensitive data. The following example wraps the lines for display purposes.

      header,151,2,AUE_EXECVE,,mach1,2010-10-14 12:26:17.373 -07:00
      path,/usr/bin/ls
      attribute,100555,root,bin,21,320271,18446744073709551615
      exec_args
      ,2,ls,/etc/security
      subject,jdoe,root,root,root,root,2494,50036632,82 0 mach1
      return,success,0
    • To record the environment in which the command is run, add the arge policy.
      $ auditconfig -setpolicy +arge

      The exec_env token records the command environment. Environment variables can also carry credentials, and the token makes every execve record considerably larger (the byte count in the header token below is 1460, against 151 for the record above that carries only exec_args), so enable arge only where site policy requires it. The following example wraps lines for display purposes.

      header,1460,2,AUE_EXECVE,,mach1,2010-10-14 12:29:39.679 -07:00
      path,/usr/bin/ls
      attribute,100555,root,bin,21,320271,18446744073709551615
      exec_args,2,ls,/etc/security
      exec_env
      ,49,MANPATH=/usr/share/man,USER=jdoe,GDM_KEYBOARD_LAYOUT=us,EDITOR=gedit,
      LANG=en_US.UTF-8,GDM_LANG=en_US.UTF-8,PS1=#,GDMSESSION=gnome,SESSIONTYPE=1,SHLVL=2,
      HOME=/home/jdoe,LOGNAME=jdoe,G_FILENAME_ENCODING=@locale,UTF-8,
      PRINTER=example-dbl,...,_=/usr/bin/ls
      subject,jdoe,root,root,root,root,2502,50036632,82 0 mach1
      return,success,0
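As an added example that is not part of the Oracle manual, the following POSIX shell script ties the three steps together. apply_command_auditing() issues the rolemod and auditconfig commands of steps 2 and 3 on a Solaris host; it takes the role names from the page as defaults, and the ROLES and FLAGS variables, like the function names, are conventions of this script rather than of the manual. summarize_exec_records() reads praudit's default one-token-per-line text output, as shown in the records above, and reports which audit user ran which command with which arguments. The sample trail embedded at the end is constructed for the demonstration, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the Oracle manual. ROLES, FLAGS, the function
# names and the sample trail are this script's own assumptions.

# Steps 2 and 3: role audit_flags, system-wide flags, argv/arge policy.
# Solaris only; needs the Audit Configuration rights profile (root by default).
apply_command_auditing() {
    flags=${FLAGS:-lo,ex}                        # system-wide preselection
    roles=${ROLES:-root sysadm auditadm netadm}  # site roles, as on the page
    for r in $roles; do
        rolemod -K audit_flags=cusa:no "$r" || return 1
    done
    # -setflags replaces the current flags rather than adding to them,
    # so FLAGS must list every class the site wants preselected.
    auditconfig -setflags "$flags" || return 1
    auditconfig -setpolicy +argv || return 1
    auditconfig -setpolicy +arge || return 1
    auditconfig -getflags && auditconfig -getpolicy
}

# Summarize AUE_EXECVE records as: audit user, effective user, path,
# arguments, return status. The audit user (first subject field) is the
# login identity, so a command run after su to root is still attributed
# to the person. praudit's default text does not escape commas inside
# values; for untrusted argument data parse praudit -x (XML) instead.
summarize_exec_records() {
    awk -F, '
        function flush() {
            if (ev == "AUE_EXECVE")
                printf "%s\t%s\t%s\t%s\t%s\n", auid, euid, path, args, ret
            ev = ""; auid = ""; euid = ""; path = ""; args = "-"; ret = ""
        }
        $1 == "header"    { flush(); ev = $4 }
        $1 == "path"      { path = $2 }
        $1 == "exec_args" { args = ""
                            for (i = 3; i <= NF; i++)
                                args = args (i > 3 ? " " : "") $i }
        $1 == "subject"   { auid = $2; euid = $3 }
        $1 == "return"    { ret = $2 }
        END               { flush() }
    ' "$@"
}

# Constructed sample trail in praudit text format (not real data): an ls by
# jdoe while effective root, a login event, and a cat by jdoe as jdoe.
SAMPLE_TRAIL='header,151,2,AUE_EXECVE,,mach1,2010-10-14 12:26:17.373 -07:00
path,/usr/bin/ls
attribute,100555,root,bin,21,320271,18446744073709551615
exec_args,2,ls,/etc/security
subject,jdoe,root,root,root,root,2494,50036632,82 0 mach1
return,success,0
header,84,2,AUE_login,,mach1,2010-10-14 12:30:00.000 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,2600,50036633,82 0 mach1
return,success,0
header,162,2,AUE_EXECVE,,mach1,2010-10-14 12:31:05.111 -07:00
path,/usr/bin/cat
attribute,100555,root,bin,21,320280,18446744073709551615
exec_args,3,cat,-n,/etc/motd
subject,jdoe,jdoe,staff,jdoe,staff,2601,50036633,82 0 mach1
return,success,0'

# Runs the summarizer over the embedded sample; the login record is skipped.
demo_summary() {
    printf '%s\n' "$SAMPLE_TRAIL" | summarize_exec_records
}

case "${1-}" in
    apply)     apply_command_auditing ;;
    summarize) shift; summarize_exec_records "$@" ;;   # praudit file(s) or stdin
    demo)      demo_summary ;;
esac
```

Run `sh audit-cmds.sh apply` (the file name is hypothetical) on the Solaris host as a user holding the Audit Configuration profile, and `praudit trail-file | sh audit-cmds.sh summarize` to summarize a trail; `demo` runs the parser over the embedded sample. The first column is the audit ID, which is why the ls record is reported for jdoe, not root, even though the effective user was root.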