If your goal is to audit writes to a small set of files, such as /etc/passwd and the files in the /etc/default directory, preselect the fw (file write) audit class and then use the auditreduce command to extract the records that name those files.
Before You Begin
The root role can perform every task in this procedure.
If administrative rights are distributed in your organization, note the following:
An administrator with the Audit Configuration rights profile can run the auditconfig command.
An administrator with the Audit Review rights profile can run the auditreduce command.
Only the root role can assign audit flags.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Audit the fw class.
Adding the fw class to the audit flags of specific users or roles generates fewer records than adding the class to the system-wide audit preselection mask, because only the processes of those identities are preselected for the class. In either case the new mask applies to sessions that start after the change; existing login or role sessions keep the mask they were given when they started. Perform one of the following steps:
Add the fw class to specific roles.
The value of audit_flags is always-audit:never-audit, so fw:no audits the fw class and adds nothing to the never-audit list (no is the empty class).
# rolemod -K audit_flags=fw:no root
# rolemod -K audit_flags=fw:no sysadm
# rolemod -K audit_flags=fw:no auditadm
# rolemod -K audit_flags=fw:no netadm
Add the fw class to the system-wide flags.
# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
# auditconfig -setflags lo,fw
user default audit flags = lo,fw(0x1002,0x1002)
The pair in parentheses is the success mask followed by the failure mask. The -setflags option replaces the current list rather than appending to it, so repeat lo (or whatever the current flags are) to keep auditing logins.
Audit successful file-writes.
Auditing only successes generates fewer records than auditing both successes and failures. The + prefix preselects only events that succeed, so failed write attempts, such as an unprivileged user being denied permission to write /etc/passwd, are no longer recorded; keep the bare fw class if you want those attempts in the trail. Perform the following step:
Add the +fw flag to specific roles.
# rolemod -K audit_flags=+fw:no root
# rolemod -K audit_flags=+fw:no sysadm
# rolemod -K audit_flags=+fw:no auditadm
# rolemod -K audit_flags=+fw:no netadm
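The hex pairs that auditconfig -getflags prints, and the difference between fw and +fw in the two steps above, as an added example (not from the Oracle Solaris documentation; it runs no Solaris command): a POSIX shell script that computes the (success-mask,failure-mask) pair for a flags string and combines a role's always:never audit_flags with the system-wide flags. The class bit values are read off the auditconfig output above (lo = 0x1000, lo,fw = 0x1002, so fw = 0x2), no is treated as the empty class, the combination rule is the documented one (system-wide flags plus the role's always-audit classes, minus its never-audit classes), and the ^ prefix is not handled.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation; runs no Solaris
# command): turn audit flag strings into the (success,failure) mask pair that
# `auditconfig -getflags` prints, e.g. lo,+fw -> 0x1002,0x1000.
#
# Assumptions: class bits lo=0x1000 and fw=0x2 are taken from the page's own
# auditconfig output; "no" is the empty class; a role's audit_flags
# "always:never" are combined with the system-wide mask by adding the
# always-audit classes and removing the never-audit classes. The "^" prefix
# is not handled.

# Bit value of one audit class, in decimal. Extend from
# /etc/security/audit_class as required.
class_bit() {
  case "$1" in
    no) echo 0 ;;      # 0x0000: no classes
    fw) echo 2 ;;      # 0x0002: file write
    lo) echo 4096 ;;   # 0x1000: login or logout
    *)  echo "unknown audit class: $1" >&2; return 1 ;;
  esac
}

# mask_pair FLAGS: print "success failure" (decimal) for a comma-separated
# flags string. A bare class sets both bits; +class sets only the success
# bit; -class sets only the failure bit.
mask_pair() {
  success=0; failure=0
  old_ifs=$IFS; IFS=,
  set -- $1
  IFS=$old_ifs
  for flag in "$@"; do
    case "$flag" in
      +*) bit=$(class_bit "${flag#+}") || return 1
          success=$(( success | bit )) ;;
      -*) bit=$(class_bit "${flag#-}") || return 1
          failure=$(( failure | bit )) ;;
      *)  bit=$(class_bit "$flag") || return 1
          success=$(( success | bit )); failure=$(( failure | bit )) ;;
    esac
  done
  printf '%d %d\n' "$success" "$failure"
}

# audit_mask FLAGS: format the pair as auditconfig does, e.g. "0x1002,0x1000".
audit_mask() {
  set -- $(mask_pair "$1")
  [ $# -eq 2 ] || return 1
  printf '0x%x,0x%x\n' "$1" "$2"
}

# role_mask SYSTEM_FLAGS ROLE_AUDIT_FLAGS: effective preselection mask of a
# role whose audit_flags are "always:never", given the system-wide flags.
role_mask() {
  case "$2" in
    *:*) always=${2%%:*}; never=${2#*:} ;;
    *)   echo "audit_flags must be always:never" >&2; return 1 ;;
  esac
  set -- $(mask_pair "$1") $(mask_pair "$always") $(mask_pair "$never")
  [ $# -eq 6 ] || return 1
  printf '0x%x,0x%x\n' "$(( ($1 | $3) & ~$5 ))" "$(( ($2 | $4) & ~$6 ))"
}

# Demonstration: the settings used in the procedure above.
audit_mask lo          # system default before the change: 0x1000,0x1000
audit_mask lo,fw       # after auditconfig -setflags lo,fw: 0x1002,0x1002
audit_mask lo,+fw      # successes only:                    0x1002,0x1000
role_mask lo fw:no     # role with fw:no on an lo-only system:  0x1002,0x1002
role_mask lo +fw:no    # role with +fw:no on an lo-only system: 0x1002,0x1000
```

The last two calls show why the per-role variant is cheaper: the system stays at lo(0x1000,0x1000) for everyone else, and only the listed roles pick up the fw bit in their own mask when they are next assumed.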
Select the audit records that name the files of interest.
# auditreduce -o file=/etc/passwd,/etc/default -O filechg
The auditreduce command searches the audit trail for every record that contains one of the file arguments as a path. The -O option writes those records, still in binary form, to a file in the current directory whose name is the start and end timestamps of the selected records followed by the suffix filechg. Only records produced while the fw class was preselected are present, so run this step after the flags above have taken effect. See the auditreduce(8) man page for the syntax of the -o file=pathname option.
Display the records.
# praudit *filechg
The praudit command converts the binary records to text. In each record, the subject token carries the audit-ID, which identifies the user who logged in, followed by the uid in effect; when a role wrote the file, the uid is the role's but the audit-ID is still that of the user who assumed the role. Use praudit -x for XML or praudit -l for one record per line if you intend to process the output with scripts.
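Reviewing the selected records in a script, as an added example that is not part of the Oracle Solaris documentation: a POSIX shell script that reads the one-record-per-line text that praudit -l produces, prints one summary line per write (event, audit-ID, uid, path, result), and lists writers whose audit-ID is not on an allow list. The token layout it relies on (header,length,version,event,...; path,pathname; subject,audit-ID,uid,...; return,status,value) follows praudit's text format, but the three records embedded in SAMPLE_RECORDS are constructed for this example, not captured from a real system, and the host name and users in them are invented.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): reduce the
# records that `praudit -l *filechg` prints (one record per line, tokens
# separated by commas) to one summary line per write, and list writers who
# are not on an allow list.
#
# Assumptions: the token layout used below (header,len,ver,event,...;
# path,<pathname>; subject,<audit-ID>,<uid>,...; return,<status>,<value>)
# follows praudit's text format, but the three records in SAMPLE_RECORDS are
# constructed for this example, not captured from a system.

# Constructed sample: user jdoe, acting as the root role, wrote /etc/passwd
# and /etc/default/login; unprivileged user mallory failed to write
# /etc/default/passwd. The audit-ID (first subject field) stays "jdoe" even
# though the uid in effect is root.
SAMPLE_RECORDS='header,172,2,open(2) - write,,host1,2024-05-01 09:15:02.116 -07:00,path,/etc/passwd,attribute,100644,root,sys,65538,1234,18446744073709551615,subject,jdoe,root,root,root,root,3001,2900,0 0 host1,return,success,4
header,172,2,open(2) - write,,host1,2024-05-01 09:16:40.552 -07:00,path,/etc/default/login,attribute,100444,root,sys,65538,1250,18446744073709551615,subject,jdoe,root,root,root,root,3010,2900,0 0 host1,return,success,5
header,150,2,open(2) - write,,host1,2024-05-01 09:20:11.007 -07:00,path,/etc/default/passwd,subject,mallory,mallory,staff,mallory,staff,4100,4000,0 0 host1,return,failure: Permission denied,-1'

# summarize_writes: read praudit -l records on stdin and print
# event|audit-ID|uid|path|status for every record that carries a path token.
summarize_writes() {
  awk -F, '
    {
      ev = ""; aid = ""; uid = ""; path = ""; status = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "header") ev = $(i + 3)                       # header,len,ver,event
        else if ($i == "path" && path == "") path = $(i + 1)    # first path token only
        else if ($i == "subject") { aid = $(i + 1); uid = $(i + 2) }
        else if ($i == "return") { status = $(i + 1); sub(/:.*/, "", status) }
      }
      if (path != "") print ev "|" aid "|" uid "|" path "|" status
    }'
}

# unexpected_writers "user1 user2": records whose audit-ID is not in the
# allow list, printed as "audit-ID path status". The audit-ID rather than the
# uid identifies the person, because assuming a role changes the uid but
# keeps the audit-ID.
unexpected_writers() {
  summarize_writes | awk -F'|' -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
    !($2 in ok) { print $2, $4, $5 }'
}

# Demonstration on the constructed records. On a Solaris system replace the
# printf with:  praudit -l *filechg | summarize_writes
printf '%s\n' "$SAMPLE_RECORDS" | summarize_writes
printf '%s\n' "$SAMPLE_RECORDS" | unexpected_writers "jdoe"
```

If the roles were given +fw rather than fw, the third record (a failed write) would never have been generated, so a report like this one only shows attempted tampering when the bare fw class is preselected.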