Managing Auditing in Oracle® Solaris 11.4

Updated: February 2019
 
 

How to Add an Audit Class

When you create your own audit class, you can place into it just those audit events that you want to audit for your site. This strategy can reduce the number of records that are collected and reduce noise in your audit trail.

When you add the class on one system, copy the change to all systems that are being audited. Best practice is to create audit classes before the first users log in.

For information about the effects of modifying an audit configuration file, see Audit Configuration Files and Packaging.


Tip  -  In Oracle Solaris, you can create your own package that contains your site-customized files and use those files to replace the ones from the Oracle Solaris packages. When you set the preserve attribute to true in your package, the pkg subcommands, such as verify, fix, and revert, run relative to your packages. For more information, see the pkg(1) and pkg(7) man pages.

Before You Begin

The root role can perform every task in this procedure.

If administrative rights are distributed in your organization, note the following:

  • An administrator who is assigned the solaris.admin.edit/etc/security/audit_class authorization can modify the file.

  • An administrator with the Audit Configuration rights profile can run the auditconfig command.

  • An administrator with the Service Configuration rights profile can run the svcadm command.

For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. (Optional) Save a backup copy of the audit_class file.
    $ cp /etc/security/audit_class /etc/security/audit_class.orig
  2. Choose free bits in the upper 8 bits for your unique entry.
  3. Verify which bits are available for customer use in the /etc/security/audit_class file.
  4. Add new entries to the audit_class file.

    Each entry has the following format:

    0x64bitnumber:flag:description

    For a description of the fields, see the audit_class(5) man page. For the list of existing classes, read the /etc/security/audit_class file.

  5. Refresh the audit service and update the runtime mappings.
    $ pfbash ; svcadm refresh svc:/system/auditset:default
    $ auditconfig -conf

    The first command refreshes the audit service. The second command changes the runtime class mappings to match those in the audit event-to-class database file.

Example 11  Creating a New Audit Class

This example creates a class to hold administrative commands that are executed in a role. The added entry to the audit_class file is as follows:

0x0100000000000000:pf:profile command

The entry creates the new pf audit class. Example 12, Mapping Existing Audit Events to a New Class shows how to populate the new audit class.
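
A pre-flight check for steps 2 through 4, as an added Python example that is not part of the Oracle documentation: it parses audit_class-format text and reports whether a proposed entry, such as the pf entry above, stays within the upper 8 bits and avoids bits and flag names already in use. The sample file content is constructed, and two points are assumptions: "upper 8 bits" is read as bits 56-63 of the 64-bit mask, and existing entries with several bits set are treated as meta-classes.

```python
import re

UPPER_8_BITS = 0xFF00000000000000  # assumption: bits 56-63 of the 64-bit mask
ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]{1,16}):([^:\s]+):(.*)$")

def parse_audit_class(text):
    """Return [(mask, flag, description)] from audit_class-format text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not mask:flag:description: {raw!r}")
        entries.append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return entries

def check_new_class(existing_text, new_entry):
    """Return a list of problems with new_entry; an empty list means none found."""
    existing = parse_audit_class(existing_text)
    (mask, flag, _), = parse_audit_class(new_entry)  # exactly one entry expected
    problems = []
    if mask == 0:
        problems.append("mask sets no bit")
    if mask & ~UPPER_8_BITS:
        problems.append("mask uses bits outside the upper 8 bits")
    for old_mask, old_flag, _ in existing:
        if old_flag == flag:
            problems.append(f"flag {flag!r} already defined")
        # Assumption: entries with several bits set are meta-classes, so skip them.
        if bin(old_mask).count("1") == 1 and old_mask & mask:
            problems.append(f"bit already used by class {old_flag!r}")
    return problems

# Constructed sample content, not a copy of the shipped audit_class file.
SAMPLE = """\
# mask:flag:description
0x0000000000000000:no:invalid class
0x0000000000000001:fr:file read
0x0000000000000002:fw:file write
0x0200000000000000:xx:hypothetical site class
0xffffffffffffffff:all:all classes (meta-class)
"""

if __name__ == "__main__":
    for entry in ("0x0100000000000000:pf:profile command",
                  "0x0200000000000000:pf:profile command"):
        print(entry, "->", check_new_class(SAMPLE, entry) or "ok")
```

To check a real system, pass the contents of /etc/security/audit_class as the first argument in place of SAMPLE.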

Troubleshooting

If you have customized the audit_class file, make sure that any audit flags that are assigned directly to users or rights profiles are consistent with the new audit classes. Errors occur when an audit_flags value is not a subset of the audit_class file.