Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019
 
 

New Feature – Annotating Reason for Access in the Audit Record

In Oracle Solaris 11.4, system administrators can configure and track annotations in audit records, annotations that explain why actions were performed in the system.

    Administrators can configure users and roles to provide annotations when:

  • Logging into a system

  • Assuming a particular role

  • Executing a rights profile, including authenticated rights profiles

Annotations should explain the reason for activity performed on a system. For example, a user might, during login, provide an annotation that states "Fix Ticket 134567". This annotation is recorded in each audit record associated with that particular authentication.


Note -  Annotation is sometimes referred to as Session Annotation.

Configuring Annotation

Annotation may be configured for specific users and roles, or for all users on a system. To configure annotations, an administrator must be granted the User Security rights profile.

Configuring Annotation for Specific Users

To configure annotation for specific users or roles, administrators use the new annotation extended user attribute in the Oracle Solaris rights model.

Table 3  Annotation Attribute Added to Rights Model
Description
Annotation
Rights Man Page
Manage users and roles interactively
Supports –K annotation= option for CLI, also supports Session annotation options in interactive menu
Annotate per user
Supports –K annotation= option
Annotate per a role
Supports –K annotation= option
Annotation described in extended user attributes database
Includes key value pair for annotation
Annotate per rights profiles
annotation value can be set. Annotation can be used for authenticated rights profiles.

The annotation values can be set to yes, no, or optional. The default value is no.

For further information, see Chapter 3, Assigning Rights in Oracle Solaris in Securing Users and Processes in Oracle Solaris 11.4.

Example 13  Adding an Annotation Requirement

The following command modifies a user, bob, adding a requirement for annotation:

$ pfexec usermod -K annotation=yes bob

Given the new requirement, the user logins as follows:

login: bob
Password:*******
Session Annotation: Customer Ticket 134567

The annotation, Customer Ticket 134567, is associated with all audited actions performed during that session and is included in those audit records.

If you changed annotation=yes to annotation=optional in this example, the user would be prompted but not required to annotate their login.

Configuring Annotation for All Users

Administrators can configure annotation for all authentication actions in an Oracle Solaris instance by adding a key value pair, annotation=yes/no/optional, in the policy.conf file. This default applies to all users who were not configured with an explicit annotation extended attribute. See the policy.conf(5) man page and policy.conf File in Securing Users and Processes in Oracle Solaris 11.4.

PAM Supports Annotation of Logins

The pluggable authentication module (PAM) supports annotation customization on a per-service basis by providing options to the pam_unix_cred service module. This module allows administrators to customize or suppress the default Session Annotation: prompt. See the pam_unix_cred(7) man page and Managing Authentication in Oracle Solaris 11.4.

Tracking Annotations in an Audit Trail

Auditing includes a new annotation token. When a user provides annotation entries, that annotation is included in audit records for any auditable actions that the user or role performed during that session. See the annotation token definition in the audit.log(5) man page.

For example, the following audit record includes an annotation.

header,116,2,su,,system1,2016-02-05 11:41:36.100-08:00
    subject,jand,up,staff,up,staff,101736,2438860677,61323 22 lethe
    return,success,0
    annotation,Customer Ticket 134567
    zone,global

Using the –o annotation=text option to the auditreduce command, administrators can select only those records that include specified annotation text. The text can be a regular expression. For information about regular expressions, see the regex(7) man page.

Example 14  Filtering Audit Records for Annotations

The following command filters the audit records for any records that contain an annotation.

$ pfbash ; cd /var/audit/audit_summary
$ auditreduce -o annotation='[.]*'

This example uses a regular expression, '[.]*', that searches for any entries. Alternately, you could filter for any records that includes a specific annotation such as "Ticket 134567".

$ cd /var/audit/audit_summary
$ auditreduce -o annotation="Ticket 134567"

See the auditreduce(8) man page and Selecting Audit Events to Be Displayed.