In Oracle Solaris 11.4, system administrators can configure and track annotations in audit records. An annotation explains why an action was performed on the system.
Administrators can configure users and roles to provide annotations when:
Logging into a system
Assuming a particular role
Executing a rights profile, including authenticated rights profiles
Annotations should explain the reason for activity performed on a system. For example, a user might, during login, provide an annotation that states "Fix Ticket 134567". This annotation is recorded in each audit record associated with that particular authentication.
Annotation may be configured for specific users and roles, or for all users on a system. To configure annotations, an administrator must be granted the User Security rights profile.
To configure annotation for specific users or roles, administrators use the new annotation extended user attribute in the Oracle Solaris rights model.
The annotation values can be set to yes, no, or optional. The default value is no.
For further information, see Chapter 3, Assigning Rights in Oracle Solaris in Securing Users and Processes in Oracle Solaris 11.4.
Example 13 Adding an Annotation Requirement
The following command modifies a user, bob, adding a requirement for annotation:
$ pfexec usermod -K annotation=yes bob
Given the new requirement, the user logs in as follows:
login: bob
Password: *******
Session Annotation: Customer Ticket 134567
The annotation, Customer Ticket 134567, is associated with all audited actions performed during that session and is included in those audit records.
If you changed annotation=yes to annotation=optional in this example, the user would be prompted but not required to annotate their login.
Administrators can configure annotation for all authentication actions in an Oracle Solaris instance by adding a key value pair, annotation=yes/no/optional, in the policy.conf file. This default applies to all users who were not configured with an explicit annotation extended attribute. See the policy.conf(5) man page and policy.conf File in Securing Users and Processes in Oracle Solaris 11.4.
The pluggable authentication module (PAM) supports annotation customization on a per-service basis by providing options to the pam_unix_cred service module. This module allows administrators to customize or suppress the default Session Annotation: prompt. See the pam_unix_cred(7) man page and Managing Authentication in Oracle Solaris 11.4.
Auditing includes a new annotation token. When a user provides annotation entries, that annotation is included in audit records for any auditable actions that the user or role performed during that session. See the annotation token definition in the audit.log(5) man page.
For example, the following audit record includes an annotation.
header,116,2,su,,system1,2016-02-05 11:41:36.100-08:00
subject,jand,up,staff,up,staff,101736,2438860677,61323 22 lethe
return,success,0
annotation,Customer Ticket 134567
zone,global
Using the -o annotation=text option to the auditreduce command, administrators can select only those records that include the specified annotation text. The text can be a regular expression. For information about regular expressions, see the regex(7) man page.
Example 14 Filtering Audit Records for Annotations
The following command filters the audit records for any records that contain an annotation.
$ pfbash ; cd /var/audit/audit_summary
$ auditreduce -o annotation='[.]*'
This example uses a regular expression, '[.]*', that matches any annotation, so every record carrying an annotation token is selected. Alternatively, you can filter for records that include a specific annotation, such as "Ticket 134567".
$ cd /var/audit/audit_summary
$ auditreduce -o annotation="Ticket 134567"
See the auditreduce(8) man page and Selecting Audit Events to Be Displayed.
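The following added example (not Oracle's code) shows how the annotation token sits inside a praudit-style text record and how selection by annotation regex behaves: records without an annotation token are never selected, and a permissive pattern such as '[.]*' selects every annotated record. The sample records are constructed for the example; only the first mirrors the record shown above.

```python
import re
from typing import Dict, List

# Constructed sample in the comma-delimited praudit text form shown above:
# one token per line, a new record at each "header" token. The second record
# carries no annotation token, as for a user configured with annotation=no.
SAMPLE_RECORDS = """\
header,116,2,su,,system1,2016-02-05 11:41:36.100-08:00
subject,jand,up,staff,up,staff,101736,2438860677,61323 22 lethe
return,success,0
annotation,Customer Ticket 134567
zone,global
header,92,2,login - local,,system1,2016-02-05 12:02:10.004-08:00
subject,bob,bob,staff,bob,staff,101801,2438860700,1234 0 system1
return,success,0
zone,global
header,116,2,su,,system1,2016-02-05 13:15:41.220-08:00
subject,bob,root,root,bob,staff,101902,2438860712,61323 22 lethe
return,success,0
annotation,Change request 98765
zone,global
"""

Record = Dict[str, List[str]]  # token name -> its comma-separated fields


def parse_records(text: str) -> List[Record]:
    """Split praudit-style text into records, one per header token."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        if token == "header":
            records.append({})
        if not records:
            raise ValueError("token before first header: %r" % line)
        records[-1][token] = rest.split(",")
    return records


def annotation_of(record: Record) -> str:
    """Annotation text (commas restored), or '' when the token is absent."""
    return ",".join(record["annotation"]) if "annotation" in record else ""


def filter_by_annotation(records: List[Record], pattern: str) -> List[Record]:
    """Mimic auditreduce -o annotation=PATTERN: keep records that carry an
    annotation token whose text matches the regular expression."""
    rx = re.compile(pattern)
    return [r for r in records if "annotation" in r and rx.search(annotation_of(r))]


def event_summary(record: Record) -> str:
    """Timestamp, event name and audit user of a record, for display."""
    return "%s %s %s" % (record["header"][5], record["header"][2], record["subject"][0])
```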