Audit Records Are No Longer Generated for Logical Domains Manager Actions by Default

Language:

The Logical Domains Manager uses the Oracle Solaris OS auditing feature to examine the history of actions and events that have occurred on your control domain. The history is kept in a log that tracks what was done, when it was done, by whom, and what was affected. Starting with the Oracle VM Server for SPARC 3.2.0.1 maintenance update release, audit records are not generated for Logical Domains Manager actions by default.

You can enable and disable the Oracle Solaris OS auditing feature based on the version of the Oracle Solaris OS that runs on your system, as follows:

Oracle Solaris 10 OS: Use the bsmconv and bsmunconv commands. See the bsmconv(1M) and bsmunconv(1M) man pages, and Part VII, Auditing in Oracle Solaris, in System Administration Guide: Security Services .
Oracle Solaris 11 OS: Use the audit command. See the audit(1M) man page and Part VII, Auditing in Oracle Solaris, in Oracle Solaris 11.1 Administration: Security Services .

How to Enable Auditing

You must configure and enable the Oracle Solaris auditing feature on your system. Oracle Solaris 11 auditing is enabled by default, but you must still perform some configuration steps.

Note - Pre-existing processes are not audited for the virtualization software (vs) class. Ensure that you perform this step before regular users log in to the system.

Add customizations to the /etc/security/audit_event and /etc/security/audit_class files.
These customizations are preserved across Oracle Solaris upgrades, but should be re-added after a fresh Oracle Solaris installation.
1. Add the following entry to the audit_event file if not already present:
```
40700:AUE_ldoms:ldoms administration:vs
```
2. Add the following entry to the audit_class file if not already present:
```
0x10000000:vs:virtualization_software
```
(Oracle Solaris 10) Add the vs class to the /etc/security/audit_control file.
The following example /etc/security/audit_control fragment shows how you might specify the vs class:
```
dir:/var/audit
flags:lo,vs
minfree:20
naflags:lo,na
```
(Oracle Solaris 10) Enable the auditing feature.
1. Run the bsmconv command.
```
# /etc/security/bsmconv
```
2. Reboot the system.
(Oracle Solaris 11) Preselect the vs audit class.
1. Determine which auditing classes are already selected.
  Ensure that any audit classes that have already been selected are part of the updated set of classes. The following example shows that the lo class is already selected:
```
# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
```
2. Add the vs auditing class.
```
# auditconfig -setflags [class],vs
```
  class is zero or more audit classes, separated by commas. You can see the list of audit classes in the /etc/security/audit_class file. Be sure to include the vs class on your Oracle VM Server for SPARC system.
  
  For example, the following command selects both the lo and vs classes:
```
# auditconfig -setflags lo,vs
```
3. (Optional) Log out of the system if you want to audit your processes, either as the administrator or as the configurer.
  If you do not want to log out, see How to Update the Preselection Mask of Logged In Users in Oracle Solaris 11.1 Administration: Security Services .
Verify that the auditing software is running.
```
# auditconfig -getcond
```
If the auditing software is running, audit condition = auditing appears in the output.
Configure Logical Domains Manager to generate audit records.
1. Set the ldmd/audit SMF property value to true.
```
# svccfg -s ldmd setprop ldmd/audit = boolean: true
```
2. Refresh the ldmd service.
```
# svcadm refresh ldmd
```
3. Restart the ldmd service.
```
# svcadm restart ldmd
```