As part of site security policy, some sites require audit records of all commands that are run by the root account and administrative roles. Some sites can require audit records of all commands by all users. Additionally, sites can require that the command arguments and environment be recorded.
Before You Begin
To preselect audit classes and set audit policy, you must become an administrator who is assigned the Audit Configuration rights profile. To assign audit flags to users, roles, and rights profiles, you must have the solaris.audit.assign authorization which is included in the Rights Delegation profile. The role root has all authorizations.
The ex class audits all calls to the exec() and execve() functions.
The lo class audits logins, logouts, and screen locks. The following sample output lists all the events in the ex and lo classes.
$ auditconfig -lsevent | egrep " lo |,lo|lo," AUE_login 6152 lo login - local AUE_logout 6153 lo logout AUE_telnet 6154 lo login - telnet AUE_rlogin 6155 lo login - rlogin AUE_rshd 6158 lo rsh access AUE_su 6159 lo su AUE_rexecd 6162 lo rexecd AUE_passwd 6163 lo passwd AUE_rexd 6164 lo rexd AUE_ftpd 6165 lo ftp access AUE_ftpd_logout 6171 lo ftp logout AUE_ssh 6172 lo login - ssh AUE_role_login 6173 lo role login AUE_rad_login 6174 lo connect to RAD AUE_newgrp_login 6212 lo newgrp login AUE_admin_authenticate 6213 lo admin login AUE_screenlock 6221 lo screenlock - lock AUE_screenunlock 6222 lo screenlock - unlock AUE_zlogin 6227 lo login - zlogin AUE_su_logout 6228 lo su logout AUE_role_logout 6229 lo role logout AUE_smbd_session 6244 lo smbd(1m) session setup AUE_smbd_logoff 6245 lo smbd(1m) session logoffAUE_sudo 6650 lo,as,ua sudo(1M) execution $ auditconfig -lsevent | egrep " ex |,ex |ex," AUE_EXECVE 23 ex,ps execve(2) AUE_PFEXEC 116, ex,ps,ua,as execve(2) with pfexec enabled
In the following example, root is a role. The site has created three roles, sysadm, auditadm, and netadm. All roles are audited for the success and failure of events in the cusa class.
# rolemod -K audit_flags=cusa:no root # rolemod -K audit_flags=cusa:no sysadm # rolemod -K audit_flags=cusa:no auditadm # rolemod -K audit_flags=cusa:no netadm
# auditconfig -setflags lo,ex
The output appears similar to the following:
header,129,2,AUE_EXECVE,,mach1,2010-10-14 12:17:12.616 -07:00 path,/usr/bin/ls attribute,100555,root,bin,21,320271,18446744073709551615 subject,jdoe,root,root,root,root,2486,50036632,82 0 mach1 return,success,0
# auditconfig -setpolicy +argv
The exec_args token records the command arguments. The following example wraps the lines for display purposes.
header,151,2,AUE_EXECVE,,mach1,2010-10-14 12:26:17.373 -07:00 path,/usr/bin/ls attribute,100555,root,bin,21,320271,18446744073709551615 exec_args ,2,ls,/etc/security subject,jdoe,root,root,root,root,2494,50036632,82 0 mach1 return,success,0
# auditconfig -setpolicy +arge
The exec_env token records the command environment. The following example wraps lines for display purposes.
header,1460,2,AUE_EXECVE,,mach1,2010-10-14 12:29:39.679 -07:00 path,/usr/bin/ls attribute,100555,root,bin,21,320271,18446744073709551615 exec_args,2,ls,/etc/security exec_env ,49,MANPATH=/usr/share/man,USER=jdoe,GDM_KEYBOARD_LAYOUT=us,EDITOR=gedit, LANG=en_US.UTF-8,GDM_LANG=en_US.UTF-8,PS1=#,GDMSESSION=gnome,SESSIONTYPE=1,SHLVL=2, HOME=/home/jdoe,LOGNAME=jdoe,G_FILENAME_ENCODING=@locale,UTF-8, PRINTER=example-dbl,...,_=/usr/bin/ls subject,jdoe,root,root,root,root,2502,50036632,82 0 mach1 return,success,0