Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: December 2018
 
 

How to Find Audit Records of Changes to Specific Files

If your goal is to log file writes against a limited number of files, such as /etc/passwd and the files in the /etc/default directory, you can use the auditreduce command to locate the files.

Before You Begin

The root role can perform every task in this procedure.

    If administrative rights are distributed in your organization, note the following:

  • An administrator with the Audit Configuration rights profile can run the auditconfig command.

  • An administrator with the Audit Review rights profile can run the auditreduce command.

  • Only the root role can assign audit flags.

For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Perform one of the following steps to audit file changes.
    • Audit the fw class.

      Adding the fw class to the audit flags of a user or role generates fewer records than adding this class to the system-wide audit preselection mask. Perform one of the following steps:

      • Add the fw class to specific roles.

        # rolemod -K audit_flags=fw:no root
        # rolemod -K audit_flags=fw:no sysadm
        # rolemod -K audit_flags=fw:no auditadm
        # rolemod -K audit_flags=fw:no netadm
        
      • Add the fw class to the system-wide flags.

        # auditconfig -getflags
        active user default audit flags = lo(0x1000,0x1000)
        configured user default audit flags = lo(0x1000,0x1000)
        
        # auditconfig -setflags lo,fw
        user default audit flags = lo,fw(0x1002,0x1002)
    • Audit successful file-writes.

      Auditing successes generates fewer records than auditing failures and successes. Perform one of the following steps:

      • Add the +fw flag to specific roles.

        # rolemod -K audit_flags=+fw:no root
        # rolemod -K audit_flags=+fw:no sysadm
        # rolemod -K audit_flags=+fw:no auditadm
        # rolemod -K audit_flags=+fw:no netadm
        
      • Add the +fw flag to the system-wide flags.

        # auditconfig -getflags
        active user default audit flags = lo(0x1000,0x1000)
        configured user default audit flags = lo(0x1000,0x1000)
        
        # auditconfig -setflags lo,+fw
        user default audit flags = lo,+fw(0x1002,0x1000)
  2. Obtain the audit records for specific files with the auditreduce command.
    # auditreduce -o file=/etc/passwd,/etc/default -O filechg
    

    The auditreduce command searches the audit trail for all occurrences of the file argument. The command creates a binary file with the suffix filechg which contains all records that include the path of the files of interest. See the auditreduce(1M) man page for the syntax of the –o file= pathname option.

  3. Read the filechg file with the praudit command.
    # praudit *filechg