
Managing Auditing in Oracle® Solaris 11.3


Updated: October 2017

How to Configure a User's Audit Characteristics

The user-specific audit characteristics that you set with this procedure are combined with the preselected classes for the system. Together they determine the user's audit mask, as described in Process Audit Characteristics.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. (Optional) Display the audit classes that are currently selected for existing users.
    1. Display the list of users.
      # who
      adoe    pts/1        Oct 10 10:20	(:0.0)
      adoe    pts/2        Oct 10 10:20	(:0.0)
      jdoe    pts/5        Oct 12 12:20	(:0.0)
      jdoe    pts/6        Oct 12 12:20	(:0.0)
      ...
      
    2. Display each user's audit_flags attribute value.
      # userattr audit_flags adoe
      # userattr audit_flags jdoe
  2. Set the audit flags in the user_attr or in the prof_attr database.

    For example, you can create a rights profile that defines the rights of a subset of your users. Users who are assigned that rights profile are audited identically.

    • To set audit flags for a user, use the usermod command.
      # usermod -K audit_flags=fw:no jdoe

      The format of the audit_flags keyword is always-audit:never-audit.

      always-audit

      Lists the audit classes that are audited for this user.

      never-audit

      Lists the audit classes that are never audited for the user, even if these audit events are audited system-wide.

      To specify multiple audit classes, separate the classes with commas. For more information, see the audit_flags(5) man page.

    • To set audit flags for a rights profile, use the profiles command.
      # profiles -p "System Administrator"
      profiles:System Administrator> set name="Audited System Administrator"
      profiles:Audited System Administrator> set always_audit=fw,as
      profiles:Audited System Administrator> end
      profiles:Audited System Administrator> exit

      When you assign the Audited System Administrator rights profile to a user or a role, that user or role is audited for those flags, subject to search order as described in Order of Search for Assigned Rights in Securing Users and Processes in Oracle Solaris 11.3.


Example 5  Changing Which Events Are Audited for One User

This example shows the audit preselection mask for all users.

# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)

No user except the administrator is logged in.

To lessen the impact of the AUE_PFEXEC audit event on system resources, the administrator does not audit this event at the system level. Rather, the administrator preselects the pf class for a user, jdoe. The pf class is created in Example 15, Creating a New Audit Class.

# usermod -K audit_flags=pf:no jdoe

The userattr command shows the addition.

# userattr audit_flags jdoe
pf:no

When the user jdoe logs in, jdoe's audit preselection mask is a combination of the audit_flags values with the system default values. The PID of jdoe's login shell is 289.

# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = ss,pf,lo(0x0100000008011000,0x0100000008011000)
terminal id (maj,min,host) = 242,511,example1(192.0.2.171)
audit session id = 103203403

Example 6  Modifying Audit Preselection Exception for One User

This example shows the audit preselection mask for all users.

# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)

No users except the administrator are logged in.

The administrator decides not to collect failed ss events for the jdoe user.

# usermod -K audit_flags=^-ss:no jdoe

The userattr command shows the exception.

# userattr audit_flags jdoe
^-ss:no

When the user jdoe logs in, jdoe's audit preselection mask is a combination of the audit_flags values with the system default values. The PID of jdoe's login shell is 289.

# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = +ss,lo(0x11000,0x1000)
terminal id (maj,min,host) = 242,511,example1(192.0.2.171)
audit session id = 103203403

Example 7  Auditing Selected Users, No System-Wide Auditing

In this example, the login and role activities of four selected users are audited on the system. No audit classes are preselected for the system.

First, the administrator removes all system-wide flags.

# auditconfig -setflags no
user default audit flags = no(0x0,0x0)

Then, the administrator preselects two audit classes for the four users. The pf class is created in Example 15, Creating a New Audit Class.

# usermod -K audit_flags=lo,pf:no jdoe
# usermod -K audit_flags=lo,pf:no kdoe
# usermod -K audit_flags=lo,pf:no pdoe
# usermod -K audit_flags=lo,pf:no zdoe

Then, the administrator preselects the pf class for the root role.

# userattr audit_flags root
# rolemod -K audit_flags=lo,pf:no root
# userattr audit_flags root
lo,pf:no

To continue to record unwarranted intrusion attempts, the administrator leaves the auditing of non-attributable logins unchanged.

# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

Example 8  Removing a User's Audit Flags

In the following example, the administrator removes all user-specific audit flags. Existing processes of users who are currently logged in continue to be audited.

The administrator runs the usermod command with the audit_flags keyword set to an empty value.

# usermod -K audit_flags= jdoe
# usermod -K audit_flags= kdoe
# usermod -K audit_flags= ldoe

Then, the administrator verifies the removal.

# userattr audit_flags jdoe
# userattr audit_flags kdoe
# userattr audit_flags ldoe
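The combination rule that the audit_flags format in step 2 describes and that Examples 5 through 8 illustrate, modelled in Python as an added example (this is not Oracle's code and not the kernel's internal computation): the system-wide flags are applied first, the user's always-audit half is applied after them so that a ^ prefix can strip a system-wide class or one half of it, and the never-audit half then removes classes even if they are audited system-wide. The class bits for lo and ss are the values auditconfig prints on this page; the bit used for the site-defined pf class is an assumed placeholder, because Example 15, which creates that class, is not on this page.

```python
"""Model of how a user's audit_flags value (audit_flags(5) syntax,
always-audit:never-audit) combines with the system-wide audit flags into
a process preselection mask.  Added worked example, not Oracle's code."""

# Class name -> audit_class mask bit.  lo and ss are the values printed by
# auditconfig -getflags on this page.  pf is the site-defined class from
# Example 15; its bit is not given here, so the value below is an ASSUMED
# placeholder.
CLASS_BITS = {
    "lo": 0x1000,
    "ss": 0x10000,
    "pf": 0x0100000000000000,  # ASSUMED placeholder bit for the pf class
}


def parse_token(token):
    """Split one flag token into (negate, success, failure, class_name).

    Prefixes follow audit_flags(5): '^' removes instead of adds, '+'
    selects the success half only, '-' the failure half only; no prefix
    selects both halves.
    """
    negate = token.startswith("^")
    if negate:
        token = token[1:]
    success = failure = True
    if token.startswith("+"):
        failure = False
        token = token[1:]
    elif token.startswith("-"):
        success = False
        token = token[1:]
    if not token:
        raise ValueError("audit class name missing after prefix")
    return negate, success, failure, token


def expand_class(name):
    """Map a class token to the concrete classes it names."""
    if name == "no":          # 'no' is the empty class list
        return []
    if name == "all":         # 'all' names every known class
        return list(CLASS_BITS)
    if name not in CLASS_BITS:
        raise ValueError("unknown audit class %r" % name)
    return [name]


def apply_flags(state, flags, force_negate=False):
    """Apply a comma-separated flag list, left to right, to state.

    state maps class -> [success_selected, failure_selected].  Later
    tokens override earlier ones, which is what lets a user's '^-ss'
    strip the failure half of a system-wide 'ss'.  With force_negate the
    list is treated as a never-audit list and every token removes.
    """
    for token in filter(None, flags.split(",")):
        negate, succ, fail, name = parse_token(token)
        negate = negate or force_negate
        for cls in expand_class(name):
            cur = state.setdefault(cls, [False, False])
            if succ:
                cur[0] = not negate
            if fail:
                cur[1] = not negate
            if cur == [False, False]:   # nothing left selected for this class
                del state[cls]
    return state


def preselection_mask(system_flags, audit_flags):
    """Combine the system-wide flags with a user's always:never value.

    Returns {class: (success, failure)} for the classes still selected.
    """
    always, _, never = audit_flags.partition(":")
    state = {}
    apply_flags(state, system_flags)
    apply_flags(state, always)
    apply_flags(state, never, force_negate=True)
    return {cls: tuple(v) for cls, v in state.items()}


def render(mask):
    """Render as auditconfig does: 'cls' both, '+cls' success only, '-cls' failure only."""
    parts = []
    for cls, (succ, fail) in mask.items():
        parts.append(cls if succ and fail else ("+" if succ else "-") + cls)
    return ",".join(parts) or "no"


def mask_bits(mask):
    """Return the (success_mask, failure_mask) pair that auditconfig prints in parentheses."""
    succ_bits = sum(CLASS_BITS[c] for c, (s, _) in mask.items() if s)
    fail_bits = sum(CLASS_BITS[c] for c, (_, f) in mask.items() if f)
    return succ_bits, fail_bits


if __name__ == "__main__":
    system = "ss,lo"   # the auditconfig -getflags value shown on this page
    for user_flags in ("pf:no", "^-ss:no", "", ":ss"):
        m = preselection_mask(system, user_flags)
        s_bits, f_bits = mask_bits(m)
        print("%-10s -> %-10s (0x%x,0x%x)" % (user_flags or "(empty)", render(m), s_bits, f_bits))
```

Running the block prints the outcome for the user values used in the examples; the ^-ss:no case reproduces the +ss,lo(0x11000,0x1000) line from Example 6, and the empty value reproduces Example 8, where the user falls back to the system defaults. Classes are rendered in the order in which they were first selected, which is not necessarily the order auditconfig uses.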

Example 9  Creating a Rights Profile for a Group of Users

The administrator wants all administrative rights profiles at the site to explicitly audit the pf class. For every rights profile that is going to be assigned, the administrator creates a site-specific version in LDAP that includes audit flags.

First, the administrator clones an existing rights profile, then changes the name and adds audit flags.

# profiles -p "Network Wifi Management" -S ldap
profiles:Network Wifi Management> set name="Wifi Management"
profiles:Wifi Management> set desc="Audited wifi management"
profiles:Wifi Management> set always_audit=pf
profiles:Wifi Management> exit

After repeating this procedure for every rights profile that is going to be used, the administrator lists the information in the Wifi Management profile.

# profiles -p "Wifi Management" -S ldap info
name=Wifi Management
desc=Audited wifi management
auths=solaris.network.wifi.config
help=RtNetWifiMngmnt.html
always_audit=pf