
Managing Auditing in Oracle® Solaris 11.3


Updated: April 2019

Default Configuration of the Audit Service

The audit service has a default configuration and is operational in the global zone as soon as Oracle Solaris is installed. No further action is needed to enable or configure the service before you can use it. With its default configuration, the audit service records the following operations:

  • Login and logout operations

  • Use of the su command

  • Screen lock and screen unlock operations

Because the default configuration has a negligible effect on system performance, there is no need to disable the service on performance grounds.

Provided that you hold the appropriate audit-related rights, such as those in the Audit Review Rights profile, you can review the audit logs. The logs are stored in /var/audit as binary files, which you view with the praudit and auditreduce commands. For more information, see Displaying Audit Trail Data.

The subsequent sections in this chapter provide instructions for customizing the audit service configuration, if the default configuration is insufficient for your needs.

Displaying Audit Service Defaults

The audit service is regulated by the following parameters:

  • Classes of attributable and non-attributable events

  • Audit policy

  • Audit plugins

  • Queue controls

To display the audit service defaults, you typically use the auditconfig -get* subcommands. Each subcommand displays the current configuration of the parameter represented by the asterisk (*), for example -getflags, -getpolicy, or -getqctrl. To display the classes preselected for non-attributable events, use the auditconfig -getnaflags subcommand.

For more information about the auditconfig command, see the auditconfig(1M) man page.


Note -  To display the audit service configuration, you must become an administrator who is assigned the Audit Configuration or Audit Control rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

The following examples show the appropriate command syntax to use to display the default audit configuration settings.

Example 1  Displaying the Default Class for Events

In this example, two subcommands display the preselected classes for attributable and non-attributable events respectively. To see which events are assigned to a class, and therefore which events are being recorded, run the auditrecord -c class command.

# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)

lo is the flag for the login/logout audit class. The format of the mask output is (success,failure).

# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

Example 2  Displaying the Default Audit Policy
$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

The active policy is the policy that the kernel is enforcing now; the audit service does not store it. The configured policy is the stored value, so it is the policy that is restored when you restart the audit service. The default cnt policy means that when audit resources are exhausted (for example, when the audit queue or the audit file system is full), the system keeps running and drops audit records, keeping a count of the records dropped, rather than blocking the processes that generated them. Under resource pressure, therefore, the default configuration does not guarantee a complete audit trail.

Example 3  Displaying the Default Audit Plugins
$ auditconfig -getplugin
Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_fsize=4M;p_minfree=1;

Plugin: audit_syslog (inactive)
Attributes: p_flags=;

Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;

The audit_binfile plugin is active by default. Its attributes set the directory that receives the audit files (p_dir), the size at which the current audit file is closed and a new one opened (p_fsize), the percentage of free space in the audit file system below which the audit daemon issues a warning (p_minfree), and the maximum age of an audit file (p_age, where 0h means no age limit). The audit_syslog and audit_remote plugins are present but inactive, so by default audit records are written only to local files.

Example 4  Displaying the Audit Queue Controls
$ auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20

The active queue control is the queue control that the kernel is currently using. The string "no configured" indicates that no value has been stored and the system is using the default.

Enabling and Disabling the Audit Service

The audit service is enabled by default. If the perzone audit policy is set, zone administrators must enable, refresh, or disable the audit service in each non-global zone as desired. If the perzone audit policy is not set, enabling, refreshing, or disabling the audit service from the global zone is effective for all non-global zones.

To disable or enable the audit service, you must become an administrator who is assigned the Audit Control rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

To disable the audit service, use the following command:

# audit -t

To enable the audit service, use the following command:

# audit -s

To verify that the audit service is running, use the following command:

# auditconfig -getcond
audit condition = auditing

If the perzone audit policy is set, then you must perform this verification in the non-global zones where you enabled auditing.

For more information, see the audit(1M) and auditd(1M) man pages.
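The following script is an example added here; it is not part of the Oracle Solaris documentation or software. It ties together the two procedures described in this chapter: it checks that the service is running (auditconfig -getcond), compares the active value that the kernel is using with the configured value that the service stores for the flags, non-attributable flags, and policy, and reports the cnt policy. It assumes only the commands and output formats shown on this page. The sample output embedded in it is constructed; the flags sample is deliberately made to show drift, with the stored (configured) value already including the ex class while the kernel's active value does not. On a host that has auditconfig, the script reads the live output instead.

```shell
#!/bin/sh
# Added example (not Oracle's code): a read-only health check for the audit
# service built from the commands on this page. It confirms that auditing is
# on (auditconfig -getcond), compares the "active" value the kernel uses with
# the "configured" value the service stores (auditconfig -getflags,
# -getnaflags, -getpolicy), and reports the cnt policy. On a host without
# auditconfig it runs on the constructed sample output at the bottom.

# Return 0 if the auditconfig -getcond output ($1) reports "auditing".
audit_is_running() {
    case "$1" in
        *"audit condition = auditing"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value after "= " on the first stdin line whose label starts with
# $1 ("active" or "configured"), e.g. "lo(0x1000,0x1000)" or "cnt".
audit_value() {
    sed -n "s/^$1 .*= //p" | head -n 1
}

# Compare active vs configured in the auditconfig output on stdin.
# Prints "OK <label>: <value>" and returns 0 when they match; otherwise
# prints "DRIFT <label>: ..." and returns 1.
audit_drift() {
    ad_out=$(cat)
    ad_active=$(printf '%s\n' "$ad_out" | audit_value active)
    ad_conf=$(printf '%s\n' "$ad_out" | audit_value configured)
    if [ -n "$ad_active" ] && [ "$ad_active" = "$ad_conf" ]; then
        echo "OK $1: $ad_active"
        return 0
    fi
    echo "DRIFT $1: active=$ad_active configured=$ad_conf (reconcile with audit -s or auditconfig -set*)"
    return 1
}

# Return 0 if policy $1 (e.g. cnt) is in the active policy list on stdin.
audit_policy_has() {
    audit_value active | tr ',' '\n' | grep -qx "$1"
}

# List the active preselected classes on stdin, one per line, without the
# (success,failure) mask and without +/-/^ prefixes: "lo,-ex(...)" -> lo, ex.
audit_classes() {
    audit_value active | sed 's/(.*//' | tr ',' '\n' | sed 's/^[-+^]*//'
}

# Return 0 if class $1 (e.g. ex) is among the active preselected classes.
audit_class_preselected() {
    audit_classes | grep -qx "$1"
}

# Report on one set of outputs: $1 getcond, $2 getflags, $3 getnaflags,
# $4 getpolicy. Read-only; remediation is left to the administrator.
audit_report() {
    if audit_is_running "$1"; then
        echo "audit service: running"
    else
        echo "audit service: NOT running (enable with: audit -s)"
    fi
    printf '%s\n' "$2" | audit_drift flags   || :
    printf '%s\n' "$3" | audit_drift naflags || :
    printf '%s\n' "$4" | audit_drift policy  || :
    if printf '%s\n' "$4" | audit_policy_has cnt; then
        echo "policy cnt: records are dropped (and counted) when audit resources are exhausted"
    fi
    if ! printf '%s\n' "$2" | audit_class_preselected ex; then
        echo "note: class ex (exec) is not active, so program executions are not recorded"
    fi
}

# Constructed sample output in the formats shown on this page. The flags
# sample is built to show drift: the stored value adds ex (mask 0x40000000)
# but the kernel is still using the default lo-only value.
SAMPLE_COND='audit condition = auditing'
SAMPLE_FLAGS='active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo,ex(0x40001000,0x40001000)'
SAMPLE_NAFLAGS='active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)'
SAMPLE_POLICY='configured audit policies = cnt
active audit policies = cnt'

if command -v auditconfig >/dev/null 2>&1; then
    audit_report "$(auditconfig -getcond)" "$(auditconfig -getflags)" \
                 "$(auditconfig -getnaflags)" "$(auditconfig -getpolicy)"
else
    audit_report "$SAMPLE_COND" "$SAMPLE_FLAGS" "$SAMPLE_NAFLAGS" "$SAMPLE_POLICY"
fi
```

Reading the auditconfig -get* subcommands needs the rights described in the note above, so run the script through a profile shell or with pfexec on a Solaris host. Drift between an active and a configured value is worth investigating before a restart: the configured value is the one that will survive, so a temporary change that only touched the active value will silently disappear, and a stored change that was never refreshed is not yet protecting anything.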