The tasks described in the following table maintain and monitor access and use of your system and data, and adherence to your site's security requirements.
Maintaining a valid and secured IPS repository is essential for package installation. For secure repository creation and maintenance, follow Best Practices for Creating and Using Local IPS Package Repositories in Copying and Creating Package Repositories in Oracle Solaris 11.3. The practices include the following:
Ensuring that you are verifying signatures on signed packages
Verifying that the files in the repository pass a series of checks, including that packages are signed correctly
Verifying access to the repository
For repository configuration and maintenance procedures, see Copying and Creating Package Repositories in Oracle Solaris 11.3. For verifying package installation, see How to Verify Your Packages.
Auditing keeps a record of how the system is being used. The audit service includes tools to assist with the analysis of the auditing data.
The audit service is described in Managing Auditing in Oracle Solaris 11.3. For a list of the man pages and links to them, see Audit Service Man Pages in Managing Auditing in Oracle Solaris 11.3.
The following audit service procedures are useful in many secure environments:
Create separate roles to configure auditing, review auditing, and start and stop the audit service. Assign the roles to trusted users.
Use the Audit Configuration, Audit Review, and Audit Control rights profiles as the basis for your roles.
To create roles or use the predefined ARMOR roles, see Assigning Rights to Users in Securing Users and Processes in Oracle Solaris 11.3.
Audit all administrators with the cusa audit class.
Events in the cusa audit class cover administrative actions that affect the system's security posture. For a description, see the /etc/security/audit_class file. For the procedure, see How to Audit Significant Events in Addition to Login/Logout.
Send audit records to a central server.
Configure auditing to work with the Audit Remote Server (ARS).
The audit service can use the Oracle Audit Vault to store, review, and analyze audit records. See Using Oracle Audit Vault and Database Firewall for Storage and Analysis of Audit Records in Managing Auditing in Oracle Solaris 11.3 and How to Send Audit Files to a Remote Repository in Managing Auditing in Oracle Solaris 11.3.
Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.
Monitor text summaries of selected audited events in the syslog utility.
Activate the audit_syslog plugin, then monitor the reported events.
See How to Configure syslog Audit Logs in Managing Auditing in Oracle Solaris 11.3.
Limit the size of audit files.
Set the p_fsize attribute for the audit_binfile plugin to a useful size. Consider your reviewing schedule, disk space, and cron job frequency, among other factors.
For examples, see How to Assign Audit Space for the Audit Trail in Managing Auditing in Oracle Solaris 11.3.
Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.
Review complete audit files on the audit review file system.
The audit_syslog plugin enables you to record summaries of preselected audit events. To display the audit summaries in a terminal window as they are generated, run a command similar to the following:
# tail -0f /var/adm/auditlog
To configure the audit log, see How to Configure syslog Audit Logs in Managing Auditing in Oracle Solaris 11.3.
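The following added example (not part of the Oracle documentation) narrows that stream to the events a reviewer usually wants first: failed actions, and actions performed under a different effective identity than the audited user. It assumes summaries shaped like `<event> <ok|failed> session <sid> by <auid> as <euid>:<egid> from <host>`; the function names, the `FAILED` and `AS-OTHER` labels, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Live use on the audited system (assumed log path from the text above):
#   tail -0f /var/adm/auditlog | flag_audit_events

# Print one line per flagged event: "<reason> <auid>-><euid> <event>".
flag_audit_events() {
    awk '
    {
        b = 0; s = 0
        for (i = 1; i <= NF; i++) {
            # End of the syslog prefix, for example "audit.notice]".
            if (b == 0 && substr($i, length($i)) == "]") b = i
            # The result word sits just before "session".
            if (s == 0 && $i == "session") s = i
        }
        if (b == 0 || s < b + 3) next        # not an audit summary line
        event = $(b + 1)                     # event name may span words
        for (i = b + 2; i <= s - 2; i++) event = event " " $i
        result = $(s - 1); auid = ""; euid = ""
        for (i = s; i < NF; i++) {
            if ($i == "by" && auid == "") auid = $(i + 1)
            if ($i == "as" && euid == "") { split($(i + 1), id, ":"); euid = id[1] }
        }
        why = ""
        if (result != "ok") why = "FAILED"
        else if (auid != euid) why = "AS-OTHER"
        if (why != "") printf "%s %s->%s %s\n", why, auid, euid, event
    }'
}

# Constructed sample lines; hosts, users and events are illustrative only.
sample_auditlog() {
    cat <<'EOF'
Oct 31 11:38:08 host1 auditd: [ID 917521 audit.notice] chdir(2) ok session 401 by jdoe as jdoe:staff from host2 obj /export/home
Oct 31 11:39:12 host1 auditd: [ID 917521 audit.notice] su failed session 401 by jdoe as jdoe:staff from host2
Oct 31 11:40:30 host1 auditd: [ID 917521 audit.notice] role login ok session 402 by asmith as root:root from host3
Oct 31 11:41:00 host1 sshd[811]: [ID 800047 auth.info] Accepted publickey for asmith
EOF
}
```

Run `sample_auditlog | flag_audit_events` to see the filter on the constructed lines before pointing it at the live log.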
Audit records can be viewed in text format or in a browser in XML format.
For information and procedures, see the following:
Preventing Audit Trail Overflow in Managing Auditing in Oracle Solaris 11.3
Displaying Audit Trail Data in Managing Auditing in Oracle Solaris 11.3