ars - receive Solaris audit logs from a remote server
Audit Remote Server (ARS) is the counterpart of the audit_remote(7) plugin. Data sent by the plugin can be captured, processed, and stored by the server according to its configuration.
ARS is delivered as a disabled Solaris audit component. It is necessary to configure ARS before it can be used to process a remote audit trail. ARS configuration is twofold:
the underlying security mechanisms used for secure audit data transport have to be configured (see audit_remote(7));
the audit remote subsystem has to be configured.
To observe and configure the ARS, use the auditconfig(8) -setremote and -getremote options. The configuration is divided between the configuration of server and group. The server configuration allows for changing common ARS parameters, while the group keyword allows configuration of connection groups, the sets of hosts sharing the same local storage parameters.
The address the server listens on. An empty listen_address attribute defaults to listen on all local addresses.
The local listening port; 0 defaults to 16162, the port associated with the “solaris-audit” Internet service name. See services(5).
The server disconnects after login grace time (in seconds) if the connection has not been successfully established; 0 defaults to no limit.
The number of concurrent unauthenticated connections to the server at which the server starts refusing new connections. The value may be specified in begin:rate:full format to allow random early drop mode, for example 10:30:60, meaning that ARS would refuse connection attempts with a probability of rate/100 (30% in our example) if there are currently 10 (from the begin field) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60 in our example).
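The begin:rate:full drop curve described above can be tabulated before a value is chosen. This is an added example, not part of the man page or of the ARS implementation; the function names are hypothetical, and the straight-line interpolation from rate% at begin to 100% at full is an assumption drawn from the description.

```python
# Added example: models the begin:rate:full random early drop rule.
# Assumption: the refusal probability rises in a straight line from rate% at
# `begin` unauthenticated connections to 100% at `full`.

def parse_limit(value):
    """Parse 'N' or 'begin:rate:full' into a (begin, rate, full) tuple."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        # Plain number: every attempt is refused once N is reached.
        begin, rate, full = int(parts[0]), 100, int(parts[0])
    elif len(parts) == 3:
        begin, rate, full = (int(p) for p in parts)
    else:
        raise ValueError("expected N or begin:rate:full, got %r" % value)
    if begin <= 0 or full < begin:
        raise ValueError("need 0 < begin <= full")
    if not 0 <= rate <= 100:
        raise ValueError("rate is a percentage (0-100)")
    return begin, rate, full


def refuse_probability(unauthenticated, limit):
    """Probability (0.0-1.0) that a new connection attempt is refused."""
    begin, rate, full = limit
    if unauthenticated < begin:
        return 0.0
    if unauthenticated >= full:
        return 1.0
    # Here begin <= unauthenticated < full, so full - begin is non-zero.
    span = full - begin
    percent = rate + (100 - rate) * (unauthenticated - begin) / span
    return percent / 100


def drop_table(value, counts):
    """Return (count, probability) pairs for the given connection counts."""
    limit = parse_limit(value)
    return [(n, refuse_probability(n, limit)) for n in counts]


if __name__ == "__main__":
    # Constructed sample counts around the 10:30:60 value used in the text.
    for n, p in drop_table("10:30:60", [0, 9, 10, 20, 35, 50, 59, 60, 80]):
        print("%3d unauthenticated -> refuse %5.1f%%" % (n, p * 100))
```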
The binfile_dir, binfile_fsize, and binfile_minfree attributes follow the respective p_* attributes defined in audit_binfile(7). The p_flags attribute can be specified to filter the audit data being passed to the configured plugin. Brief descriptions follow.
The directory for storing per host audit data.
The maximum size of each of the stored audit trail files; 0 specifies no limit.
The minimum free space on the file system with binfile_dir before the audit_binfile informs the administrator via audit_warn(8); 0 specifies no limit.
The hosts in the given connection group allowed to send audit data to the server. A comma is the delimiter in case of multiple host entries. If hosts is empty, such a connection group is called a wild card connection group. If a new connection cannot be classified to any other (non-wild card) connection group and there is an active wild card connection group configured, the new connection is classified to that connection group. Only one active wild card connection group can be configured.
The audit classes which audit events must belong to in order to be passed on to the currently configured auditd plugin. If p_flags is not specified or if no value has been assigned to p_flags then the default value is all for all audit records. The syntax for specifying audit flags is defined in audit_flags(7).
The following example describes the steps to configure the audit remote server to listen on a specific address. One wild card and one non-wild card connection group will be created. The non-wild card connection group configuration will address remote audit data from tic.cz.example.com and tac.us.example.com; the trail will be stored in /var/audit/remote.
    # Print the current audit remote server configuration.
    # Both server and connection groups (if any) are displayed.
    auditconfig -getremote

    # Set address the audit remote server will listen on.
    auditconfig -setremote server "listen_address=192.168.0.1"

    # Create two connection groups. Note that by default the
    # connection group is created with no hosts specified
    # (wild card connection group).
    auditconfig -setremote group create clockhouse
    auditconfig -setremote group create sink

    # Add hosts to the connection group (convert the wild card
    # connection group to a non-wild card one). Set the storage
    # directory and activate the connection group.
    auditconfig -setremote group active clockhouse \
        "hosts=tic.cz.example.com,tac.us.example.com; binfile_dir=/var/audit/remote"

    # Activate the wild card connection group.
    auditconfig -setremote group active sink

    # Verify the audit remote server configuration.
    auditconfig -getremote

    # Start or refresh the audit service.
    audit -s
See attributes(7) for descriptions of the following attributes:
The audit service FMRI is svc:/system/auditd:default.