Solaris 10 Audit
1.-Back up the current configuration file before changing anything
# cp /etc/security/audit_control /etc/security/audit_control.orig
2.-Enable auditing (you will need to reboot the server after running bsmconv)
# cd /etc/security
#./bsmconv
# init 6
3.-You can list all the configuration files in /etc/security
root@prod-server# ls -ltr
total 424
-rw-r--r-- 1 root bin 586 Aug 8 2007 kmfpolicy.xml
-rwxr----- 1 root sys 6834 Sep 3 2009 audit_warn
-rwxr--r-- 1 root sys 296 Sep 3 2009 audit_startup
-rw-r--r-- 1 root sys 1573 Sep 3 2009 audit_class
-rw-r--r-- 1 root sys 16254 Aug 6 2010 priv_names
-rw-r--r-- 1 root sys 290 Aug 6 2010 crypt.conf
-rw-r--r-- 1 root sys 3705 Jan 8 2012 policy.conf
-rwxr----- 1 root sys 5443 Mar 22 2012 bsmconv
-rwxr----- 1 root sys 4055 Mar 22 2012 bsmunconv
-rw-r--r-- 1 root sys 8350 Jun 17 2012 prof_attr
drwxr-xr-x 3 root sys 512 Oct 23 2012 audit
drwxr-xr-x 2 root sys 512 Oct 23 2012 dev
drwxr-xr-x 2 root sys 512 Oct 23 2012 lib
drwxr-xr-x 2 root sys 512 Oct 23 2012 tsol
-rw-r--r-- 1 root other 16185 Oct 23 2012 priv_names.old
-rw-r--r-- 1 root sys 27595 Nov 14 2012 exec_attr
-rw-r--r-- 1 root sys 21286 Jan 11 2013 audit_event
-rw-r--r-- 1 root sys 50902 Jan 11 2013 audit_record_attr
-rwxr-xr-x 1 root other 21984 Feb 27 11:27 audit_event.new
-rw-r--r-- 1 root sys 3038 Feb 27 11:29 device_policy
-rw-r--r-- 1 root sys 358 Feb 27 11:29 extra_privs
-rw-r--r-- 1 root sys 12129 Apr 26 11:25 auth_attr
-rw-r--r-- 1 root root 146 Jul 22 11:22 audit_control.save22072014
drwxr-xr-x 2 root sys 512 Jul 22 11:51 spool
-rw-r--r-- 1 root root 0 Jul 22 11:51 device_allocate
-rw-r--r-- 1 root root 0 Jul 22 11:51 device_maps
-rw-r--r-- 1 root sys 245 Jul 22 14:23 audit_user
-rw-r--r-- 1 root sys 277 Jul 22 14:29 audit_control
-rw-rw---- 1 root root 56 Jul 24 10:05 audit_data
root@prod-server:/etc/security#
3.-The audit_class file lists all the classes that can be selected for auditing; these are the two-letter class codes used in audit_control and audit_user
root@prod-server:/etc/security# cat audit_class
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad:old administrative (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0x00300000:pc:process (meta-class)
0x00400000:xp:X - privileged/administrative operations
0x00800000:xc:X - object create/destroy
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
0xffffffff:all:all classes (meta-class)
4.-Add the users you need to audit to audit_user (we will add Peter and Donny). Each entry follows the username:always:never format shown in the file header
root@prod-server:/etc/security# cat audit_user
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_user.txt 1.6 00/07/17 SMI"
#
#
# User Level Audit User File
#
# File Format
#
# username:always:never
#
root:lo:no:fr:ps:ex:fd:fc:fm:fa:fr
peter:lo:no:fr:ps:ex:fd:fc:fm:fa:fr
donny:lo:no:fr:ps:ex:fd:fc:fm:fa:fr
5.-After modifying the files, check the syntax to confirm that everything is OK (note that the command shown below validates audit_control; it does not check audit_user)
root@prod-server:/etc/security# audit -v /etc/security/audit_control
syntax ok
6.-In audit_control you can set the minfree percentage and the directory where the audit records are written
root@prod-server:/etc/security# cat audit_control
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit
flags:lo,ap,fw,fm,fc,fd,ps,ex
minfree:20
naflags:lo,na
plugin:name=audit_binfile.so;p_dir=/var/audit; p_minfree=20;
plugin:name=audit_syslog.so;p_flags=+lo,-ss
root@prod-server:/etc/security#
7.-After all the changes have been made, restart the audit service and verify that records are being written to the audit directory
#svcadm restart audit
#cd /var/audit/
#ls -ltr
#praudit 20140722145740.not_terminated.prod-server
Unconfigure the Audit Control in Solaris 10
1.-Unconfigure the audit: # /usr/sbin/auditconfig -aconf
You can also reboot.
If you modify other lines in the audit_control file, make the audit daemon reread it.
The audit daemon keeps the contents of audit_control in memory. To pick up the new settings, either reboot the system or instruct the audit daemon to reread the modified file:
# /usr/sbin/audit -s
Regards
Roger