
How to enable Solaris 10 Audit

Solaris 10 Audit


1.-Back up the current configuration file
# cp /etc/security/audit_control /etc/security/audit_control.orig

2.-Enable auditing (you will need to reboot the server after running bsmconv)
# cd /etc/security
# ./bsmconv
# init 6

3.-After the reboot you can list all the configuration files in /etc/security
root@prod-server# ls -ltr
total 424
-rw-r--r--   1 root     bin          586 Aug  8  2007 kmfpolicy.xml
-rwxr-----   1 root     sys         6834 Sep  3  2009 audit_warn
-rwxr--r--   1 root     sys          296 Sep  3  2009 audit_startup
-rw-r--r--   1 root     sys         1573 Sep  3  2009 audit_class
-rw-r--r--   1 root     sys        16254 Aug  6  2010 priv_names
-rw-r--r--   1 root     sys          290 Aug  6  2010 crypt.conf
-rw-r--r--   1 root     sys         3705 Jan  8  2012 policy.conf
-rwxr-----   1 root     sys         5443 Mar 22  2012 bsmconv
-rwxr-----   1 root     sys         4055 Mar 22  2012 bsmunconv
-rw-r--r--   1 root     sys         8350 Jun 17  2012 prof_attr
drwxr-xr-x   3 root     sys          512 Oct 23  2012 audit
drwxr-xr-x   2 root     sys          512 Oct 23  2012 dev
drwxr-xr-x   2 root     sys          512 Oct 23  2012 lib
drwxr-xr-x   2 root     sys          512 Oct 23  2012 tsol
-rw-r--r--   1 root     other      16185 Oct 23  2012 priv_names.old
-rw-r--r--   1 root     sys        27595 Nov 14  2012 exec_attr
-rw-r--r--   1 root     sys        21286 Jan 11  2013 audit_event
-rw-r--r--   1 root     sys        50902 Jan 11  2013 audit_record_attr
-rwxr-xr-x   1 root     other      21984 Feb 27 11:27 audit_event.new
-rw-r--r--   1 root     sys         3038 Feb 27 11:29 device_policy
-rw-r--r--   1 root     sys          358 Feb 27 11:29 extra_privs
-rw-r--r--   1 root     sys        12129 Apr 26 11:25 auth_attr
-rw-r--r--   1 root     root         146 Jul 22 11:22 audit_control.save22072014
drwxr-xr-x   2 root     sys          512 Jul 22 11:51 spool
-rw-r--r--   1 root     root           0 Jul 22 11:51 device_allocate
-rw-r--r--   1 root     root           0 Jul 22 11:51 device_maps
-rw-r--r--   1 root     sys          245 Jul 22 14:23 audit_user
-rw-r--r--   1 root     sys          277 Jul 22 14:29 audit_control
-rw-rw----   1 root     root          56 Jul 24 10:05 audit_data
root@prod-server:/etc/security#

4.-audit_class lists every class that can be named in the flags and naflags lines of audit_control and in audit_user. Pick classes deliberately: fr, fw and ex fire on almost every file read, write and exec and will fill the audit directory quickly.
root@prod-server:/etc/security# cat audit_class
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad:old administrative (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0x00300000:pc:process (meta-class)
0x00400000:xp:X - privileged/administrative operations
0x00800000:xc:X - object create/destroy
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
0xffffffff:all:all classes (meta-class)

5.-Add the users you need to audit beyond the system-wide flags to audit_user (we will add peter and donny). Each line is username:always:never, where always and never are comma-separated lists of classes from audit_class.
root@prod-server:/etc/security# cat audit_user
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_user.txt     1.6     00/07/17 SMI"
#
#
# User Level Audit User File
#
# File Format
#
#       username:always:never
#
# always and never are comma-separated class lists; "no" means none
root:lo,fr,ps,ex,fd,fc,fm,fa:no
peter:lo,fr,ps,ex,fd,fc,fm,fa:no
donny:lo,fr,ps,ex,fd,fc,fm,fa:no

6.-After editing, verify the syntax of audit_control with audit -v. This checks audit_control only; audit -v does not parse audit_user, so re-read those entries by hand against the username:always:never format
root@prod-server:/etc/security# audit -v /etc/security/audit_control
syntax ok

7.-In audit_control you set the trail directory (dir:), the classes audited for every user (flags:), the classes audited for events that cannot be attributed to a user (naflags:) and the free-space threshold (minfree:). When free space in the audit directory drops below minfree percent, auditd runs /etc/security/audit_warn, which mails the audit_warn alias, so make sure that alias is delivered somewhere that is read. The audit_syslog plugin only produces output if syslog.conf has a line for the audit facility (for example audit.notice to a log file) and syslogd has been restarted.
root@prod-server:/etc/security# cat audit_control
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt  1.4     00/07/17 SMI"
#
dir:/var/audit
flags:lo,ap,fw,fm,fc,fd,ps,ex
minfree:20
naflags:lo,na
plugin:name=audit_binfile.so;p_dir=/var/audit;p_minfree=20
plugin:name=audit_syslog.so;p_flags=+lo,-ss
root@prod-server:/etc/security#
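The checks above only cover audit_control: audit -v says nothing about audit_user, and nothing on the page shows which classes a given user ends up audited for once the system-wide flags and the per-user always/never lists are combined. The script below is an added example, not part of the original post and not a Solaris tool. It validates audit_user against audit_class following the format the file's own header describes (three colon-separated fields, comma-separated class lists, optional ^, + and - prefixes) and prints each user's effective class list as (flags + always) minus never. AUDIT_DIR, make_samples and the function names are this example's own; the three input files are constructed samples based on the listings above so it runs offline. On a Solaris 10 host set AUDIT_DIR=/etc/security and drop the make_samples call.

```shell
#!/bin/sh
# Added example (not code from the original post): a pre-flight check for
# the Solaris 10 audit_user file, which "audit -v" does not validate.
# It checks that every entry has exactly three fields (username:always:never),
# that every class in the always/never lists exists in audit_class (the ^, +
# and - prefixes are allowed), and computes each user's effective class list
# as (audit_control flags + always) minus never.
# The three input files are constructed samples so this runs offline; on a
# real host set AUDIT_DIR=/etc/security and skip make_samples.

AUDIT_DIR=${AUDIT_DIR:-$(mktemp -d)}

make_samples() {
    # Subset of the audit_class listing shown above.
    cat >"$AUDIT_DIR/audit_class" <<'EOF'
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00100000:ps:process start/stop
0x40000000:ex:exec
EOF
    cat >"$AUDIT_DIR/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ap,fw,fm,fc,fd,ps,ex
minfree:20
naflags:lo,na
EOF
    # Three good entries, then the colon-separated form (too many fields)
    # and an entry with an unknown class name; both must be rejected.
    cat >"$AUDIT_DIR/audit_user" <<'EOF'
# username:always:never
root:lo,fr,ps,ex,fd,fc,fm,fa:no
peter:lo,fr,ps,ex,fd,fc,fm,fa:no
backup:lo:ex,ps
donny:lo:no:fr:ps:ex:fd:fc:fm:fa
mallory:lo,xyz:no
EOF
}

# Class names defined in audit_class, one per line.
class_names() { awk -F: '!/^#/ && NF >= 2 { print $2 }' "$AUDIT_DIR/audit_class"; }

# Is $1 (one flag, optionally prefixed with ^, + or -) a known class?
known_class() {
    name=$(printf '%s\n' "$1" | sed 's/^[^a-z]*//')
    class_names | grep -qx -- "$name"
}

# Print the flags in the comma-separated list $1 that are not known classes.
bad_flags() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r flag; do
        known_class "$flag" || printf '%s\n' "$flag"
    done
}

# Validate audit_user; one diagnostic per problem, returns 1 if any found.
check_audit_user() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        user=${line%%:*}
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nf" -ne 3 ]; then
            echo "$user: expected username:always:never, got $nf fields"
            rc=1
            continue
        fi
        rest=${line#*:}
        for list in "${rest%%:*}" "${rest#*:}"; do
            for bad in $(bad_flags "$list"); do
                echo "$user: unknown audit class '$bad'"
                rc=1
            done
        done
    done <"$AUDIT_DIR/audit_user"
    return $rc
}

# Effective classes for user $1: (system flags + always) minus never, with
# prefixes stripped; "no" means nothing. Users not in audit_user get flags only.
effective_mask() {
    sys=$(awk -F: '$1 == "flags" { print $2 }' "$AUDIT_DIR/audit_control")
    entry=$(awk -F: -v u="$1" '!/^#/ && $1 == u && NF == 3 { print $2 ":" $3 }' \
        "$AUDIT_DIR/audit_user")
    always=${entry%%:*}
    never=${entry#*:}
    printf '%s\n%s\n' "$sys" "$always" | tr ',' '\n' | sed 's/^[^a-z]*//' |
        grep -v -e '^no$' -e '^$' | sort -u |
        while IFS= read -r c; do
            case ",$never," in *",$c,"*) ;; *) printf '%s\n' "$c" ;; esac
        done | paste -s -d, -
}

make_samples
check_audit_user || echo "audit_user has problems; fix them before running audit -s"
for u in root peter backup nobody; do
    echo "$u: $(effective_mask "$u")"
done
```

Two sample entries are deliberately bad: donny uses the colon-separated form and mallory names a class that audit_class does not define; both are reported and the check returns 1. The effective list is a plain set difference with the prefixes stripped, so it tells you which classes are selected for a user but not whether only successes (+) or only failures (-) of a class will be recorded.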

8.-Once all the changes are made, restart the audit daemon so it re-reads the configuration (audit -s, shown further down, does the same re-read without a service restart), then look at the new trail file in /var/audit. The active file is named <start time>.not_terminated.<hostname> and is binary, so read it with praudit
# svcadm restart auditd
# cd /var/audit/
# ls -ltr
# praudit 20140722145740.not_terminated.prod-server

Reload the audit configuration in Solaris 10

1.-If you changed the naflags line, load the new non-attributable mask from audit_control
# /usr/sbin/auditconfig -aconf

You can also reboot.
2.-If you modified other lines in the audit_control file, make the daemon reread it. The audit daemon stores the contents of audit_control internally, so to use the new information either reboot the system or instruct the audit daemon to read the modified file

# /usr/sbin/audit -s

To turn BSM auditing off completely, run bsmunconv (in /etc/security, next to bsmconv) and reboot.
Regards
Roger



