For more information see Part VII Solaris Auditing in System Administration Guide: Security Services
Auditing is collecting data about system resource use and assigning responsibility for actions that take place on a host.
An action that is audited is called a system event. All events are described in the file /etc/security/audit_events.
System events are grouped in event classes, which are user configurable. Each class has a short description in the file /etc/security/audit_class. Events can be attributable or non-attributable: the former can be related to a user, the latter cannot.
Each audit event is described by an audit record, which consists of audit tokens. Each token describes an attribute of an audit event. Attributes are described in the file /etc/security/audit_record_attr.
Audit records are stored in audit files in binary format in an audit directory. The collection of audit files from all audited systems is called an audit trail.
Public objects are files that are owned by root and world readable. Audit policy is a set of options that governs which events are collected and what happens when the audit directory is full.
Auditing is configured on a system-wide level using the /etc/security/audit_control file and/or on a per-user basis via the /etc/security/audit_user database; entries in the latter make exceptions to the system-wide settings. Audit classes can also be added dynamically to a session or process by passing them as arguments to the auditconfig command.
The auditconfig -lspolicy command shows a short description of the available policies. By default, only the cnt policy is enabled.
Before auditing is started, an administrator should:
1. configure the audit policy by modifying the /etc/security/audit_startup file
2. review the mappings of audit events to audit classes and change them if necessary
3. decide which classes to audit on a system-wide basis and assign them as values to the flags and naflags parameters in the /etc/security/audit_control file. A "+" sign in front of an audit class means only successful events are audited, a "-" sign means only failed events, and no sign means both
4. decide which classes to audit on a per-user basis and assign them to specific users in the /etc/security/audit_user file
5. change the audit file location if necessary (the dir parameter in audit_control defaults to /var/audit)
6. change the percentage of free disk space to keep in the audit directory (the minfree parameter in audit_control defaults to 20%)
7. configure an email recipient for disk space warnings in the /etc/security/audit_warn file (the audit_warn alias is not set up by default in /etc/mail/aliases)
8. decide whether audit records will be written via syslog in addition to the binary files
9. enable auditing by running bsmconv, which instructs the system to load the BSM kernel module at the next boot
Here is a quick example of the above:
# cd /etc/security
# vi audit_startup
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
# vi audit_control
dir:/var/audit
flags:lo,ss,as,ua
minfree:20
naflags:lo,na
plugin:name=audit_syslog.so.1; p_flags=-lo,-na,-ss,-as,-ua,-ex
# vi audit_user
root:lo:no
sys:lo:no
# vi /etc/syslog.conf
audit.notice    /var/log/audit.log
# touch /var/log/audit.log
# svcadm refresh system-log
# vi /etc/logadm.conf
#
# rotate /var/log/audit.log
#
/var/log/audit.log -C 30 -P 'Tue Aug 19 04:00:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`' -p 1d -s 1b -z 0
# vi /etc/mail/aliases
# Alias for sending low disk space alerts for /var/audit directory
audit_warn: sysadm@gamesys.an
# newaliases
# ./bsmconv
# reboot
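The flag syntax used above (no sign, "+", "-") and the per-user exceptions in audit_user are easy to get wrong, and the syslog plugin can only forward records that some preselection line actually generates. The following is an added example, not part of the original notes and not Solaris code: it parses constructed copies of audit_control and audit_user (the file contents, class names and user names below are made up for the demonstration), works out the effective preselection mask at system level and per user, and lists any p_flags class that no flags, naflags or audit_user "always" column enables. It does not run auditconfig or read /etc/security.

```python
"""Interpret Solaris BSM preselection syntax offline (added example)."""

# Constructed sample input; mirrors the layout of the real files.
AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,+ss,-as,ua
minfree:20
naflags:lo,na
plugin:name=audit_syslog.so.1; p_flags=-lo,-na,-ss,-ex,-fm
"""

AUDIT_USER = """\
root:+ex:no
sys::-lo
"""


def parse_flags(spec):
    """Expand 'lo,+ss,-as' into {class: {'success': bool, 'failure': bool}}.

    No sign audits both outcomes, '+' successful events only, '-' failed
    events only. A class listed twice has its outcome bits OR-ed together.
    """
    mask = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        success, failure, name = True, True, item
        if item.startswith("+"):
            failure, name = False, item[1:]
        elif item.startswith("-"):
            success, name = False, item[1:]
        entry = mask.setdefault(name, {"success": False, "failure": False})
        entry["success"] |= success
        entry["failure"] |= failure
    return mask


def parse_audit_control(text):
    """Return the audit_control keywords; flag-valued lines are expanded."""
    conf = {"plugins": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key in ("flags", "naflags"):
            conf[key] = parse_flags(value)
        elif key == "plugin":
            # "name=x; p_flags=..." -> attribute dict, p_flags expanded
            attrs = dict(a.strip().split("=", 1) for a in value.split(";") if "=" in a)
            if "p_flags" in attrs:
                attrs["p_flags"] = parse_flags(attrs["p_flags"])
            conf["plugins"].append(attrs)
        else:
            conf[key] = value
    return conf


def parse_audit_user(text):
    """Return {user: (always_mask, never_mask)} from user:always:never lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, always, never = line.split(":")
        users[user] = (parse_flags(always), parse_flags(never))
    return users


def _bits(mask, name):
    entry = mask.get(name, {})
    return entry.get("success", False), entry.get("failure", False)


def effective_mask(system_mask, always, never):
    """Per-user mask: system flags, plus always-audit, minus never-audit."""
    result = {}
    for name in set(system_mask) | set(always):
        s_sys, f_sys = _bits(system_mask, name)
        s_alw, f_alw = _bits(always, name)
        s_nev, f_nev = _bits(never, name)
        success = (s_sys or s_alw) and not s_nev
        failure = (f_sys or f_alw) and not f_nev
        if success or failure:
            result[name] = {"success": success, "failure": failure}
    return result


def unpreselected_plugin_classes(conf, users):
    """p_flags classes that no preselection line enables: they never reach syslog."""
    preselected = set(conf.get("flags", {})) | set(conf.get("naflags", {}))
    for always, _never in users.values():
        preselected |= set(always)
    missing = set()
    for plugin in conf["plugins"]:
        missing |= set(plugin.get("p_flags", {})) - preselected
    return sorted(missing)


def describe(mask):
    """Render a mask back into flag syntax, sorted by class, e.g. '-as,lo,+ss'."""
    parts = []
    for name in sorted(mask):
        s, f = mask[name]["success"], mask[name]["failure"]
        parts.append(name if s and f else ("+" + name if s else "-" + name))
    return ",".join(parts)


if __name__ == "__main__":
    conf = parse_audit_control(AUDIT_CONTROL)
    users = parse_audit_user(AUDIT_USER)
    print("system-wide flags :", describe(conf["flags"]))
    print("non-attributable  :", describe(conf["naflags"]))
    for user, (always, never) in users.items():
        print("effective for %-4s:" % user,
              describe(effective_mask(conf["flags"], always, never)))
    print("plugin classes never preselected:", unpreselected_plugin_classes(conf, users))
```

With the constructed input, root gains "+ex" on top of the system flags, sys loses failed logins because of its "-lo" never-audit entry, and "fm" is reported as a plugin class that nothing preselects, which is the kind of silent gap worth catching before the first reboot with BSM enabled.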
auditreduce selects records from the audit trail and praudit prints them in readable form. For example, to print all records of the lo class in short form:
# auditreduce -c lo | praudit -s
To turn auditing off permanently, bring the system down to single-user mode, run bsmunconv and reboot:
# shutdown -is -g0 -y
# /etc/security/bsmunconv
# reboot
To stop the audit daemon without unconfiguring BSM:
# svcadm disable auditd
If naflags is changed in the audit_control file, then run
# /usr/sbin/auditconfig -aconf
For changes to other parameters in audit_control, instruct auditd to re-read the file:
# /usr/sbin/audit -s
If audit_event or audit_class is modified, then run
# auditconfig -conf
# auditconfig -setumask <uid> <classes>
where <uid> is the audit user ID and <classes> are the classes to audit for that user.