Configuring the Audit Service in Zones (Tasks)

The audit service audits the entire system, including audit events in zones. A system that has installed non-global zones can audit all zones identically, or can configure auditing per zone. For more information, see How to Plan Auditing in Zones.

When you audit the non-global zones exactly as the global zone is audited, the non-global zone administrators might not have access to the audit records. Also, the global zone administrator can modify the audit preselection masks of users in non-global zones.

When you audit the non-global zones individually, the audit records are visible to the non-global zone and to the global zone from the non-global zone root.

How to Configure All Zones Identically for Auditing

This procedure enables audits every zone identically. This method requires the least computer overhead and administrative resources.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

Configure the global zone for auditing.
Complete the tasks in Configuring the Audit Service (Task Map), with the following exceptions:
- Do not enable perzone audit policy.
- Set the zonename policy. This policy adds the name of the zone to every audit record.
```
# auditconfig -setpolicy +zonename
```
If you modified audit configuration files, copy them from the global zone to every non-global zone.
If you modified the audit_class or audit_event file, copy it in one of two ways:
- You can loopback mount the files.
- You can copy the files.
The non-global zone must be running.
- Mount the changed audit_class and audit_event files as a loopback file system (lofs).
  1. From the global zone, halt the non-global zone.
```
# zoneadm -z non-global-zone halt
```
  2. Create a read-only loopback mount for every audit configuration file that you modified in the global zone.
```
# zonecfg -z non-global-zone
 add fs
    set special=/etc/security/audit-file
    set dir=/etc/security/audit-file
    set type=lofs
    add options [ro,nodevices,nosetuid]
    commit
    end
 exit
```
  3. To make the changes effective, boot the non-global zone.
```
# zoneadm -z non-global-zone boot
```
    Later, if you modify an audit configuration file in the global zone, you reboot each zone to refresh the loopback-mounted files in the non-global zones.
- Copy the files.
  1. From the global zone, list the /etc/security directory in each non-global zone.
```
# ls /zone/zonename/root/etc/security/
```
  2. Copy the changed audit_class and audit_event files to each zone's /etc/security directory.
```
# cp /etc/security/audit-file /zone/zonename/root/etc/security/audit-file
```
    Later, if you change one of these files in the global zone, you must copy the changed file to the non-global zones.
The non-global zones are audited when the audit service is restarted in the global zone or when the zones are rebooted.

Example 28-23 Mounting Audit Configuration Files as Loopback Mounts in a Zone

In this example, the system administrator has modified the audit_class, audit_event, and audit_warn files.

The audit_warn file is read in the global zone only, so does not have to be mounted into the non-global zones.

On this system, machine1, the administrator has created two non-global zones, machine1–webserver and machine1–appserver. The administrator has finished modifying the audit configuration files. If the administrator later modifies the files, the zone must be rebooted to re-read the loopback mounts.

# zoneadm -z machine1-webserver halt
# zoneadm -z machine1-appserver halt
# zonecfg -z machine1-webserver 
 add fs
    set special=/etc/security/audit_class
    set dir=/etc/security/audit_class
    set type=lofs
    add options [ro,nodevices,nosetuid]
    commit
    end
 add fs
    set special=/etc/security/audit_event
    set dir=/etc/security/audit_event
    set type=lofs
    add options [ro,nodevices,nosetuid]
    commit
    end
  exit
# zonecfg -z machine1-appserver 
 add fs
    set special=/etc/security/audit_class
    set dir=/etc/security/audit_class
    set type=lofs
    add options [ro,nodevices,nosetuid]
    commit
    end
...
 exit

When the non-global zones are rebooted, the audit_class and audit_event files are read-only in the zones.

How to Configure Per-Zone Auditing

This procedure enables separate zone administrators to control the audit service in their zone. For the complete list of policy options, see the auditconfig(1M) man page.

Before You Begin

To configure auditing, you must become an administrator who is assigned the Audit Configuration rights profile. To enable the audit service, you must become an administrator who is assigned the Audit Control rights profile. For more information, see How to Use Your Assigned Administrative Rights.

In the global zone, configure auditing.
1. Complete the tasks in Configuring the Audit Service (Task Map).
2. Add the perzone audit policy. For the command, see Example 28-8.
  Note - You are not required to enable the audit service in the global zone.
In each non-global zone that you plan to audit, configure the audit files.
1. Complete the tasks in Configuring the Audit Service (Task Map).
2. Do not configure system-wide audit settings.
  Specifically, do not add the perzone or ahlt policy to the non-global zone.
Enable auditing in your zone.
```
myzone# audit -s
```

Example 28-24 Disabling Auditing in a Non-Global Zone

This example works if the perzone audit policy is set. The zone administrator of the noaudit zone disables auditing for that zone.

noauditzone # auditconfig -getcond
audit condition = auditing
noauditzone # audit -t
noauditzone # auditconfig -getcond
audit condition = noaudit

Skip Navigation Links
Exit Print View
	Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library