Oracle Solaris 11.1 Administration: Security Services (Oracle Solaris 11.1 Information Library)
Before you enable auditing on your network, you can modify the defaults to satisfy your site auditing requirements. Best practice is to customize your audit configuration as much as possible before the first users log in.
If you have implemented zones, you can choose to audit all zones from the global zone or to audit non-global zones individually. For an overview, see Auditing and Oracle Solaris Zones. For planning, see How to Plan Auditing in Zones. For procedures, see Configuring the Audit Service in Zones (Tasks).
The following task map points to the procedures for configuring auditing. All tasks are optional.
The commands in this procedure display the current audit configuration. The output in this procedure is taken from an unconfigured system.
Before You Begin
You must become an administrator who is assigned the Audit Configuration or Audit Control rights profile. For more information, see How to Use Your Assigned Administrative Rights.
# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
lo is the flag for the login/logout audit class. The format of the mask output is (success,failure).
Note - To see which events are assigned to a class, and therefore which events are being recorded, run the auditrecord -c class command.
# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
The active policy is the current policy, but the policy value is not being stored by the audit service. The configured policy is stored by the audit service, so the policy is restored when you restart the audit service.
$ auditconfig -getplugin
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;
The audit_binfile plugin is active by default.
$ auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
The active queue control is the queue control that is currently used by the kernel. The string no configured indicates that the system is using the default values.
Find the users, then display each user's audit_flags attribute value.
# who
adoe   pts/1   Oct 10 10:20   (:0.0)
adoe   pts/2   Oct 10 10:20   (:0.0)
jdoe   pts/5   Oct 12 12:20   (:0.0)
jdoe   pts/6   Oct 12 12:20   (:0.0)
...
# userattr audit_flags adoe
# userattr audit_flags jdoe
By default, users are audited for the system-wide settings only.
For a description of the userattr command, see the userattr(1) man page. For a description of the audit_flags keyword, see the user_attr(4) man page.
Preselect audit classes that contain the events that you want to monitor. Events that are not in preselected classes are not recorded.
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see How to Use Your Assigned Administrative Rights.
# auditconfig -getflags ...
# auditconfig -getnaflags ...
For an explanation of the output, see How to Display Audit Service Defaults.
# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
This command audits the events in the login/logout, process start/stop, and file write classes for success and for failure.
Note - The auditconfig -setflags command replaces the current preselection, so you must specify all classes that you want to preselect.
The na class contains PROM, boot, and non-attributable mounts, among other events.
# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only useful arguments to the -setnaflags option.
Note - The auditconfig -setnaflags command replaces the current preselection, so you must specify all classes that you want to preselect.
By preselecting classes on a per-user basis rather than on a per-system basis, you can sometimes reduce the impact of auditing on system performance. You might also want to audit specific users slightly differently from the system.
Audit class preselections for each user are specified by the audit_flags security attribute. These user-specific values, plus the preselected classes for the system, determine the user's audit mask, as described in Process Audit Characteristics.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.
For example, you can create a rights profile that defines the rights of a subset of your users. Users who are assigned that rights profile are audited identically.
# usermod -K audit_flags=fw:no jdoe
The format of the audit_flags keyword is always-audit:never-audit.
always-audit - Lists the audit classes that are audited for this user. Modifications to the system-wide classes are prefixed by a caret (^). Classes that are added to the system-wide classes are not prefixed by a caret.
never-audit - Lists the audit classes that are never audited for the user, even if these audit events are audited system-wide. Modifications to the system-wide classes are prefixed by a caret (^).
To specify multiple audit classes, separate the classes with commas. For more information, see the audit_flags(5) man page.
# profiles -p "System Administrator"
profiles:System Administrator> set name="Audited System Administrator"
profiles:Audited System Administrator> set always_audit=fw,as
profiles:Audited System Administrator> end
profiles:Audited System Administrator> exit
When you assign the Audited System Administrator rights profile to a user or a role, that user or role is audited for those flags, subject to search order as described in Order of Search for Assigned Security Attributes.
Example 28-1 Changing Which Events Are Audited for One User
In this example, the audit preselection mask for all users is the following:
# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)
No user except the administrator is logged in.
To lessen the impact of the AUE_PFEXEC audit event on system resources, the administrator does not audit this event at the system level. Rather, the administrator preselects the pf class for a user, jdoe. The pf class is created in Example 28-10.
# usermod -K audit_flags=pf:no jdoe
The userattr command shows the addition.
# userattr audit_flags jdoe
pf:no
When the user jdoe logs in, jdoe's audit preselection mask is a combination of the audit_flags values with the system default values. 289 is the PID of jdoe's login shell.
# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = ss,pf,lo(0x0100000008011000,0x0100000008011000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 103203403
Example 28-2 Modifying Audit Preselection Exception for One User
In this example, the audit preselection mask for all users is the following:
# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)
No users except the administrator are logged in.
The administrator decides not to collect failed ss events for the jdoe user.
# usermod -K audit_flags=^-ss:no jdoe
The userattr command shows the exception.
# userattr audit_flags jdoe
^-ss:no
When the user jdoe logs in, jdoe's audit preselection mask is a combination of the audit_flags values with the system default values. 289 is the PID of jdoe's login shell.
# auditconfig -getpinfo 289
audit id = jdoe(1234)
process preselection mask = +ss,lo(0x11000,0x1000)
terminal id (maj,min,host) = 242,511,example1(192.168.160.171)
audit session id = 103203403
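The following Python model is an added example, not part of this Oracle Solaris guide: it shows how the system-wide classes set by auditconfig -setflags and a user's audit_flags value (always-audit:never-audit, with the +, - and ^ prefixes described above) combine into the (success,failure) preselection mask that Examples 28-1 and 28-2 display. The audit_class excerpt is constructed from the bit values printed on this page, and a class that is missing from audit_class raises an error, the mismatch that the Troubleshooting note for custom audit classes describes.

```python
# Constructed audit_class excerpt: bit values for fw, na, lo, ss and ps are the
# ones implied by masks printed on this page; pf is the class from Example 28-10.
AUDIT_CLASS_TEXT = """\
0x0000000000000000:no:invalid class
0x0000000000000002:fw:file write
0x0000000000000400:na:non-attributable
0x0000000000001000:lo:login or logout
0x0000000000010000:ss:change system state
0x0000000000100000:ps:process start/stop
0x0100000000000000:pf:profile command
"""

Mask = tuple[int, int]  # (success bits, failure bits), the order auditconfig prints


def parse_audit_class(text: str) -> dict[str, int]:
    """Parse '0x64bitnumber:flag:description' lines into {flag: bitmask}."""
    classes: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            mask, flag, _description = line.split(":", 2)
            classes[flag] = int(mask, 16)
    return classes


def apply_tokens(mask: Mask, tokens: list[str], classes: dict[str, int]) -> Mask:
    """Apply audit_flags tokens: '+' success only, '-' failure only, '^' unset.

    '^-ss' therefore removes ss from the failure mask only. A class that is
    missing from audit_class raises ValueError, which is the inconsistency the
    Troubleshooting note for custom audit classes warns about.
    """
    succ, fail = mask
    for tok in tokens:
        unset = tok.startswith("^")
        tok = tok[1:] if unset else tok
        part = {"+": "success", "-": "failure"}.get(tok[:1], "both")
        tok = tok[1:] if part != "both" else tok
        if tok not in classes:
            raise ValueError(f"audit class {tok!r} is not defined in audit_class")
        bits = classes[tok]
        if part != "failure":
            succ = succ & ~bits if unset else succ | bits
        if part != "success":
            fail = fail & ~bits if unset else fail | bits
    return succ, fail


def _split(flags: str) -> list[str]:
    return [t for t in flags.split(",") if t]


def system_mask(setflags: str, classes: dict[str, int]) -> Mask:
    """Mask produced by 'auditconfig -setflags <classes>' (replaces the old one)."""
    return apply_tokens((0, 0), _split(setflags), classes)


def user_mask(system: Mask, audit_flags: str, classes: dict[str, int]) -> Mask:
    """Combine the system-wide mask with a user's 'always-audit:never-audit'."""
    always, _, never = audit_flags.partition(":")
    mask = apply_tokens(system, _split(always), classes)
    # Never-audit classes are removed even when they are audited system-wide.
    return apply_tokens(mask, ["^" + t for t in _split(never)], classes)


def format_mask(mask: Mask, classes: dict[str, int]) -> str:
    """Render a mask as auditconfig does, for example '+ss,lo(0x11000,0x1000)'."""
    succ, fail = mask
    names = []
    for flag, bits in sorted(classes.items(), key=lambda kv: kv[1], reverse=True):
        in_succ, in_fail = bool(succ & bits), bool(fail & bits)
        if in_succ and in_fail:
            names.append(flag)
        elif in_succ or in_fail:
            names.append(("+" if in_succ else "-") + flag)
    return f"{','.join(names) or 'no'}(0x{succ:x},0x{fail:x})"
```

With the system-wide flags ss,lo from Example 28-2, user_mask(system, "^-ss:no", classes) yields (0x11000, 0x1000), which format_mask renders as +ss,lo(0x11000,0x1000).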
Example 28-3 Auditing Selected Users, No System-Wide Auditing
In this example, the login and role activities of four selected users are audited on the system. No audit classes are preselected for the system.
First, the administrator removes all system-wide flags.
# auditconfig -setflags no
user default audit flags = no(0x0,0x0)
Then, the administrator preselects two audit classes for the four users. The pf class is created in Example 28-10.
# usermod -K audit_flags=lo,pf:no jdoe
# usermod -K audit_flags=lo,pf:no kdoe
# usermod -K audit_flags=lo,pf:no pdoe
# usermod -K audit_flags=lo,pf:no zdoe
Then, the administrator preselects the pf class for the root role.
# userattr audit_flags root
# rolemod -K audit_flags=lo,pf:no root
# userattr audit_flags root
lo,pf:no
To continue to record attempts at unwarranted intrusion, the administrator leaves the auditing of non-attributable logins unchanged.
# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
Example 28-4 Removing a User's Audit Flags
In the following example, the administrator removes all user-specific audit flags. Existing processes of users who are currently logged in continue to be audited.
The administrator runs the usermod command with the audit_flags keyword set to no value.
# usermod -K audit_flags= jdoe
# usermod -K audit_flags= kdoe
# usermod -K audit_flags= ldoe
Then, the administrator verifies the removal.
# userattr audit_flags jdoe
# userattr audit_flags kdoe
# userattr audit_flags ldoe
Example 28-5 Creating a Rights Profile for a Group of Users
The administrator wants all administrative rights profiles at the site to explicitly audit the pf class. For every rights profile that is going to be assigned, the administrator creates a site-specific version in LDAP that includes audit flags.
First, the administrator clones an existing rights profile, then changes the name and adds audit flags.
# profiles -p "Network Wifi Management" -S ldap
profiles: Network Wifi Management> set name="Wifi Management"
profiles: Wifi Management> set desc="Audited wifi management"
profiles: Wifi Management> set audit_always=pf
profiles: Wifi Management> exit
After repeating this procedure for every rights profile that is going to be used, the administrator lists the information in the Wifi Management profile.
# profiles -p "Wifi Management" -S ldap info
name=Wifi Management
desc=Audited wifi management
auths=solaris.network.wifi.config
help=RtNetWifiMngmnt.html
always_audit=pf
You might change default audit policy to record detailed information about audited commands, to add a zone name to every record, or to satisfy other site security requirements.
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see How to Use Your Assigned Administrative Rights.
$ auditconfig -getpolicy ...
For an explanation of the output, see How to Display Audit Service Defaults.
$ auditconfig -lspolicy
policy string   description:
ahlt            halt machine if it can not record an async event
all             all policies for the zone
arge            include exec environment args in audit recs
argv            include exec command line args in audit recs
cnt             when no more space, drop recs and keep a cnt
group           include supplementary groups in audit recs
none            no policies
path            allow multiple paths per event
perzone         use a separate queue and auditd per zone
public          audit public files
seq             include a sequence number in audit recs
trail           include trailer token in audit recs
windata_down    include downgraded window information in audit recs
windata_up      include upgraded window information in audit recs
zonename        include zonename token in audit recs
Note - The perzone and ahlt policy options can only be set in the global zone. For the trade-offs to using a particular policy option, see Understanding Audit Policy.
# auditconfig [ -t ] -setpolicy [prefix]policy[,policy...]
-t - Optional. Creates a temporary, or active, policy. You might set a temporary policy for debugging or testing purposes.
A temporary policy is in effect until the audit service is refreshed, or until the policy is modified by the auditconfig -setpolicy command.
prefix - A prefix value of + adds the list of policies to the current policy. A prefix value of - removes the list of policies from the current policy. Without a prefix, the audit policy is reset: the listed policies replace the current policy. Using a prefix enables you to retain current audit policies.
policy - Selects the policy to be enabled or to be disabled.
Example 28-6 Setting the ahlt Audit Policy Option
In this example, strict site security requires the ahlt policy.
# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt
The plus sign (+) before the ahlt policy adds the policy to current policy settings. Without the plus sign, the ahlt policy replaces all current audit policies.
Example 28-7 Setting a Temporary Audit Policy
In this example, the ahlt audit policy is configured. For debugging, the administrator adds the trail audit policy to the active policy (+trail) temporarily (-t). The trail policy aids in the recovery of damaged audit trails.
$ auditconfig -setpolicy ahlt
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt
$ auditconfig -t -setpolicy +trail
configured audit policies = ahlt
active audit policies = ahlt,trail
The administrator disables the trail policy when the debugging is completed.
$ auditconfig -setpolicy -trail
$ auditconfig -getpolicy
configured audit policies = ahlt
active audit policies = ahlt
Refreshing the audit service by running the audit -s command also removes this temporary policy, plus any other temporary values in the audit service. For examples of other temporary values, see How to Change Audit Queue Controls.
Example 28-8 Setting the perzone Audit Policy
In this example, the perzone audit policy is added to the existing policy in the global zone. The perzone policy setting is stored as a permanent property, so the perzone policy is in effect during the session and when the audit service is restarted. For the zones, the policy is available at the next zone boot.
$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
$ auditconfig -setpolicy +perzone
$ auditconfig -getpolicy
configured audit policies = perzone,cnt
active audit policies = perzone,cnt
The audit service provides default values for audit queue parameters. You can inspect, change, and temporarily change these values with the auditconfig command.
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see How to Use Your Assigned Administrative Rights.
$ auditconfig -getqctrl ...
For an explanation of the output, see How to Display Audit Service Defaults.
For examples and a description of the audit queue controls, see the auditconfig(1M) man page.
To modify some or all audit queue controls, use the -setqctrl option.
# auditconfig [ -t ] -setqctrl hiwater lowater bufsz interval
For example, set the interval value to 10 without setting the other controls.
# auditconfig -setqctrl 0 0 0 10
To modify a specific audit queue control, specify its option. The -setqdelay option is the equivalent of -setqctrl 0 0 0 interval, as in # auditconfig -setqdelay 10.
# auditconfig [ -t ] -setqhiwater value
# auditconfig [ -t ] -setqlowater value
# auditconfig [ -t ] -setqbufsz value
# auditconfig [ -t ] -setqdelay value
Example 28-9 Resetting an Audit Queue Control to the Default
The administrator sets all audit queue controls, then changes the lowater value in the repository back to the default.
# auditconfig -setqctrl 200 5 10216 10
# auditconfig -setqctrl 200 0 10216 10
configured audit queue hiwater mark (records) = 200
no configured audit queue lowater mark
configured audit queue buffer size (bytes) = 10216
configured audit queue delay (ticks) = 10
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 5
active audit queue buffer size (bytes) = 10216
active audit queue delay (ticks) = 10
Later, the administrator sets the lowater value to the default for the current session.
# auditconfig -setqlowater 10
# auditconfig -getqlowater
configured audit queue lowater mark (records) = 10
active audit queue lowater mark (records) = 10
The /etc/security/audit_warn script generates mail to notify the administrator of audit incidents that might need attention. You can customize the script and you can send the mail to an account other than root.
If the perzone policy is set, the non-global zone administrator must configure the audit_warn email alias in the non-global zone.
Before You Begin
You must become an administrator who is assigned the solaris.admin.edit/etc/security/audit_warn authorization. By default, only the root role has this authorization. For more information, see How to Use Your Assigned Administrative Rights.
Choose one of the following options:
OPTION 1 – Replace the audit_warn email alias with another email account in the audit_warn script.
Change the audit_warn email alias in the ADDRESS line of the script to another address:
#ADDRESS=audit_warn    # standard alias for audit alerts
ADDRESS=audadmin       # role alias for audit alerts
Note - For information about the effects of modifying an audit configuration file, see Audit Configuration Files and Packaging.
OPTION 2 – Redirect the audit_warn email to another mail account.
Add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The /etc/mail/aliases entry would resemble the following if the root and audadmin email accounts were added as members of the audit_warn email alias:
audit_warn: root,audadmin
Then, run the newaliases command to rebuild the random access database for the aliases file.
# newaliases
/etc/mail/aliases: 14 aliases, longest 10 bytes, 156 bytes total
When you create your own audit class, you can place into it just those audit events that you want to audit for your site. This strategy can reduce the number of records that are collected and reduce noise in your audit trail.
When you add the class on one system, copy the change to all systems that are being audited. Best practice is to create audit classes before the first users log in.
Note - For information about the effects of modifying an audit configuration file, see Audit Configuration Files and Packaging.
Before You Begin
Choose free bits for your unique entry. Verify which bits are available for customer use in the /etc/security/audit_class file.
You must become an administrator who is assigned the solaris.admin.edit/etc/security/audit_class authorization. By default, only the root role has this authorization. For more information, see How to Use Your Assigned Administrative Rights.
# cp /etc/security/audit_class /etc/security/audit_class.orig
Each entry has the following format:
0x64bitnumber:flag:description
For a description of the fields, see the audit_class(4) man page. For the list of existing classes, read the /etc/security/audit_class file.
Tip - The audit configuration files from Oracle Solaris enable you to create your own package that contains these files and replace the Oracle Solaris packages with your site-customized files. When you set the preserve attribute to true in your package, the pkg subcommands, such as verify, fix, revert, and so on, will run relative to your packages. For more information, see the pkg(1) and pkg(5) man pages.
Example 28-10 Creating a New Audit Class
This example creates a class to hold administrative commands that are executed in a role. The added entry to the audit_class file is as follows:
0x0100000000000000:pf:profile command
The entry creates the new pf audit class. Example 28-11 populates the new audit class.
Troubleshooting
If you have customized the audit_class file, make sure that any audit flags that are assigned directly to users or rights profiles are consistent with the new audit classes. Errors occur when an audit_flags value is not a subset of the audit_class file.
You might want to change an audit event's class membership to reduce the size of an existing audit class, or to place the event in a class of its own.
Caution - Never comment out events in the audit_event file. This file is used by the praudit command to read binary audit files. Archived audit files might contain events that are listed in the file.
When you reconfigure audit event-class mappings on one system, copy the change to all systems that are being audited. Best practice is to change event-class mappings before the first users log in.
Note - For information about the effects of modifying an audit configuration file, see Audit Configuration Files and Packaging.
Before You Begin
You must become an administrator who is assigned the solaris.admin.edit/etc/security/audit_event authorization. By default, only the root role has this authorization. For more information, see How to Use Your Assigned Administrative Rights.
# cp /etc/security/audit_event /etc/security/audit_event.orig
Each entry has the following format:
number:name:description:class-list
number - Is the audit event ID.
name - Is the name of the audit event.
description - Typically, the system call or executable that triggers the creation of an audit record.
class-list - Is a comma-separated list of audit classes.
Tip - The audit configuration files from Oracle Solaris enable you to create your own package that contains these files and replace the Oracle Solaris packages with your site-customized files. When you set the preserve attribute to true in your package, the pkg subcommands, such as verify, fix, revert, and so on, will run relative to your packages. For more information, see the pkg(1) and pkg(5) man pages.
Example 28-11 Mapping Existing Audit Events to a New Class
This example maps an existing audit event to the new class that was created in Example 28-10. By default, the AUE_PFEXEC audit event is mapped to several audit classes. By creating the new class, the administrator can audit AUE_PFEXEC events without auditing the events in the other classes.
# grep pf /etc/security/audit_class
0x0100000000000000:pf:profile command
# grep AUE_PFEXEC /etc/security/audit_event
116:AUE_PFEXEC:execve(2) with pfexec enabled:ps,ex,ua,as,cusa
# pfedit /etc/security/audit_event
#116:AUE_PFEXEC:execve(2) with pfexec enabled:ps,ex,ua,as,cusa
116:AUE_PFEXEC:execve(2) with pfexec enabled:pf
# auditconfig -setflags lo,pf
user default audit flags = pf,lo(0x0100000000001000,0x0100000000001000)