Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

System Administration Guide: Security Services
Previous Next

Files Used in the Auditing Service

The auditing service uses the following files:

system File

The /etc/system file contains commands that the kernel reads during initialization to customize the system operations. The bsmconv and bsmunconv shell scripts, which are used to activate and deactivate auditing, modify the /etc/system file. The bsmconv shell script adds the following line to the /etc/system file:

set c2audit:audit_load=1

The set c2audit:audit_load=1 entry causes the kernel module for auditing to be loaded when the system is booted. The bsmunconv shell script disables auditing when the system is rebooted. The command removes the c2audit line from the /etc/system file.

syslog.conf File

The /etc/syslog.conf file works with the audit_control file to store audit records in text format. The syslog.conf file can be configured to enable the syslog utility to store audit records. For an example, see How to Configure syslog Audit Logs.

audit_class File

The /etc/security/audit_class file defines the audit classes. Audit classes are groups of audit events. You use the class name in the audit_control file to preselect the classes whose events you want to audit. The classes accept prefixes to select only failed events or only successful events. For more information, see Audit Class Syntax.

The superuser, or an administrator in an equivalent role, can modify the definitions of audit classes. This administrator can define new audit classes, rename existing classes, or otherwise change existing classes by editing the audit_class file in a text editor. For more information, see the audit_class(4) man page.

audit_control File

The /etc/security/audit_control file on each system contains configuration information for the auditd daemon. The file enables every system to mount a remote audit file system to store their audit records.

You can specify five kinds of information in the audit_control file. Each line of information begins with a keyword.

  • flags keyword – Begins the entry that preselects which classes of events are audited for all users on the system. The audit classes that are specified here determine the system-wide audit preselection mask. The audit classes are separated by commas.

  • naflags keyword – Begins the entry that preselects which classes of events are audited when an action cannot be attributed to a specific user. The audit classes are separated by commas. The na event class belongs in this entry. The naflags entry can be used to log other event classes that are normally attributable but cannot be attributed. For example, if a program that starts at boot reads a file, then an fr in the naflags entry would create a record for that event.

  • minfree keyword – Begins the entry that defines the minimum free-space level for all audit file systems. The minfree percentage must be equal to 0 or greater than 0. The default is 20 percent. When an audit file system is 80 percent full, the audit data is then stored in the next available audit directory. For more information, see the audit_warn(1M) man page.

  • dir keyword – Begins the directory definition lines. Each line defines an audit file system and directory that the system uses to store its audit files. You can define one or more directory definition lines. The order of the dir lines is significant. The auditd daemon creates audit files in the directories in the specified order. The first directory is the primary audit directory for the system. The second directory is the secondary audit directory where the auditd daemon creates audit files when the first directory becomes full, and so on. For more information, see the audit(1M) man page.

  • plugin keyword – Specifies the plugin path and the audit classes for the syslog plugin module. The module provides real-time conversion of Solaris audit records to text. The audit classes in the plugin line must be a subset of the audit classes in the flags line and the naflags line.

For more information about the audit_control file, see the audit_control(4) man page.

Example 31-2 Sample audit_control File

The following is a sample audit_control file for the system noddy. noddy uses two audit file systems on the audit server blinken, and a third audit file system that is mounted from the second audit server winken. The third file system is used only when the audit file systems on blinken become full or unavailable. The minfree value of 20 percent specifies that the warning script is run when the file systems are 80 percent full. The settings specify that logins and administrative operations are to be audited. The operations are audited for success and for failure. Failures of all types, except failures to create a file system object, are to be audited. Nonattributable events are also audited. The syslog audit log records fewer audit events. This log contains text summaries of failed logins and failed administrative operations.

flags:lo,am,-all,^-fc
naflags:lo,nt
minfree:20
dir:/etc/security/audit/blinken/files
dir:/etc/security/audit/blinken.1/files
#
# Audit filesystem used when blinken fills up
#
dir:/etc/security/audit/winken
plugin:name=audit_syslog.so.1; p_flags=-lo,-am

audit_event File

The /etc/security/audit_event file contains the default audit event-class mappings. You can edit this file to change the class mappings. When you change class mappings, you must reboot the system or run the auditconfig -conf command to read the changed mappings into the kernel. For more information, see the audit_event(4) man page.

audit_startup Script

The /etc/security/audit_startup script automatically configures the auditing service when the system enters multiuser mode. The auditd daemon starts after the script performs the following tasks:

  • Configures the audit event-class mappings

  • Sets the audit policy options

For more information, see the audit_startup(1M) man page.

audit_user Database

The /etc/security/audit_user database modifies the system-wide preselected classes for an individual user. The classes that you add to a user's entry in the audit_user database modify the settings in the audit_control file in two ways:

  • By specifying audit classes that are always to be audited for this user

  • By specifying audit classes that are never to be audited for this user

Each user entry in the audit_user database contains three fields:

username:always-audit-classes:never-audit-classes

The audit fields are processed in sequence. The always-audit-classes field turns on the auditing of the classes in that field. The never-audit-classes field turns off the auditing of the classes in that field.


Note - Avoid the common mistake of placing the all audit class in the never-audit-classes field. This mistake causes all auditing to be turned off for that user, which overrides the settings in the always-audit-classes field. The setting also overrides system-wide audit class settings in the audit_control file.


The never-audit-classes settings for a user override the system defaults. You might not want to override system defaults. For example, suppose you want to audit everything for user tamiko, except for successful reads of file system objects. You also want to apply the system defaults to tamiko. Note the placement of the second colon (:) in the following audit_user entries:

tamiko:all,^+fr:  correct entry

The correct entry means, “always audit everything, except for successful file-reads.”

tamiko:all:+fr    incorrect entry

The incorrect entry means, “always audit everything, but never audit successful file-reads.” The never-audit-classes field, which follows the second colon, overrides the system defaults. In the correct entry, the always-audit-classes field includes the exception to the all audit class. Because no audit class is in the never-audit-classes field, the system defaults from the audit_control file are not overridden.


Note - Successful events and failed events are treated separately. A process could generate more audit records for failed events than for successful events.


audit_warn Script

The /etc/security/audit_warn script notifies an email alias when the auditd daemon encounters an unusual condition while writing audit records. You can customize this script for your site to warn of conditions that might require manual intervention. Or, you could specify how to handle those conditions automatically. For all error conditions, the audit_warn script writes a message to syslog with the severity of daemon.alert. You can use syslog.conf to configure console display of syslog messages. The audit_warn script also sends a message to the audit_warn email alias. You should set up this alias when you enable auditing.

When the auditd daemon detects the following conditions, the daemon invokes the audit_warn script. The script sends email to the audit_warn alias.

  • An audit directory has become more full than the minfree value allows. The minfree value or soft limit is a percentage of the available space on an audit file system.

    The audit_warn script is invoked with the string soft and the name of the directory whose available space is below the minimum value. The auditd daemon switches automatically to the next suitable directory. The daemon writes the audit files in this new directory until the directory reaches its minfree limit. The auditd daemon then goes to each remaining directory in the order that is listed in the audit_control file. The daemon writes audit records until each directory is at its minfree limit.

  • All the audit directories have reached the minfree threshold.

    The audit_warn script is invoked with the string allsoft. A message is written to the console. Email is also sent to the audit_warn alias.

    When all audit directories that are listed in the audit_control file have reached their minfree threshold, the auditd daemon switches back to the first directory. The daemon writes audit records until the directory becomes completely full.

  • An audit directory has become completely full with no space remaining.

    The audit_warn script is invoked with the string hard and the name of the directory. A message is written to the console. Email is also sent to the audit_warn alias.

    The auditd daemon switches automatically to the next suitable directory with any space available. The auditd daemon goes to each remaining directory in the order that is listed in the audit_control file. The daemon writes audit records until each directory is full.

  • All the audit directories are completely full. The audit_warn script is invoked with the string allhard as an argument.

    By default, a message is written to the console. Email is also sent to the audit_warn alias. Processes that would otherwise generate audit records continue to occur, but audit records are counted. Audit records are not generated. For an example of how to handle this situation, see Example 30-14 and How to Prevent Audit Trail Overflow.

  • An internal error occurs. Possible internal errors include the following:

    • ebusy – Another auditd daemon process is already running

    • tmpfile – A temporary file cannot be used

    • postsigterm – A signal was received during auditing shutdown

  • A problem is discovered with the syntax of the audit_control file. By default, a message is sent to the console. Email is also sent to the audit_warn alias.

For further information, see the audit_warn(1M) man page.

bsmconv Script

The /etc/security/bsmconv script enables the auditing service. The bsmunconv command disables the auditing service. After the bsmconv script is run, you configure the audit directories and audit configuration files. Upon reboot, auditing is enabled.

For further information, see the bsmconv(1M) man page.

Previous Next

 
 
  Published under the terms fo the Public Documentation License Version 1.01. Design by Interspire