Example -- Changing Auditing for One User
This example shows an entry that causes audit records to be generated whenever the user sue accesses any program in the login class (lo).
# grep sue /etc/security/audit_user
sue:lo:
Example -- Creating an Audit Admin Login
If all the audit partitions are full, then it could be impossible to log in to a host. If all logins are audited, then the fact that the audit partitions are full would prevent anyone from completing a login. To avoid this situation, you can set up a special login that is not audited. This new login would allow you to log in to the host even if the audit partitions are full. Then, you could fix the problem with the full partitions. In this example, the user auditadm is defined so that no auditing takes place.
# grep auditadm /etc/security/audit_user
auditadmin:no:yes
Note - The user login that is selected to serve as the audit admin login might need to be monitored in another way.
How to Change Audit Classes
Audit classes are defined in the /etc/security/audit_class file.
1. Become superuser or assume an equivalent role.
2. (Optional) Save a backup copy of the audit_class file.
# cp /etc/security/audit_class /etc/security/audit_class.save
3. Add new entries to the audit_class file.
Each entry has the following format:
0xnumber:name:description
number
Defines the unique audit class mask.
name
Defines the two-letter name of the audit class.
description
Defines the descriptive name of the audit class.
4. Make the new data available to the BSM service.
To use the new data, either reboot the system or type the following command:
# auditconfig -conf
Example -- Setting a New Audit Class
In step 3, add an entry that resembles the following to set a new audit class called de:
0x00010000:de:device allocation
How to Change Audit Events
Audit event definitions are stored in the /etc/security/audit_event file. A record is generated only after the event definition has been created and a user-level action generates the event.
1. Become superuser or assume an equivalent role.
2. (Optional) Save a backup copy of the audit_event file.
# cp /etc/security/audit_event /etc/security/audit_event.save
3. Add new entries to the audit_event file.
Each entry has the following format:
number:name:description:classes
number
Defines a unique audit event number, which must start after 32768.
name
Defines the unique audit event name.
description
Describes the audit event. Often includes the name of the man page for the audit event.
classes
Selects the audit classes that include this event.
4. Make the new data available to the BSM service.
To use the new data, either reboot the system or type the following command:
# auditconfig -conf
Example -- Adding a New Audit Event
This example shows an entry that defines a new audit event for a local application.
# grep localapp /etc/security/audit_event
32769:aue_localapp:localapp(1):ap
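The two procedures above describe the audit_class and audit_event formats but give no way to check a set of new entries before they are loaded with auditconfig -conf. The following Python script is an added example, not part of this guide or of Solaris BSM: it parses both formats, flags duplicate class masks and names, masks that set more than one bit (the catch-all 0xffffffff mask is treated as the conventional exception), site event numbers that are not above 32768, duplicate event numbers and names, and events that reference a class audit_class does not define. The file contents embedded in the script are constructed samples with deliberate mistakes; the class masks in them are illustrative, not the values of a real audit_class file.

```python
"""Consistency checks for site-added audit_class and audit_event entries.

Added example, not from the guide: it parses the two colon-separated formats
documented above (0xnumber:name:description and number:name:description:classes)
and reports what a reviewer wants caught before running `auditconfig -conf`.
The file contents below are constructed samples, including deliberate mistakes.
"""

SITE_EVENT_MIN = 32768  # the guide: site-defined event numbers start after 32768

# Constructed audit_class sample: lines 6 and 7 are intentionally wrong.
AUDIT_CLASS_SAMPLE = """\
# comment lines and blank lines are ignored
0x00000000:no:invalid class
0x00001000:lo:login or logout
0x00010000:de:device allocation
0x00020000:ap:application
0x00020000:xy:duplicate mask on purpose
0x00030000:mb:two bits set on purpose
"""

# Constructed audit_event sample: line 1 is the guide's entry, lines 2-4 are wrong.
AUDIT_EVENT_SAMPLE = """\
32769:aue_localapp:localapp(1):ap
32770:aue_badclass:badclass(1):zz
100:aue_lowno:lowno(1):ap
32770:aue_dup:dup(1):lo,de
"""


def _entries(text):
    """Yield (line_no, stripped line) for every non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line_no, line


def parse_audit_class(text):
    """Return ({name: mask}, problems) for audit_class text (0xnumber:name:description)."""
    classes, owners, problems = {}, {}, []
    for line_no, line in _entries(text):
        fields = line.split(":", 2)
        if len(fields) != 3:
            problems.append(f"audit_class:{line_no}: expected 0xnumber:name:description")
            continue
        mask_text, name, _description = fields
        try:
            mask = int(mask_text, 16)
        except ValueError:
            problems.append(f"audit_class:{line_no}: mask {mask_text!r} is not hexadecimal")
            continue
        if len(name) != 2:
            problems.append(f"audit_class:{line_no}: class name {name!r} is not two letters")
        if name in classes:
            problems.append(f"audit_class:{line_no}: class name {name!r} already defined")
        if mask in owners:
            problems.append(f"audit_class:{line_no}: mask 0x{mask:08x} already used by class {owners[mask]!r}")
        # A class normally owns one bit of the 32-bit mask; 0 (no class) and the
        # conventional catch-all 0xffffffff are the exceptions, so flag other multi-bit masks.
        if mask not in (0, 0xFFFFFFFF) and mask & (mask - 1):
            problems.append(f"audit_class:{line_no}: mask 0x{mask:08x} sets more than one bit")
        classes.setdefault(name, mask)
        owners.setdefault(mask, name)
    return classes, problems


def parse_audit_event(text, classes):
    """Return ({number: name}, problems) for site-added audit_event text
    (number:name:description:classes), resolving class names against `classes`."""
    events, names, problems = {}, set(), []
    for line_no, line in _entries(text):
        fields = line.split(":", 3)
        if len(fields) != 4:
            problems.append(f"audit_event:{line_no}: expected number:name:description:classes")
            continue
        number_text, name, _description, class_list = fields
        if not number_text.isdigit():
            problems.append(f"audit_event:{line_no}: event number {number_text!r} is not numeric")
            continue
        number = int(number_text)
        if number <= SITE_EVENT_MIN:
            problems.append(f"audit_event:{line_no}: site event number {number} is not above {SITE_EVENT_MIN}")
        if number in events:
            problems.append(f"audit_event:{line_no}: event number {number} already used by {events[number]!r}")
        if name in names:
            problems.append(f"audit_event:{line_no}: event name {name!r} already defined")
        for cls in filter(None, class_list.split(",")):
            if cls not in classes:
                problems.append(f"audit_event:{line_no}: class {cls!r} is not defined in audit_class")
        events.setdefault(number, name)
        names.add(name)
    return events, problems


def check_audit_config(class_text=AUDIT_CLASS_SAMPLE, event_text=AUDIT_EVENT_SAMPLE):
    """Run both parsers and return every problem found, audit_class problems first."""
    classes, problems = parse_audit_class(class_text)
    _events, event_problems = parse_audit_event(event_text, classes)
    return problems + event_problems


if __name__ == "__main__":
    for problem in check_audit_config():
        print(problem)
```

Run it against the real files with check_audit_config(open("/etc/security/audit_class").read(), site_entries) where site_entries holds only the lines you are about to add; the full audit_event file contains system events below 32768 by design, so the numbering check applies to the new entries, not to the shipped ones.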
Configuring the Audit Service
This section covers the tasks that are required to configure and enable the audit service.
Configuring the Audit Service (Task Map)
The following task map describes the tasks that are required to configure auditing.
Task | Description
---|---
1. Plan for auditing | Resolves configuration issues before you configure auditing.
2. Create audit partitions | Creates the partitions for the audit files.
3. Create the audit_warn alias | Defines who should get email warnings.
4. (Optional) Change audit policies | Defines additional audit records or auditing conditions.
5. (Optional) Change the audit configuration files | Selects which events, classes, and users require auditing.
6. Enable auditing | Turns on auditing.
7. (Optional) Disable auditing | Turns off auditing.
8. (Optional) Start device allocation | Selects which removable media should be accessed in a more secure mode.
How to Create Partitions for Auditing
The following procedure shows how to create partitions for auditing, as well as the corresponding file systems and directories. Skip steps as necessary, depending on whether you already have an empty partition or have already mounted an empty file system.
1. Become superuser or assume an equivalent role.
2. Determine the amount of disk space that is required.
Assign at least 200 Mbytes of disk space per host. However, the disk space requirements depend on how much auditing you perform, so your requirements might be far greater than this figure. Remember to include a partition for a directory of last resort.
3. Create dedicated audit partitions, as needed.
This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see "Creating a UFS File System" in System Administration Guide: Basic Administration.
# newfs /dev/rdsk/cwtxdysz
Where /dev/rdsk/cwtxdysz is the raw device name for the partition.
If the local host is to be audited, create an audit directory of last resort for it as well.
4. Create mount points for each new partition.
# mkdir /var/audit/server-name.n
Where server-name.n is the name of the server followed by a number that identifies each partition. The number is optional, but it is useful when there are many audit directories.
5. Add entries to automatically mount the new partitions.
Add a line to the /etc/vfstab file that resembles the following (the final field holds the mount options; "-" means none):
/dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n ufs 2 yes -
6. (Optional) Remove the minimum free space threshold on each partition.
If you use the default configuration, a warning is generated when the directory is 80 percent full, so there is no reason to reserve free space on the partition.
# tunefs -m 0 /var/audit/server-name.n
7. Mount the new audit partitions.
# mount /var/audit/server-name.n
8. Create audit directories on the new partitions.
# mkdir /var/audit/server-name.n/files
9. Correct the permissions on the mount points and new directories.
# chmod -R 750 /var/audit/server-name.n/files
10. (Optional) On a file server, define the file systems to be made available to other hosts.
Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, the directory must be shared through the NFS service. Add an entry resembling the following for each directory to the /etc/dfs/dfstab file:
share -F nfs /var/audit/server-name.n/files
11. (Optional) On a file server, restart the NFS service.
If this is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart them. Refer to "Setting Up NFS Services" in System Administration Guide: Resource Management and Network Services for more information about the NFS service.
# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start
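Two parts of the procedure above are easy to get subtly wrong and hard to notice until an audit partition fails to mount or a record turns out to be world-readable: the seven-field /etc/vfstab line and the 750 permissions. The following Python script is an added example, not part of this guide or of Solaris: check_vfstab_audit_line() validates a vfstab line against the layout the procedure uses (block device under /dev/dsk, matching raw device under /dev/rdsk, mount point under /var/audit, ufs, numeric fsck pass, mount at boot), and check_audit_dir_mode() walks an audit tree and reports every directory or file whose mode grants a bit that 750 does not. demo_mode_check() builds a small constructed tree in a temporary directory so the mode check runs offline; the cwtxdysz and server-name.n tokens are the guide's placeholders, and the sample record file is constructed, not a real audit file.

```python
"""Checks for the audit-partition setup described in the procedure above.

Added example, not from the guide. The vfstab line below is the guide's
template with its mount-options field present; device names are placeholders.
"""
import os
import stat
import tempfile

VFSTAB_FIELDS = ("device to mount", "device to fsck", "mount point",
                 "FS type", "fsck pass", "mount at boot", "mount options")

# The guide's template line; "-" in the last field means no mount options.
GUIDE_VFSTAB_LINE = "/dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n ufs 2 yes -"


def check_vfstab_audit_line(line):
    """Return a list of problems with one vfstab line meant for an audit partition."""
    fields = line.split()
    if len(fields) != len(VFSTAB_FIELDS):
        return [f"expected {len(VFSTAB_FIELDS)} fields ({', '.join(VFSTAB_FIELDS)}), got {len(fields)}"]
    dev, rdev, mount_point, fstype, fsck_pass, at_boot, _options = fields
    problems = []
    if not dev.startswith("/dev/dsk/"):
        problems.append(f"device to mount {dev!r} is not a block device under /dev/dsk")
    # The raw (fsck) device must name the same slice as the block device.
    if not rdev.startswith("/dev/rdsk/") or os.path.basename(rdev) != os.path.basename(dev):
        problems.append(f"device to fsck {rdev!r} does not match the block device {dev!r}")
    if not mount_point.startswith("/var/audit/"):
        problems.append(f"mount point {mount_point!r} is outside /var/audit")
    if fstype != "ufs":
        problems.append(f"FS type {fstype!r} is not ufs")
    if not fsck_pass.isdigit():
        problems.append(f"fsck pass {fsck_pass!r} is not a number")
    if at_boot != "yes":
        problems.append(f"mount at boot is {at_boot!r}; the procedure mounts audit partitions at boot")
    return problems


def check_audit_dir_mode(path, expected=0o750):
    """Return (path, mode) for every directory and file under path whose mode
    grants any permission bit that `expected` (default 750) does not grant."""
    too_open = []
    for root, _dirs, files in os.walk(path):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            mode = stat.S_IMODE(os.lstat(entry).st_mode)
            if mode & ~expected:
                too_open.append((entry, oct(mode)))
    return too_open


def demo_mode_check():
    """Build a constructed audit tree, loosen one entry, and return offenders' relative paths."""
    with tempfile.TemporaryDirectory() as base:
        files_dir = os.path.join(base, "files")
        old_dir = os.path.join(files_dir, "old")
        os.makedirs(old_dir)
        for directory in (base, files_dir, old_dir):
            os.chmod(directory, 0o750)  # what chmod -R 750 leaves behind
        record = os.path.join(old_dir, "sample-record")  # constructed, not a real audit file
        with open(record, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(record, 0o644)  # world-readable: the drift the mode check is meant to catch
        return [os.path.relpath(p, base) for p, _mode in check_audit_dir_mode(base)]


if __name__ == "__main__":
    print(check_vfstab_audit_line(GUIDE_VFSTAB_LINE))
    print(demo_mode_check())
```

On a live system, run check_audit_dir_mode("/var/audit/server-name.n") after step 9 and feed each audit line from /etc/vfstab to check_vfstab_audit_line() after step 5; an empty list from both means the procedure left no obvious gaps.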