Sun Microsystems, Inc.
24. Managing the BSM Service (Tasks)

Configuring Audit Files

How to Change Users' Audit Characteristics
Example -- Changing Auditing for One User

This example shows an entry that causes audit records to be generated any time the user sue accesses any programs in the login class (lo). An audit_user entry has the form username:always-audit-classes:never-audit-classes.

# grep sue /etc/security/audit_user
sue:lo:

Example -- Creating an Audit Admin Login

If all the audit partitions are full, it could be impossible to log in to a host: when all logins are audited, the full audit partitions prevent anyone from completing a login. To avoid this situation, you can set up a special login that is not audited. This login allows you to log in to the host even when the audit partitions are full, so that you can then fix the problem with the full partitions. In this example, the user auditadm is defined so that no auditing takes place.

# grep auditadm /etc/security/audit_user
auditadmin:no:yes

Note - The user login that is selected to serve as the audit admin login might need to be monitored in another way.


How to Change Audit Classes

Audit classes are defined in the /etc/security/audit_class file.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_class file.

    # cp /etc/security/audit_class /etc/security/audit_class.save

  3. Add new entries to the audit_class file.

    Each entry has the following format:

    0xnumber:name:description

    number        Defines the unique audit class mask.
    name          Defines the two-letter name of the audit class.
    description   Defines the descriptive name of the audit class.

  4. Make the new data available to the BSM service.

    To use the new data, either reboot the system, or type the following command:

    # auditconfig -conf

Example -- Setting a New Audit Class

In step 3, add an entry that resembles the following to set a new audit class called de:

0x00010000:de:device allocation

How to Change Audit Events

Audit event definitions are stored in the /etc/security/audit_event file. A record is generated only after the event definition has been created and a user-level action generates the event.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_event file.

    # cp /etc/security/audit_event /etc/security/audit_event.save

  3. Add new entries to the audit_event file.

    Each entry has the following format:

    number:name:description:classes

    number        Defines a unique audit event number, which must start after 32768.
    name          Defines the unique audit event name.
    description   Describes the audit event; often includes the name of the man page for the audit event.
    classes       Selects the audit classes that include this event.

  4. Make the new data available to the BSM service.

    To use the new data, either reboot the system, or type the following command:

    # auditconfig -conf

Example -- Adding a New Audit Event

This example shows an entry that defines a new audit event for a local application.

# grep localapp /etc/security/audit_event
32769:aue_localapp:localapp(1):ap
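Both procedures above end with auditconfig -conf reading the edited files, so a malformed or conflicting entry is best caught before that point. The following script is an added example, not part of the Sun documentation: check_new_events validates candidate audit_event entries against the existing audit_class and audit_event files (number above 32768 and unused, name unused, every referenced class defined). The sample files and their masks are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the Sun documentation: validate candidate
# audit_event entries against the existing audit_class and audit_event files
# before appending them and running "auditconfig -conf". It checks the
# number:name:description:classes layout, that the number is greater than 32768
# and not yet used, that the name is not yet used, and that every class exists.
check_new_events() {          # usage: check_new_events CLASS_FILE EVENT_FILE NEW_ENTRIES_FILE
    awk -F: '
        FNR == 1 { f++ }                               # which of the three files we are reading
        /^[ \t]*(#|$)/ { next }                        # skip blank lines and comments
        f == 1 { class[$2] = 1; next }                 # audit_class: 0xmask:name:description
        f == 2 { num[$1] = 1; name[$2] = 1; next }     # audit_event: number:name:description:classes
        {                                              # candidate entries
            if (NF != 4) { bad("expected number:name:description:classes"); next }
            if ($1 !~ /^[0-9]+$/ || $1 + 0 <= 32768) bad("event number must be greater than 32768")
            if ($1 in num) bad("event number already defined in audit_event")
            if ($2 in name) bad("event name already defined in audit_event")
            n = split($4, cls, ",")
            for (i = 1; i <= n; i++) if (!(cls[i] in class)) bad("unknown audit class " cls[i])
        }
        function bad(msg) { errors++; printf "%s: %s\n", $0, msg }
        END { exit errors > 0 }                        # exit 0 only if every entry is acceptable
    ' "$1" "$2" "$3"
}

# Constructed sample files standing in for /etc/security/audit_class and
# /etc/security/audit_event; masks and entries are illustrative only.
TMP=$(mktemp -d) && trap 'rm -rf "$TMP"' EXIT
printf '%s\n' '0x00000000:no:invalid class' '0x00001000:lo:login or logout' \
    '0x00010000:de:device allocation' '0xffffffff:all:all classes' > "$TMP/audit_class"
printf '%s\n' '# number:name:description:classes' '6152:AUE_login:login - local:lo' \
    '32769:aue_localapp:localapp(1):ap' > "$TMP/audit_event"
# One acceptable candidate, then four that each break one rule.
printf '%s\n' '32770:aue_devtool:devtool(1):de,lo' > "$TMP/new_ok"
printf '%s\n' '32768:aue_toolow:toolow(1):de' '32769:aue_dupnum:dupnum(1):de' \
    '32771:aue_localapp:dupname(1):de' '32772:aue_noclass:noclass(1):zz' > "$TMP/new_bad"

check_new_events "$TMP/audit_class" "$TMP/audit_event" "$TMP/new_ok" && echo "new_ok: all entries acceptable"
check_new_events "$TMP/audit_class" "$TMP/audit_event" "$TMP/new_bad" || echo "new_bad: rejected"
```

Against the real files, run it as check_new_events /etc/security/audit_class /etc/security/audit_event new_entries before appending new_entries to audit_event.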

Configuring the Audit Service

This section covers the tasks that are required to configure and enable the audit service.

Configuring the Audit Service (Task Map)

The following task map describes the tasks that are required to configure auditing.

1. Plan for auditing
   Description: Resolve configuration issues before you configure auditing.
   For instructions: Chapter 23, Audit Planning

2. Create audit partitions
   Description: Creates the partitions for the audit files.
   For instructions: "How to Create Partitions for Auditing"

3. Create the audit_warn alias
   Description: Defines who should get email warnings.
   For instructions: "How to Configure the audit_warn Alias"

4. (Optional) Change audit policies
   Description: Defines additional audit records or auditing conditions.
   For instructions: "How to Enable or Disable an Audit Policy"

5. (Optional) Change the audit configuration files
   Description: Selects which events, classes, and users require auditing.
   For instructions: "Configuring Audit Files"

6. Enable auditing
   Description: Turns on auditing.
   For instructions: "How to Enable Auditing"

7. (Optional) Disable auditing
   Description: Turns off auditing.
   For instructions: "How to Disable Auditing"

8. (Optional) Start device allocation
   Description: Selects which removable media should be accessed in a more secure mode.
   For instructions: "Managing Device Allocation"

How to Create Partitions for Auditing

The following procedure shows how to create partitions for auditing, as well as the corresponding file systems and directories. Skip steps as necessary, depending on whether you already have an empty partition or have already mounted an empty file system.

  1. Become superuser or assume an equivalent role.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. The actual requirement depends on how much auditing you perform, so it might be far greater than this figure. Remember to include a partition for a directory of last resort.

  3. Create dedicated audit partitions, as needed.

    This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see "Creating a UFS File System" in System Administration Guide: Basic Administration.

    # newfs /dev/rdsk/cwtxdysz

    Where /dev/rdsk/cwtxdysz is the raw device name for the partition.

    If the local host is to be audited, create an audit directory of last resort for it as well.

  4. Create mount points for each new partition.

    # mkdir /var/audit/server-name.n

    Where server-name.n is the name of the server and a number that identifies each partition. The number is optional, but it is useful when there are many audit directories.

  5. Add entries to automatically mount the new partitions.

    Add a line to the /etc/vfstab file that resembles the following:

    /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes  -

    The final field holds the mount options; a dash means that none are set.

  6. (Optional) Remove the minimum free space threshold on each partition.

    If you use the default configuration, a warning is generated when the directory is 80 percent full, so there is no reason to reserve free space on the partition.

    # tunefs -m 0 /var/audit/server-name.n

  7. Mount the new audit partitions.

    # mount /var/audit/server-name.n

  8. Create audit directories on the new partitions.

    # mkdir /var/audit/server-name.n/files

  9. Correct the permissions on the mount points and new directories.

    # chmod -R 750 /var/audit/server-name.n/files

  10. (Optional) On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, the directory must be shared through the NFS service. Add an entry resembling the following for each directory to the /etc/dfs/dfstab file.

    share -F nfs /var/audit/server-name.n/files

  11. (Optional) On a file server, restart the NFS service.

    If this is the first share command or set of share commands that you have issued, the NFS daemons are probably not running. The following commands stop the daemons and restart them. Refer to "Setting Up NFS Services" in System Administration Guide: Resource Management and Network Services for more information about the NFS service.

    # /etc/init.d/nfs.server stop
    # /etc/init.d/nfs.server start