Example -- Creating an Audit Directory of Last Resort
All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system named egret. Since this file system is only used locally, none of the steps for a file server are followed.
# newfs /dev/rdsk/c0t2d0
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret ufs 2 yes -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files
Example -- Creating New Audit Partitions
In this example, a new file system is created on two new disks that are to be used by other systems in the network.
# newfs /dev/rdsk/c0t2d0
# newfs /dev/rdsk/c0t2d1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret.1 ufs 2 yes -
/dev/dsk/c0t2d1s1 /dev/rdsk/c0t2d1s1 /var/audit/egret.2 ufs 2 yes -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
share -F nfs /var/audit/egret.1/files
share -F nfs /var/audit/egret.2/files
# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start
How to Configure the audit_warn Alias
The audit_warn script generates mail to an alias called audit_warn. To deliver this mail to a valid email address, use either one of the following two options:
Become superuser or assume an equivalent role.
- (Optional)
Swap the audit_warn alias with another alias.
One option is to edit the audit_warn script and replace audit_warn with another alias. After you swap audit_warn for root, the line that sends the email message would resemble the following:
/usr/ucb/mail -s "$SUBJECT" root
Ten lines in the script require this change.
- (Optional)
Redirect the audit_warn email to another alias.
The other option is to redirect the email in the /etc/mail/aliases file. In this case, you would add an alias similar to the following to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the email were to be redirected to the root alias:
audit_warn: root
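The first option above (rewriting the recipient on every mail line of the audit_warn script) can be done and verified with sed and grep rather than by hand. This is an added example, not part of the Solaris manual: it builds a constructed stand-in for the script in a temporary file, swaps the recipient on the mail lines only, and counts the lines that now go to the new alias; the stand-in file contents and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Solaris manual). Rewrites the alias that
# receives audit_warn mail in a copy of the script and verifies the change.

# Build a small constructed stand-in for /etc/security/audit_warn: ten
# lines that mail to the audit_warn alias, as the manual describes.
make_sample_audit_warn() {
    f=$1
    {
        echo '#!/bin/sh'
        echo 'SUBJECT="AUDIT DAEMON WARNING"'
        i=0
        while [ "$i" -lt 10 ]; do
            echo 'echo "$MESSAGE" | /usr/ucb/mail -s "$SUBJECT" audit_warn'
            i=$((i + 1))
        done
    } > "$f"
}

# Replace the recipient alias at the end of each mail line with $2.
# Only the mail lines are touched; any other use of the word audit_warn
# in the script is left alone.
swap_audit_warn_alias() {
    f=$1; new=$2
    sed "s|\(/usr/ucb/mail -s \"\$SUBJECT\" \)audit_warn\$|\1$new|" "$f" > "$f.new" \
        && mv "$f.new" "$f"
}

# Count the mail lines in $1 that deliver to alias $2 (prints 0 if none).
count_mail_lines_to() {
    grep -c "/usr/ucb/mail -s \"\$SUBJECT\" $2\$" "$1" || :
}
```

Run count_mail_lines_to on the real script before and after editing to confirm that all ten lines, and only those, changed.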
How to Enable or Disable an Audit Policy
Audit policies determine the characteristics of the audit records for the local host. Audit policies are either enabled or disabled for a particular configuration. By default, all audit policies are disabled. You need to enable any audit policies that you want to use. For a description of each policy, see "Audit Policies".
Become superuser or assume an equivalent role.
- (Optional)
Review the existing audit policies.
Ensure that you are aware of all the policies that are being used before you change any. The following command lists the enabled policies:
# auditconfig -lspolicy
Enable or disable the audit policy.
# auditconfig -setpolicy flagpolicyname
flag
    A + enables the policy. A - disables the policy. The flag is written directly in front of the policy name, for example +cnt.
policyname
    Selects the policy to be enabled or disabled.
The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.
Example -- Setting the cnt Policy
The cnt policy can be set so that if the audit partitions become full, then processes are not blocked. The records are discarded when the partitions are full, but the system still functions even though the auditing process is not recording the events. The cnt policy should not be set if security is paramount, since unrecorded events can occur if the file system is full.
The following command enables the cnt policy:
# auditconfig -setpolicy +cnt
For a secure site, you should enable the cnt policy in an appropriate startup file.
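Because a policy set with auditconfig -setpolicy lasts only until the next boot, a startup file has to apply the intended set every time. The following added example (not from the Solaris manual) takes the output of auditconfig -lspolicy and a desired policy list and prints the -setpolicy commands needed to reach that list, so a startup file can be checked against what is actually enabled. The "audit policies = name,name" output format and the sample output are assumptions, constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Solaris manual): plan the auditconfig
# -setpolicy calls needed to move from the currently enabled policies to a
# desired set. The -lspolicy output line below is constructed and its
# format ("audit policies = a,b") is assumed.

SAMPLE_LSPOLICY='audit policies = cnt,argv'

# Print the enabled policy names from -lspolicy output, one per line.
# The keyword "none" means no policy is enabled and yields no output.
enabled_policies() {
    printf '%s\n' "$1" | sed -n 's/^audit policies = //p' \
        | tr ',' '\n' | sed '/^none$/d;/^$/d'
}

# $1: -lspolicy output, $2: desired policies, space-separated.
# Prints one "auditconfig -setpolicy +name" for each policy to enable and
# one "auditconfig -setpolicy -name" for each policy to disable.
plan_policy_changes() {
    current=$(enabled_policies "$1")
    desired=$2
    # Wanted but not currently enabled: enable.
    for p in $desired; do
        printf '%s\n' "$current" | grep -qx "$p" \
            || echo "auditconfig -setpolicy +$p"
    done
    # Currently enabled but not wanted: disable.
    for p in $current; do
        case " $desired " in
            *" $p "*) ;;
            *) echo "auditconfig -setpolicy -$p" ;;
        esac
    done
}
```

On a live system, pass the real output of auditconfig -lspolicy as the first argument instead of the constructed sample.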
How to Enable Auditing
This task starts the auditing service. If the service has been configured, then rebooting the host also starts the service.
Become superuser or assume an equivalent role.
Bring the system into single-user mode.
# /etc/telinit 1
See the telinit(1M) man page for more information.
Run the script to configure the system to run auditing.
Go to the /etc/security directory, and execute the bsmconv script there. The script sets up a standard Solaris machine to run BSM after a reboot. See the bsmconv(1M) man page.
# cd /etc/security
# ./bsmconv
Bring the system into multiuser mode.
# /etc/telinit 6
The startup file /etc/security/audit_startup causes the audit daemon to run automatically when the system enters multiuser mode.
Note - The bsmconv script adds a line to the /etc/system file that prevents users from aborting the system with the Stop-A keyboard sequence. To retain the ability to abort the system with the Stop-A keyboard sequence, you must comment out the line in the /etc/system file that reads: set abort_enable=0.
How to Disable Auditing
If BSM is no longer required at some point, you can disable it by running the bsmunconv command. See the bsmconv(1M) man page.
Become superuser or assume an equivalent role.
Bring the system into single-user mode.
# /etc/telinit 1
See the telinit(1M) man page for more information.
Run the script to disable auditing.
Change to the /etc/security directory, and execute the bsmunconv script there.
# cd /etc/security
# ./bsmunconv
Bring the system into multiuser mode.
# /etc/telinit 6
Note - The bsmunconv script removes the line in the /etc/system file that allows users to abort the system with the Stop-A keyboard sequence. If you want to continue to prevent users from aborting the system with the Stop-A keyboard sequence after you run the bsmunconv script, you must reenter into the /etc/system file the line that reads: set abort_enable=0.