Gopi Desaboyina Solaris Blogs


Enabling User Audit in Solaris 10

Simple Steps for Enabling Administrative Auditing

1. Edit /etc/security/audit_control with the following:

dir:/var/audit # Where the system should create audit files.
flags:ss,as # Which audit classes should be recorded. ss: system state changes such as init and reboot;
# as: system-wide administration such as disabling/restarting services. See /etc/security/audit_class for the full list.
minfree:20 # Percentage of disk space that must be free before audit files are written.
naflags:lo # Non-attributable flags: audit classes for events that cannot be attributed to any particular user session.
plugin: name=audit_syslog.so;p_flags=ss # A nice Solaris 10 feature: sends audit records for the listed classes to syslog.

2. Run /etc/security/bsmconv to enable auditing in the kernel, then reboot the system.
3. Once the system comes back up, check whether the auditd service is running. If it is disabled, enable it with: svcadm enable auditd
4. The steps above enable auditing for administrative tasks and system state changes.
5. As soon as auditing is enabled you will see files appearing in /var/audit/. They are in binary format.
6. To read the binary audit files, use praudit, which has options for short and long output (-s / -l) and -x for XML output, which is easier to read.

Example:
gopid@goptest#pfexec praudit -x 20090830022448.20090830022823.opensolaris
<record version="2" event="profile command" host="localhost" iso8601="2009-08-29 22:28:13.868 -04:00">
<subject audit-uid="gopid" uid="root" gid="staff" ruid="gopid" rgid="staff" pid="1010" sid="3430142913" tid="0 0 localhost"/>
<path>/var/audit</path>
<path>/sbin/init</path>
<cmd><argv>s</argv></cmd>

In the output above, init was run with the argument s by uid root; the audit-uid field shows that this was really gopid, who had su'ed to root, and the first path shows the working directory, /var/audit.
7. To get these records into syslog, enable the plugin in /etc/security/audit_control (already done in step 1), then edit /etc/syslog.conf to capture audit records by adding the line: audit.notice /var/adm/messages. Restart syslogd.
8. You will then see messages like the one below in syslog. Note that the full command may not appear, because syslog will not capture more than the 1024-byte record size.
opensolaris audit: [ID 702911 audit.notice] profile command ok session 2600360004 by gopid as root:staff from opensolaris proc_auid gopid proc_uid root obj /sbin/init
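Once these records reach syslog, the field worth watching is the gap between the login identity (audit-uid, "by gopid") and the identity the command actually ran as ("as root:staff"). The following is an added example, not code from the original post: a small parser for audit_syslog lines in the shape shown above that flags events where the two identities differ. It assumes the field order seen in that single sample line; the extra sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Field layout inferred from the single audit_syslog line quoted in the post (assumption).
AUDIT_RE = re.compile(
    r"^(?P<host>\S+) audit: \[ID \d+ audit\.\w+\] "
    r"(?P<event>.+?) (?P<status>ok|failed) session (?P<sid>\d+) "
    r"by (?P<auid>\S+) as (?P<uid>[^:\s]+):\S+ from \S+"
    r"(?: proc_auid \S+)?(?: proc_uid \S+)?(?: obj (?P<obj>\S+))?\s*$"
)

@dataclass
class AuditRecord:
    host: str
    event: str
    status: str
    session: str
    audit_uid: str      # who logged in (audit-uid); fixed for the whole session
    uid: str            # who the event actually ran as
    obj: Optional[str]  # object acted on, here the command path

    @property
    def escalated(self) -> bool:
        # Ran as a different user than the one who logged in (su/pfexec); audit-uid makes this visible.
        return self.audit_uid != self.uid

def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Parse one audit_syslog record; return None for other syslog lines."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    return AuditRecord(m["host"], m["event"], m["status"], m["sid"],
                       m["auid"], m["uid"], m["obj"])

def escalated_actions(lines: Iterable[str]) -> List[AuditRecord]:
    """Keep audited events that ran as someone other than the login user."""
    recs = (parse_audit_line(l) for l in lines)
    return [r for r in recs if r is not None and r.escalated]

# First entry is the record quoted in the post; the other two are constructed samples (not real output).
SAMPLE_LOG = [
    "opensolaris audit: [ID 702911 audit.notice] profile command ok session 2600360004 "
    "by gopid as root:staff from opensolaris proc_auid gopid proc_uid root obj /sbin/init",
    "opensolaris audit: [ID 702911 audit.notice] profile command ok session 2600360005 "
    "by gopid as gopid:staff from opensolaris proc_auid gopid proc_uid gopid obj /usr/bin/ls",
    "opensolaris audit: [ID 702911 audit.notice] profile command failed session 2600360006 "
    "by gopid as root:staff from opensolaris proc_auid gopid proc_uid root obj /sbin/init",
]
```

Running escalated_actions(SAMPLE_LOG) returns the first and third records, both showing gopid acting as root on /sbin/init, while the plain gopid command is dropped.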

For more information, see the following docs and blogs.
http://docs.sun.com/app/docs/doc/816-4557/audittm-1?a=view
http://www.cuddletech.com/blog/pivot/entry.php?id=647

August 30, 2009 - Posted by | Solaris |
