Configuring the Auditing Service in Zones (Tasks)
The auditing service audits the entire system, including audit events in zones. A
system with non-global zones installed can audit all zones identically, or can
control auditing per zone. For background, see Auditing on a System With Zones. To plan, see How to Plan Auditing in Zones.
How to Configure All Zones Identically for Auditing
This procedure audits every zone identically. This method requires the least computer
overhead and the fewest administrative resources.
- Configure the global zone for auditing.
- Complete the tasks in Configuring Audit Files (Task Map).
- Complete the tasks in Configuring and Enabling the Auditing Service (Task Map), with the following exceptions.
- Copy the audit configuration files from the global zone to every non-global zone.
Copy any of the following files that you have edited: audit_class, audit_control, audit_event,
audit_user. Do not copy audit_startup or audit_warn; those two files are read in the global zone only. You do not have to
copy files that you have not edited.
You have two options. As superuser, you can copy the files, or
loopback mount the files. To copy the files, the non-global zone must be running.
- Copy the files.
- From the global zone, list the /etc/security directory in the non-global zone. Here /zone/zonename stands for the root of the zone's file system as seen from the global zone, that is, the zone's zonepath followed by /root.
# ls /zone/zonename/etc/security/
- Copy the audit configuration files to the zone's /etc/security directory.
# cp /etc/security/audit-file /zone/zonename/etc/security/audit-file
Later, if you modify an audit configuration file in the global zone, you
must re-copy the file to every non-global zone; the zones do not pick up the change on their own.
- Loopback mount the configuration files.
- From the global zone, halt the non-global zone.
# zoneadm -z non-global-zone halt
- Create a read-only loopback mount for every audit configuration file that you modified
in the global zone. A lofs mount needs an existing mount point, so the file must already exist at the same path inside the zone. In zonecfg(1M) the resource type is fs and the mount-point property is dir:
# zonecfg -z non-global-zone
add fs
set special=/etc/security/audit-file
set dir=/etc/security/audit-file
set type=lofs
add options [ro,nodevices,nosetuid]
end
commit
exit
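The copy option above, generalized to every running non-global zone and with each copy verified, as an added example that is not part of the original documentation. It assumes the parseable output of zoneadm list -cp has the form zoneid:zonename:state:zonepath:uuid:brand:ip-type and that a zone's root file system is at zonepath/root; the function names running_zone_roots and sync_audit_files are this example's own. Run it as superuser in the global zone; on Solaris 10 use /usr/bin/ksh, because the legacy /bin/sh lacks $(...) and $((...)).

```shell
#!/bin/sh
# Added example, not from the original documentation. Pushes the edited
# audit configuration files from the global zone into every running
# non-global zone and verifies each copy.
#
# Assumptions (this example's, not the page's):
#   - `zoneadm list -cp` prints zoneid:zonename:state:zonepath:uuid:brand:ip-type
#   - a zone's root file system is at <zonepath>/root

# Files that may be copied; audit_startup and audit_warn are deliberately
# excluded because they are read in the global zone only.
AUDIT_FILES="audit_class audit_control audit_event audit_user"

# running_zone_roots: reads `zoneadm list -cp` output on stdin and prints
# "<zonename> <zonepath>/root" for every running non-global zone.
running_zone_roots() {
    awk -F: '$2 != "global" && $3 == "running" { print $2, $4 "/root" }'
}

# sync_audit_files <global /etc/security dir> <zone root> [file ...]
# Copies each named file (default: all four) that differs from the global
# copy, verifies it with cmp, and returns the number of failures.
sync_audit_files() {
    src=$1; zroot=$2; shift 2
    [ $# -gt 0 ] || set -- $AUDIT_FILES
    failures=0
    for f in "$@"; do
        case $f in
            audit_startup|audit_warn)
                echo "skip $f (read in the global zone only)"
                continue ;;
        esac
        [ -f "$src/$f" ] || continue          # not edited in the global zone: nothing to push
        dst="$zroot/etc/security/$f"
        if [ -f "$dst" ] && cmp -s "$src/$f" "$dst"; then
            echo "unchanged $f"
        elif cp -p "$src/$f" "$dst" && cmp -s "$src/$f" "$dst"; then
            echo "copied $f"
        else
            echo "FAILED $f -> $dst" >&2
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Real use, from the global zone:
#   zoneadm list -cp | running_zone_roots | while read zname zroot; do
#       sync_audit_files /etc/security "$zroot"
#   done

# Offline demonstration with constructed data in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    gz="$tmp/gz/etc/security"; web="$tmp/zones/web/root"
    mkdir -p "$gz" "$web/etc/security"
    # constructed audit_control files: the global zone now audits lo,ex;
    # the zone still carries the old lo-only copy
    printf 'dir:/var/audit\nflags:lo,ex\nminfree:20\nnaflags:lo\n' > "$gz/audit_control"
    printf 'dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo\n' > "$web/etc/security/audit_control"
    # constructed zoneadm output: "app" is installed but not running, so it is skipped
    printf '0:global:running:/::native:shared\n1:web:running:%s/zones/web::native:shared\n-:app:installed:%s/zones/app::native:shared\n' "$tmp" "$tmp" |
        running_zone_roots |
        while read zname zroot; do
            echo "== $zname ($zroot)"
            sync_audit_files "$gz" "$zroot" audit_control audit_warn
        done
    rm -rf "$tmp"
}
demo
```

The zone filter deliberately ignores zones that are configured or installed but not running; boot those and rerun, or the stale copy will be read the next time the zone starts.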
Example 30-22 Loopback Mounting Audit Configuration Files
In this example, the system administrator has modified the audit_class, audit_event, audit_control,
audit_user, audit_startup, and audit_warn files.
The audit_startup and audit_warn files are read in the global zone only, so they
do not have to be loopback mounted into the non-global zones.
On this system, machine1, the administrator has created two non-global zones, machine1-webserver and
machine1-appserver.
# zoneadm -z machine1-webserver halt
# zoneadm -z machine1-appserver halt
# zonecfg -z machine1-webserver
add fs
set special=/etc/security/audit_class
set dir=/etc/security/audit_class
set type=lofs
add options [ro,nodevices,nosetuid]
end
add fs
set special=/etc/security/audit_event
set dir=/etc/security/audit_event
set type=lofs
add options [ro,nodevices,nosetuid]
end
add fs
set special=/etc/security/audit_control
set dir=/etc/security/audit_control
set type=lofs
add options [ro,nodevices,nosetuid]
end
add fs
set special=/etc/security/audit_user
set dir=/etc/security/audit_user
set type=lofs
add options [ro,nodevices,nosetuid]
end
commit
exit
# zonecfg -z machine1-appserver
add fs
set special=/etc/security/audit_class
set dir=/etc/security/audit_class
set type=lofs
add options [ro,nodevices,nosetuid]
end
...
commit
exit
When the zones are rebooted, the audit configuration files are read-only in the
zones. Because the zones now read the global zone's copies, a change that the global administrator makes
to a file in the global zone is immediately visible in the non-global zones; nothing has to be re-copied.
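The per-file stanzas in the example above are repetitive and easy to mistype, so here is an added example, not part of the original documentation, that generates them as a zonecfg(1M) command file for any list of edited files and optionally applies it with zonecfg -z zone -f file. The function names lofs_audit_cmds and apply_lofs_audit are this example's own, and it assumes the zone root is zonepath/root. On Solaris 10 run it with /usr/bin/ksh.

```shell
#!/bin/sh
# Added example, not from the original documentation. Generates the
# zonecfg(1M) commands that loopback-mount edited audit configuration
# files read-only into a non-global zone, and optionally applies them.
# Assumptions (this example's): the zone root is <zonepath>/root.

# lofs_audit_cmds <zone root or ""> <file ...>
# Prints one "add fs" stanza per file on stdout. A lofs mount needs an
# existing mount point, so when a zone root is given, files that do not
# exist inside the zone are reported on stderr and skipped; pass "" to
# generate without checking (for example, on a different host).
lofs_audit_cmds() {
    zroot=$1; shift
    for f in "$@"; do
        case $f in
            audit_startup|audit_warn)
                echo "skip $f: read in the global zone only, not mounted" >&2
                continue ;;
        esac
        if [ -n "$zroot" ] && [ ! -f "$zroot/etc/security/$f" ]; then
            echo "skip $f: no mount point $zroot/etc/security/$f in the zone" >&2
            continue
        fi
        printf 'add fs\n'
        printf 'set special=/etc/security/%s\n' "$f"
        printf 'set dir=/etc/security/%s\n' "$f"
        printf 'set type=lofs\n'
        printf 'add options [ro,nodevices,nosetuid]\n'
        printf 'end\n'
    done
    printf 'commit\nexit\n'
}

# apply_lofs_audit <zonename> <file ...>
# Looks up the zonepath, halts the zone, writes the commands to a
# temporary file and feeds it to zonecfg. The mounts appear when the
# zone is booted again.
apply_lofs_audit() {
    zone=$1; shift
    zpath=$(zoneadm -z "$zone" list -p | awk -F: '{ print $4 }')
    [ -n "$zpath" ] || { echo "zone $zone not found" >&2; return 1; }
    zoneadm -z "$zone" halt
    cmdfile=$(mktemp) || return 1
    lofs_audit_cmds "$zpath/root" "$@" > "$cmdfile" || { rm -f "$cmdfile"; return 1; }
    zonecfg -z "$zone" -f "$cmdfile"; rc=$?
    rm -f "$cmdfile"
    [ $rc -eq 0 ] && echo "now boot the zone: zoneadm -z $zone boot"
    return $rc
}

# Demonstration: print the command file for two edited files plus one
# that must not be mounted, without touching any zone (the empty zone
# root skips the mount-point check).
lofs_audit_cmds "" audit_class audit_control audit_warn
```

In the real procedure you would call apply_lofs_audit machine1-webserver audit_class audit_event audit_control audit_user for each zone, then boot the zone; the halt is kept because that is the order the procedure above uses, and the fs resource only takes effect at the next zone boot.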
How to Configure Per-Zone Auditing
This procedure enables separate zone administrators to control the auditing service in their
zone. For the complete list of policy options, see the auditconfig(1M) man
page.
- In the global zone, configure auditing, but do not enable the auditing service.
- Complete the tasks in Configuring Audit Files (Task Map).
- Complete the tasks in Configuring and Enabling the Auditing Service (Task Map), with the following exceptions.
Add the perzone audit policy. For an example, see Example 30-16.
Do not enable the auditing service. You enable the auditing service after the non-global zones are configured for auditing.
- In each non-global zone, configure the audit files.
Note - If you are planning to disable auditing in the non-global zone, you can
skip this step. To disable auditing, see Example 30-23.
- Complete the tasks in Configuring Audit Files (Task Map).
- Follow the procedures that are described in Configuring and Enabling the Auditing Service (Task Map).
- Do not configure system-wide audit settings.
Specifically, do not add the perzone or ahlt policy to the non-global zone's audit_startup file,
and do not run the bsmconv command from the non-global zone.
- Enable auditing in your zone.
When the global zone reboots after auditing is configured, auditing is automatically enabled
in your zone.
If the global zone administrator activates the perzone audit policy after the system
is booted, individual zone administrators must enable auditing. For details, see Example 30-18.
- In the global zone, enable the auditing service.
For the procedure, see How to Enable the Auditing Service.
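Before enabling the service, it is worth checking that the audit_startup files match the division of labour this procedure requires: the global zone's copy sets the perzone policy and no non-global zone's copy sets perzone or ahlt. The following added example, not part of the original documentation, lints audit_startup files for exactly that. It assumes the Solaris 10 audit_startup layout, in which policies are set with lines of the form /usr/sbin/auditconfig -setpolicy +name[,name...]; the function names and the sample files are this example's own. On Solaris 10 run it with /usr/bin/ksh.

```shell
#!/bin/sh
# Added example, not from the original documentation. Checks audit_startup
# files for the per-zone layout: the global zone's file must set perzone,
# a non-global zone's file must set neither perzone nor ahlt.
# Assumes policies are set with "auditconfig -setpolicy [+|-]name[,name...]".

# policies_set_in <file>: prints the policy names the file adds (a +name
# or bare name argument); names removed with -name are ignored.
policies_set_in() {
    sed -e 's/#.*//' "$1" |
    awk '/-setpolicy/ {
        for (i = 1; i <= NF; i++) if ($i == "-setpolicy") {
            n = split($(i+1), p, ",")
            for (j = 1; j <= n; j++) {
                name = p[j]
                if (substr(name, 1, 1) == "-") continue   # removal, not a set
                sub(/^\+/, "", name)
                print name
            }
        }
    }'
}

# has_policy <newline-separated list> <name>
has_policy() { printf '%s\n' "$1" | grep -qx "$2"; }

# check_audit_startup global|nonglobal <file>
# Returns 0 when the file follows the rules above, 1 otherwise, printing
# each violation.
check_audit_startup() {
    kind=$1; file=$2; rc=0
    set_policies=$(policies_set_in "$file")
    case $kind in
        global)
            has_policy "$set_policies" perzone ||
                { echo "$file: global zone does not set +perzone"; rc=1; } ;;
        nonglobal)
            has_policy "$set_policies" perzone &&
                { echo "$file: non-global zone must not set perzone"; rc=1; }
            has_policy "$set_policies" ahlt &&
                { echo "$file: non-global zone must not set ahlt"; rc=1; } ;;
        *)  echo "usage: check_audit_startup global|nonglobal file" >&2; return 2 ;;
    esac
    return $rc
}

# Real use: in the global zone, check_audit_startup global /etc/security/audit_startup
# and, for each zone, check_audit_startup nonglobal <zonepath>/root/etc/security/audit_startup

# Offline demonstration on constructed files.
demo() {
    tmp=$(mktemp -d) || return 1
    # constructed global-zone audit_startup with perzone added
    cat > "$tmp/gz_audit_startup" <<'EOF'
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +perzone
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
EOF
    # constructed non-global copy that wrongly carries perzone and ahlt
    cat > "$tmp/ngz_audit_startup" <<'EOF'
#!/bin/sh
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +perzone,ahlt   # pasted from the global zone by mistake
/usr/sbin/auditconfig -conf
EOF
    check_audit_startup global "$tmp/gz_audit_startup" && echo "global zone: ok"
    check_audit_startup nonglobal "$tmp/ngz_audit_startup" || echo "non-global zone: fix before enabling auditd"
    rm -rf "$tmp"
}
demo
```

The check reads the files only; after the zones are booted, auditconfig -getpolicy in each zone confirms what is actually in effect.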
Example 30-23 Disabling Auditing in a Non-Global Zone
This example assumes that the global zone has the perzone audit policy set.
The zone administrator of the noaudit zone disables auditing for that zone. Because
the administrator planned to disable auditing, she did not edit the audit configuration
files.
noauditzone # svcadm disable svc:/system/auditd