Configuring and Enabling the Auditing Service (Tasks)

After the configuration files have been set up for your site, you need to set up disk space for your audit files. You also need to set up other attributes of the auditing service, and then enable the service. This section also contains procedures to refresh the auditing service when you change configuration settings.

When a non-global zone is installed, you can choose to audit the zone exactly as the global zone is being audited. Alternatively, to audit the non-global zone individually, you can modify the audit configuration files in the non-global zone. To customize audit configuration files, see Configuring Audit Files (Task Map).

How to Create Partitions for Audit Files

The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Determine the amount of disk space that is required.

   Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort.

3. Create dedicated audit partitions, as needed.

   This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see Chapter 11, Administering Disks (Tasks), in System Administration Guide: Devices and File Systems.

   # newfs /dev/rdsk/cwtxdysz

   where /dev/rdsk/cwtxdysz is the raw device name for the partition.

   If the local host is to be audited, also create an audit directory of last resort for the local host.

4. Create mount points for each new partition.

   # mkdir /var/audit/server-name.n

   where server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.

5. Add entries to automatically mount the new partitions.

   Add a line to the /etc/vfstab file that resembles the following:

   /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes

6. (Optional) Remove the minimum free space threshold on each partition.

   If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.

   # tunefs -m 0 /var/audit/server-name.n

7. Mount the new audit partitions.

   # mount /var/audit/server-name.n

8. Create audit directories on the new partitions.

   # mkdir /var/audit/server-name.n/files

9. Correct the permissions on the mount points and new directories.

   # chmod -R 750 /var/audit/server-name.n/files

10. On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file:

    share -F nfs /var/audit/server-name.n/files

11. On a file server, restart the NFS service.

    If this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.

    • If the NFS service is offline, enable the service.

      % svcs \*nfs\*
      disabled       Nov_02   svc:/network/nfs/rquota:default
      offline        Nov_02   svc:/network/nfs/server:default
      # svcadm enable network/nfs/server

    • If the NFS service is running, restart the service.

      % svcs \*nfs\*
      online         Nov_02   svc:/network/nfs/client:default
      online         Nov_02   svc:/network/nfs/server:default
      # svcadm restart network/nfs/server

    For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 15, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf(5) man page.

Example 30-12 Creating an Audit Directory of Last Resort

All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Because this file system is only used locally, none of the steps for a file server are necessary.

# newfs /dev/rdsk/c0t2d0
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret ufs  2  yes  -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files

Example 30-13 Creating New Audit Partitions

In this example, a new file system is created on two new disks that are to be used by other systems in the network.

# newfs /dev/rdsk/c0t2d0
# newfs /dev/rdsk/c0t2d1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2  yes  -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2  yes  -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
 share -F nfs /var/audit/egret.1/files
 share -F nfs /var/audit/egret.2/files
# svcadm enable network/nfs/server

How to Configure the audit_warn Email Alias

The audit_warn script generates mail to an email alias that is called audit_warn. To send this mail to a valid email address, you can follow one of the options that are described in Step 2:

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Configure the audit_warn email alias.

   Choose one of the following options:

   • OPTION 1 – Replace the audit_warn email alias with another email account in the audit_warn script.

     Change the email alias in the following line of the script:

     ADDRESS=audit_warn            # standard alias for audit alerts

   • OPTION 2 – Redirect the audit_warn email to another mail account.

     In this case, you would add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn email alias:

     audit_warn: root

How to Configure Audit Policy

Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.

You can inspect, enable, or disable the current audit policy options with the the auditconfig command. You can also modify the policy options to the auditconfig command in the audit_startup script to make permanent audit policy changes.

1. Assume a role that includes the Audit Control profile, or become superuser.

   To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map).

2. Review the audit policy.

   Before auditing is enabled, the contents of the audit_startup file determine the audit policy:

   #! /bin/sh
   ...
   /usr/bin/echo "Starting BSM services."
   /usr/sbin/auditconfig -setpolicy +cnt Counts rather than drops records
   /usr/sbin/auditconfig -conf  Configures event-class mappings
   /usr/sbin/auditconfig -aconf Configures nonattributable events

3. View the available policy options.

   $ auditconfig -lspolicy

   ---

   Note - The perzone and ahlt policy options can be set only in the global zone.

   ---

4. Enable or disable selected audit policy options.

   # auditconfig -setpolicy prefixpolicy

   prefix

   A prefix value of + enables the policy option. A prefix value of - disables the policy option.

   policy

   Selects the policy to be enabled or to be disabled.

   The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.

   For a description of each policy option, see Determining Audit Policy.

Example 30-14 Setting the cnt and ahlt Audit Policy Options

In this example, the cnt policy is disabled and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full. These settings are appropriate when security is more important than availability. For restrictions on setting this policy, see Step 3.

The following audit_startup entries disable the cnt policy option and enable the ahlt policy option across reboots:

# cat /etc/security/audit_startup
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy -cnt    
/usr/sbin/auditconfig -setpolicy +ahlt

Example 30-15 Setting the seq Audit Policy Temporarily

In this example, the auditd daemon is running and the ahlt audit policy has been set. The seq audit policy is added to the current policy. The seq policy adds a sequence token to every audit record. This is useful for debugging the auditing service when audit records are corrupted, or when records are being dropped.

The + prefix adds the seq option to the audit policy, rather than replaces the current audit policy with seq. The auditconfig command puts the policy in effect until the next invocation of the command, or until the next boot.

$ auditconfig -setpolicy +seq
$ auditconfig -getpolicy
audit policies = ahlt,seq    

Example 30-16 Setting the perzone Audit Policy

In this example, the perzone audit policy is set in the audit_startup script in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone.

$ cat /etc/security/audit_startup
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +perzone
/usr/sbin/auditconfig -setpolicy +cnt

Example 30-17 Changing an Audit Policy

In this example, the audit daemon is running and audit policy has been set. The auditconfig command changes the ahlt and cnt policies for the duration of the session. With these settings, audit records are dropped, but counted, when the audit file system is full. For restrictions on setting the ahlt policy, see Step 3.

$ auditconfig -setpolicy +cnt
$ auditconfig -setpolicy -ahlt
$ auditconfig -getpolicy
audit policies = cnt,seq

When the changes are put in the audit_startup file, the policies are permanently in effect:

$ cat /etc/security/audit_startup
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +cnt

The -ahlt option does not have to be specified in the file, because the ahlt policy option is disabled by default. This setting is appropriate when availability is more important than the security that audit records provide.

How to Enable the Auditing Service

This procedure enables the auditing service for all zones. To start the audit daemon in a non-global zone, see Example 30-18.

When auditing is configured securely, the system is in single-user mode until auditing is enabled. You can also enable auditing in multiuser mode.

Before You Begin

You should perform this procedure as superuser after completing the following tasks:

• Planning – Planning Solaris Auditing (Task Map)

• Customizing audit files – Configuring Audit Files (Task Map)

• Setting up audit partitions – How to Create Partitions for Audit Files

• Setting up audit warning messages – How to Configure the audit_warn Email Alias

• Setting audit policy – How to Configure Audit Policy

1. Run the script that enables the auditing service.

   Go to the /etc/security directory, and execute the bsmconv script there.

   # cd /etc/security
   # ./bsmconv
   This script is used to enable the Basic Security Module (BSM).
   Shall we continue with the conversion now? [y/n] y
   bsmconv: INFO: checking startup file.
   bsmconv: INFO: turning on audit module.
   bsmconv: INFO: initializing device allocation.
   
   The Basic Security Module is ready.
   If there were any errors, please fix them now.
   Configure BSM by editing files located in /etc/security.
   Reboot this system now to come up with BSM enabled.

   For the effects of the script, see the bsmconv(1M) man page.

2. Reboot the system.

   # reboot

   The startup file /etc/security/audit_startup causes the auditd daemon to run automatically when the system enters multiuser mode.

   Another effect of the script is to turn on device allocation. To configure device allocation, see Managing Device Allocation (Task Map).

Example 30-18 Enabling Auditing in a Non-Global Zone

In the following example, the global zone administrator turned on perzone policy after auditing was enabled in the global zone and after the non-global zone had booted. The zone administrator of the non-global zone has configured the audit files for the zone, and then starts the audit daemon in the zone.

zone1# svcadm enable svc:/system/auditd

How to Disable the Auditing Service

If the auditing service is no longer required at some point, this procedure returns the system to the system state before auditing was enabled. If non-global zones are being audited, their auditing service is also disabled.

---

Caution - This command also disables device allocation. Do not run this command if you want to be able to allocate devices. To disable auditing and retain device allocation, see Example 30-19.

---

1. Become superuser and bring the system into single-user mode.

   % su
   Password: <Type root password>
   # init S

   For more information, see the init(1M) man page.

2. Run the script to disable auditing.

   Change to the /etc/security directory, and execute the bsmunconv script.

   # cd /etc/security
   # ./bsmunconv

   Another effect of the script is to disable device allocation.

   For information on the full effect of the bsmunconv script, see the bsmconv(1M) man page.

3. Bring the system into multiuser mode.

   # init 6

Example 30-19 Disabling Auditing and Keeping Device Allocation

In this example, the auditing service stops collecting records, but device allocation continues to work. All values from the flags, naflags, and plugin entries in the audit_control file are removed, as are all user entries in the audit_user file.

# audit_control file
…
flags:
minfree:10
naflags:
plugin:

# audit_user file

The auditd daemon runs, but no audit records are kept.

Example 30-20 Disabling Auditing on a Per-Zone Basis

In this example, the auditing service stops running in the zone where the auditing service is disabled. Device allocation continues to work. When this command is run in the global zone, and the perzone audit policy is not set, auditing is disabled for all zones, not just the global zone.

# svcadm disable svc:/system/auditd

How to Update the Auditing Service

This procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running.

1. Assume a role that includes the Audit Control rights profile, or become superuser.

   To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map).

2. Choose the appropriate command.
   • If you modify the naflags line in the audit_control file, change the kernel mask for nonattributable events.

     $ /usr/sbin/auditconfig -aconf

     You can also reboot.

   • If you modify other lines in the audit_control file, reread the audit_control file.

     The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.

     $ /usr/sbin/audit -s

     ---

     Note - Audit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot.

     ---

     The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins.

   • If you modify the audit_event file or the audit_class file while the audit daemon is running, refresh the auditing service.

     Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.

     $ auditconfig -conf
     $ auditconfig -setumask auid classes

     auid

     Is the user ID.

     classes

     Are the preselected audit classes.

   • To change audit policy on a running system, see Example 30-15.

Example 30-21 Restarting the Audit Daemon

In this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.

# init S
# init 6