Transcript of 48283793-solaris10LogAcctAudit

Page 1: 48283793-solaris10LogAcctAudit

Logging, Accounting, Auditing in Solaris 10
Dr. Ruediger Riediger
SunCERT / IT Security Monitoring
Sun Microsystems GmbH

© 2009, Sun Microsystems Inc. 2

Logging

System Log - syslogd(1M)
• System service: svc:/system/system-log
• Reads from the STREAMS log driver /dev/log
• Optionally listens on 514/udp
> Default: off
> Deprecated: LOG_FROM_REMOTE in /etc/default/syslogd
> Check status:

# svccfg -vs svc:/system/system-log listprop config/log_from_remote

• Configuration file /etc/syslog.conf
• Format:
> time host process: [ID msgid facility.priority] message

Facilities and severity
• Severity: emerg, alert, crit, err, warning, notice, info, debug, [none]
• Facility: user, kern, mail, daemon, auth, lpr, news, uucp, cron, audit, local0-7, mark
• Log to console
> /dev/sysmsg
• Log into file
> /var/adm/messages
• Post to (logged in) users
> *, root
• Send via udp (e.g. to LOGHOST)
> @loghost

Simple log integrity/heartbeat
• Syslog allows mark (timestamp) message in log file
> Writes to mark.info
> Default: every 20 minutes
• Format:
> time host -- MARK --
• Detect gaps in log file
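The gap check the last bullet asks for, as an added example (not code from the deck): a POSIX shell function that reads syslog text, keeps only the "-- MARK --" heartbeat lines and reports every interval longer than a threshold. The log excerpt, the host name "host1" and the 1260-second threshold (the 20-minute default plus a minute of slack) are constructed for this example.

```shell
#!/bin/sh
# Added example: detect gaps between syslog MARK heartbeats.
# Constructed sample log in the "time host -- MARK --" format described above;
# the host name "host1" and the sshd line are invented for the example.
SAMPLE_LOG='Apr 27 12:00:00 host1 -- MARK --
Apr 27 12:20:00 host1 -- MARK --
Apr 27 12:40:00 host1 sshd[1234]: [ID 800047 auth.info] Accepted publickey for user1
Apr 27 12:40:00 host1 -- MARK --
Apr 27 14:00:00 host1 -- MARK --
Apr 27 14:20:00 host1 -- MARK --'

# mark_gaps MAX_SECONDS: read syslog text on stdin and print one line for every
# pair of consecutive MARK lines that are more than MAX_SECONDS apart.
# Time stamps are compared as day-of-month plus seconds since midnight, so a
# gap spanning a month boundary is not detected (accepted simplification).
mark_gaps() {
    awk -v max="$1" '
        / -- MARK --$/ {
            split($3, t, ":")
            now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            if (prev != "" && now - prev > max)
                printf "gap of %d s between %s %s %s and %s %s %s\n", now - prev, pm, pd, pt, $1, $2, $3
            prev = now; pm = $1; pd = $2; pt = $3
        }'
}

# count_mark_gaps MAX_SECONDS: number of gaps found, for use in cron scripts.
count_mark_gaps() {
    mark_gaps "$1" | wc -l | tr -d ' '
}

# Usage with the constructed sample: the 12:40 -> 14:00 hole (4800 s) is reported.
printf '%s\n' "$SAMPLE_LOG" | mark_gaps 1260
```

A missing heartbeat does not say whether syslogd stopped, the host was down, or lines were removed from the file; it only says the interval deserves a look, which is why the function reports the two bounding time stamps rather than a verdict.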

Non-Syslog log files
• /var/adm/sulog – text log for su(1M)
• /var/adm/loginlog – failed logins via login(1)
• /var/cron/log – text log for cron(1M)
• /var/svc/log/*.log – service management logs
• /var/fm/fmd/{err,flt}log – fault management binary logs, review via fmdump(1M)
• /var/log/xferlog – in.ftpd(1M) access log
• /var/{apache,apache2}/logs/*_log – apache(1M) web server log files

Log Rotation - logadm(1M)
• Cron driven log rotation tool
> 10 3 * * * /usr/sbin/logadm
• Configuration file /etc/logadm.conf
• Good for all endlessly growing log files, text and binary
• Supported options:
> Rotate on size or time period
> Execute command before, during, or after rotation
> Compress, rename, or purge rotated files

Log file management
• Use NTP to ensure correct time stamps
• Group logs according to sources (facilities)
> auth → /var/log/authlog
> daemon → /var/log/daemonlog
> user → /var/log/userlog
• Use your record retention policy to determine log rotation
> If in question: rotate daily and keep for 30 days
> Entry in /etc/logadm.conf:

'/var/log/{auth,user,daemon,sys}log' -a 'kill -HUP `cat /var/run/syslog.pid`' -p 1d -A 30d -z 1

Logging failed logins to loginlog
• login(1) logs failed login attempts, but not per default:
> Check out loginlog(4), and create the loginlog file
– # touch /var/adm/loginlog
– # chmod 600 /var/adm/loginlog
– # chgrp sys /var/adm/loginlog
> Will per default only report 5 successive failed login attempts
• Configurable in /etc/default/login, but cannot log every failed attempt
> RETRIES=1 … 15

Logging failed logins to syslog
• Use syslog: configure policy in /etc/default/login
> Reports to auth.notice & auth.crit
> SYSLOG=YES
> SYSLOG_FAILED_LOGINS=0 records every failed login... but
> requires: RETRIES=1
– Also affects account locking
– Defines “grace” attempts, not counting as invalid
> Confusing documentation!
> Does not record non-existing user names (ever typed your password as user name?)

Logging failed ssh logins
• Nothing to do – works out of the box
• Check configuration in /etc/ssh/sshd_config
> SyslogFacility auth
> LogLevel info

Best Practices
• Forward to secure logging server, e.g. from local zone into global zone
> Define “loghost” as global zone IP on local zone
> Allow global zone syslogd to receive messages
• Review file permissions
> Writable & readable only by the owner
> Prevents unprivileged users from changing or perusing log files
• Include log files in backup

Review Log files
• Establish a baseline of expected events and escalate exceptions if required
• Use a host-based IDS to detect abnormal behavior


Accounting

last(1) - login and logout information
• Based on /var/adm/wtmpx
• Always use “last -a” to prevent incomplete host names
• Format:
> user tty from until (duration) host
• Includes reboot information (user: reboot)
• Requires full wtmpx
> Beware of log rotation caused by accounting (through runacct(1M))!

Example: last

user1   console      Mon Apr 27 12:24 - 13:42 (1+01:17)  :0
user1   pts/2        Mon Apr 27 07:43 - 04:03 (20:20)    XXX.sun.com
user1   sshd         Mon Apr 27 07:43 - 07:43 (00:00)    XXX.sun.com
user2   pts/1        Mon Apr 27 05:06 - 10:04 (04:58)    YYY.sun.com
user2   sshd         Mon Apr 27 05:06 - 07:43 (02:37)    YYY.sun.com
reboot  system boot  Mon Apr 27 05:05
reboot  system down  Mon Apr 27 05:05
user2   pts/1        Mon Apr 27 04:59 - down  (00:05)    YYY.sun.com
user2   sshd         Mon Apr 27 04:59 - 05:04 (00:05)    YYY.sun.com

(Legacy) Accounting data
• Utilities in /usr/lib/acct/*
• Connect time accounting recorded in /var/adm/wtmpx
> Entries written by various programs
> acctcon(1M) processes these records
• Process accounting recorded in /var/adm/pacct
> Entries written by kernel on process termination
> acctcom(1) processes these records
> Only ps(1) will show running processes

Enable (Legacy) System Accounting
• Required packages: SUNWaccr, SUNWaccu
• Install startup/shutdown scripts
> /etc/init.d/acct → /etc/rc2.d/S22acct, /etc/rc0.d/K22acct
> Start: /usr/lib/acct/startup
> Stop: /usr/lib/acct/shutacct
• Prime/Nonprime configuration: /etc/acct/holidays
> '*' are comments
> First line sets current year and starting times
> Successive lines define holidays (only date is used)
> Must be updated every year

Maintaining Accounting Data
• User: adm
> Every hour: /usr/lib/acct/ckpacct – periodically check the size of /var/adm/pacct
> Daily: /usr/lib/acct/runacct – nightly accounting, reports in /var/adm/acct/nite/*, summary in /var/adm/acct/sum/*
> Monthly: /usr/lib/acct/monacct – monthly summary, reports in /var/adm/acct/fiscal/*
• Administrator (root) only:
> Weekly: /usr/lib/acct/dodisk – required for disk accounting

Example crontabs
• crontab -l adm

00 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

• crontab -l root

30 22 * * 4 /usr/lib/acct/dodisk

Accounting reports
• Last Login Date: /var/adm/acct/sum/loginlog
> Daily generated by /usr/lib/acct/lastlogin
• Monthly reports: /var/adm/acct/fiscal/*
> Total Command Summary: cmsMM
> Total Accounting Summary: tacctMM
> Readable report: fiscrptMM
• Daily reports: /var/adm/acct/sum/*
> Accumulated Command Summary: cms
> Daily Accounting: tacctMMDD
> Readable report: rptMMDD

Example: acctcom

COMMAND                           START    END          REAL     CPU      MEAN
NAME       USER     TTYNAME       TIME     TIME        (SECS)   (SECS)   SIZE(K)
less       root     pts/6         14:35:59 14:38:51    172.56   0.01     1680.00
sh         root     pts/6         14:35:59 14:38:51    172.56   0.01     2392.00
man        root     pts/6         14:35:59 14:38:51    172.64   0.01     4336.00
tcsh       root     pts/6         14:38:55 14:38:55      0.01   0.01     1976.00
#sendmail  root     ?             13:19:09 13:19:09      0.23   0.02     6644.00
sendmail   user1    ?             13:19:09 13:19:09      0.54   0.05     5116.80
#identd    nobody   ?             13:19:09 13:19:09      0.02   0.01     2264.00
#sendmail  root     ?             13:19:09 13:19:10      1.09   0.01     8280.00
#sendmail  root     ?             13:21:07 13:21:07      0.01   0.01     1120.00
sendmail   smmsp    ?             13:21:07 13:21:07      0.01   0.01     1776.00
imapd-20   user2    ?             13:23:57 13:23:57      0.02   0.01     7040.00
imapd-20   user2    ?             13:23:57 13:23:57      0.02   0.01     6984.00

Example: prtacct

       LOGIN     CPU (MINS)    KCORE-MINS      CONNECT (MINS)    DISK      # OF   # OF  # DISK   FEE
UID    NAME      PRIME NPRIME  PRIME NPRIME    PRIME NPRIME      BLOCKS    PROCS  SESS  SAMPLES
0      TOTAL     0     192     0     16284682  0     27386       68887728  20380  195   32       0
0      root      0     14      0     448891    0     0           31808798  3337   0     2        0
1      daemon    0     0       0     0         0     0           24        0      0     2        0
2      bin       0     0       0     0         0     0           756       0      0     2        0
4      adm       0     0       0     9         0     0           3878      630    0     2        0
5      uucp      0     0       0     0         0     0           3416      0      0     2        0
25     smmsp     0     0       0     3         0     0           8         151    0     2        0
50     gdm       0     0       0     0         0     0           4         0      0     2        0

Example: acctcms

                                  TOTAL COMMAND SUMMARY
COMMAND  NUMBER       TOTAL     TOTAL      TOTAL       MEAN     MEAN   HOG          CHARS  BLOCKS
NAME     CMDS      KCOREMIN   CPU-MIN   REAL-MIN     SIZE-K  CPU-MIN  FACTOR      TRNSFD  READ
TOTALS   20380  16290228.00    192.25   14797.36   84735.67     0.01    0.01  40018702336  385812
firefox-     5   7188422.00     99.63     747.83   72149.49    19.93    0.13   8701902848   35107
soffice.     6   4616230.50     29.55     559.39  156209.69     4.93    0.05   2946649856   25335
thunderb     8   3924068.00     26.44    1536.49  148430.91     3.30    0.02   5315326464   10199
spamd        7    443109.12     12.29    3656.69   36050.53     1.76    0.00   3060531200  160792
imapd-20   464     24877.94      2.71    4118.54    9180.62     0.01    0.00   5853976576   42724
sshd        22     18831.21      9.02      46.90    2088.37     0.41    0.19   3069317376     339

Troubleshooting
• Date changes
> wtmpfix(1M) utility adjusts time stamps based on date change records in wtmpx
• Corrupted wtmpx
> fwtmp(1M) converts wtmpx files into ASCII (for editing), “fwtmp -ic” converts it back
• Corrupted tacct
> acctmerg(1M) converts tacct files into ASCII (for editing), “acctmerg -i” converts it back
> Merge with tacct.prev for consistency

Troubleshooting
• File size limit
> Some accounting binaries are not large-file aware
> /var/adm/pacct with ~2GB in size might cause trouble
> This should not happen if ckpacct(1M) is run regularly (which runs “turnacct switch”)
> Manually run runacct(1M)
• runacct failures
> Review /var/adm/acct/nite/activeMMDD
> Remove .../nite/lastdate, .../nite/lock*
> “runacct MMDD” as user adm to rerun for a specific date

Extended Accounting data
• New in Solaris 10, part of Resource Manager
• Based on Projects
> Labels usage records with the project they belong to
• Process accounting recorded in /var/adm/exacct/proc
• Task accounting recorded in /var/adm/exacct/task
• Flow accounting recorded in /var/adm/exacct/flow
• Records are accessed through libexacct(3LIB)

Enable Extended System Accounting
• Part of core Solaris installation
• Create /etc/acctadm.conf
> # acctadm -e extended -f /var/adm/exacct/proc process
> # acctadm -e extended,mstate -f /var/adm/exacct/task task
> # acctadm -e extended -f /var/adm/exacct/flow flow
• Install startup/shutdown scripts
> /etc/init.d/acctadm → /etc/rc2.d/S22acctadm, /etc/rc0.d/K22acctadm
> Runs /usr/sbin/acctadm -u
> Actually doesn't do anything on shutdown
• Can run in parallel with legacy accounting

Printing exacct records: dumpexacct

#!/usr/bin/perl
use strict;
use warnings;
use Sun::Solaris::Exacct qw(:EXACCT_ALL);

die("Usage is dumpexacct <exacct file>\n") unless (@ARGV == 1);

# Open the exacct file and display the header information.
# ea_error_str() is the exported error function (the slide called error_str()).
my $ef = ea_new_file($ARGV[0], &O_RDONLY) || die(ea_error_str());
printf("Creator:  %s\n", $ef->creator());
printf("Hostname: %s\n\n", $ef->hostname());

# Dump the file contents, one exacct object at a time.
while (my $obj = $ef->get()) {
    ea_dump_object($obj);
}

# Report any error other than a clean end of file.
if (ea_error() != EXR_OK && ea_error() != EXR_EOF) {
    printf("\nERROR: %s\n", ea_error_str());
    exit(1);
}
exit(0);

lastcomm(1) - last commands executed
• Works on records from legacy and extended accounting
> lastcomm -f /var/adm/pacct
> lastcomm -f /var/adm/exacct/proc
• Lists terminated processes

Example: lastcomm

ls           root    pts/6  0.01 secs Wed May  6 14:28
mv        S  root    pts/6  0.01 secs Wed May  6 14:28
tail         root    pts/6  0.01 secs Wed May  6 14:28
tcsh      F  root    pts/6  0.00 secs Wed May  6 14:28
sendmail  SF root    __     0.02 secs Wed May  6 14:27
identd    S  nobody  __     0.01 secs Wed May  6 14:27
sendmail     user1   __     0.05 secs Wed May  6 14:27
sendmail  SF root    __     0.02 secs Wed May  6 14:27
sendmail  F  root    __     0.00 secs Wed May  6 14:27
identd    S  nobody  __     0.01 secs Wed May  6 14:27
sendmail  SF root    __     0.02 secs Wed May  6 14:27
procmail  S  user1   __     0.04 secs Wed May  6 14:27
procmail  F  user1   __     0.00 secs Wed May  6 14:27
whatlist     user1   __     0.12 secs Wed May  6 14:27
procmail  F  user1   __     0.00 secs Wed May  6 14:27

So what is useful, security wise?
• last(1): /var/adm/wtmpx is valuable for login records
• lastcomm(1): /var/adm/pacct or /var/adm/exacct/proc is valuable for reviewing terminated processes
• Don't forget to rotate these logs:
> Legacy: “ckpacct” or “turnacct switch”
> Extended: “logadm” with “-b 'acctadm -x process' -a 'acctadm -e extended process'”

Caveats
• Legacy Accounting cycles /var/adm/wtmpx
• Records program file names (only) for accounting
> No path information
• Records effective user id ($>)
> Setuid: changes effective user id
> No information on real user id ($<)


Auditing

BSM – Basic Security Module
• C2 compliant Auditing [historic]
> provide system level audit trail
> audit the use of identification and authentication mechanisms
> audit file access (open, close, read, write, create) and program initiation
> audit file/object deletion
> audit administrative actions
• Solaris SunSHIELD
> Kernel Auditing, User-space hooks
> Device Allocation Mechanism

Why do you need it?
• 80% of successful attacks originate on the inside of a network – by authorized users
• Monitoring a system might show that root is editing a system file. But who is root?
• Roles allow restrictions on access to privileged accounts
• Auditing tracks real (login) and effective user id and associates it with activity
• Caveat: what is expected behavior?
• Performance: yes, you will see impact

Resources
• Auditing Blueprint
> http://www.sun.com/blueprints/0201/audit_config.pdf
• Solaris Security Toolkit (JASS)
> http://www.sun.com/software/security/jass/
• System Administration Guide: Security Services
> http://dlc.sun.com/pdf/816-4557/816-4557.pdf

How to enable?
• Configure /etc/security/audit_*
> /etc/security/audit_startup
> /etc/security/audit_control
> /etc/security/audit_user
• Change to “Single User” (system maintenance) mode
• Enable and reboot
> # /usr/sbin/shutdown -i1
> # /etc/security/bsmconv
> # /usr/sbin/shutdown -i6

bsmconv(1M)
• Enables audit daemon: svc:/system/auditd
• Enables c2audit kernel module in /etc/system
• Disables volume manager: svc:/system/filesystem/volfs
• Enables device allocation: mkdevalloc(1M)
• Recommended: disable keyboard abort (Stop-A)
> Was default for Solaris <10
> In /etc/default/kbd: KEYBOARD_ABORT=disable
> Make current: /usr/bin/kbd -i
> If left enabled, can be audited for

How does it work?
• Kernel loads c2audit module
• Through SMF:
> /etc/security/audit_startup is executed
> /usr/sbin/auditd is started
• Kernel selects events according to mask
> audit_control flags & audit_user
• Kernel sends events to auditd
• auditd records events
> configuration from audit_control

audit_startup(1M)
• Initializes the audit subsystem

/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +argv    # or +argv,arge
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf

• Record current system status

# first writable audit directory from the dir: lines of audit_control, else /var/audit
control_dir=`/usr/bin/grep '^dir:' /etc/security/audit_control | \
    /usr/bin/sed 's/.*://' | /usr/bin/tr -s ',' ' '`
for dir in ${control_dir} /var/audit; do
    if [ -d ${dir} -a -w ${dir} ]; then
        break
    fi
done
# snapshot of processes and services at audit start, kept next to the audit files
/usr/bin/ps -ef > ${dir}/`/usr/bin/date '+%Y%m%d%H%M%S'`.startup.`/usr/bin/hostname`
/usr/bin/svcs -a > ${dir}/`/usr/bin/date '+%Y%m%d%H%M%S'`.smf.`/usr/bin/hostname`

audit_control(4)
• Contains control information for system audit daemon

# e.g. mounted via NFS
dir:/var/audit/mp/hostname
# e.g. local
dir:/var/audit/hostname
flags:lo,ad,am
minfree:20
naflags:lo,na,ad,am

• Make directory readable/writable for owner only
• If /var/audit is on a dedicated file system:
> # /usr/sbin/tunefs -m 0 /var/audit

audit_user(4)
• Stores per-user auditing preselection data
• E.g. use for all roles

root:lo,am,ex,cs,cf,vs:no

• Selection options: ex, +ex, -ex, ^ex

audit_class(4) and audit_event(4)
• Stores class definitions and maps events to classes
• Listing all events:
> # bsmrecord -ha > bsmrecord.html
• Allows custom classes in audit_class:

0x01000000:cs:custom audit events
0x02000000:cf:custom ancillary audit events
0x04000000:vs:virtualization_software

• Add cs,cf to selected events in audit_event:

10:AUE_CHMOD:chmod(2):fm,cf
11:AUE_CHOWN:chown(2):fm,cs
...

JASS suggestion for audit_event(4)

10:AUE_CHMOD:chmod(2):fm,cf
11:AUE_CHOWN:chown(2):fm,cs
24:AUE_CHROOT:chroot(2):pm,cs
38:AUE_FCHOWN:fchown(2):fm,cs
39:AUE_FCHMOD:fchmod(2):fm,cf
40:AUE_SETREUID:setreuid(2):pm,cs
69:AUE_FCHROOT:fchroot(2):pm,cs
200:AUE_SETUID:old setuid(2):pm,cs
203:AUE_NICE:old nice(2):pm,cs
212:AUE_PRIOCNTLSYS:priocntlsys(2):pm,cs
215:AUE_SETEUID:seteuid(2):pm,cs
237:AUE_LCHOWN:lchown(2):fm,cs
251:AUE_ACLSET:acl(2) - SETACL command:fm,cf
252:AUE_FACLSET:facl(2) - SETACL command:fm,cf
40700:AUE_ldoms:ldoms administration:vs
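The previous two slides describe the edit by hand: define custom classes in audit_class and append them to selected lines of audit_event. Below is an added example (not from the deck or from JASS) that does the same edit as a repeatable shell step: it checks that the class is defined, then appends it to the listed event numbers without duplicating a class that is already there. The file excerpts are constructed from the lines shown above; the real files are much longer.

```shell
#!/bin/sh
# Added example: tag selected audit events with a custom class, the way the
# JASS list above tags chown(2)/chroot(2)/... with "cs".
# Constructed excerpts of audit_class(4) and audit_event(4).
# Formats: mask:class:description and number:name:description:classes
SAMPLE_CLASSES='0x01000000:cs:custom audit events
0x02000000:cf:custom ancillary audit events
0x04000000:vs:virtualization_software'

SAMPLE_EVENTS='# event number:event name:description:classes (constructed excerpt)
10:AUE_CHMOD:chmod(2):fm
11:AUE_CHOWN:chown(2):fm
24:AUE_CHROOT:chroot(2):pm
38:AUE_FCHOWN:fchown(2):fm
40:AUE_SETREUID:setreuid(2):pm'

# class_mask CLASS: print the mask defined for CLASS in audit_class text on stdin.
# Empty output means the class is undefined and must be added to audit_class first.
class_mask() {
    awk -F: -v c="$1" '!/^#/ && $2 == c { print $1 }'
}

# add_class CLASS EVENT_NUMBER...: read audit_event text on stdin and append
# CLASS to the class list of the listed events. Comment and malformed lines
# pass through untouched; an event already carrying CLASS is left alone, so
# running the step twice is harmless.
add_class() {
    cls="$1"; shift
    awk -F: -v OFS=: -v cls="$cls" -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^#/ || NF < 4 { print; next }
        ($1 in want) {
            m = split($4, have, ",")
            found = 0
            for (i = 1; i <= m; i++) if (have[i] == cls) found = 1
            if (!found) $4 = $4 "," cls
        }
        { print }'
}

# Usage with the constructed data: tag the ownership/privilege events with "cs",
# but only if "cs" is actually defined.
if [ -n "$(printf '%s\n' "$SAMPLE_CLASSES" | class_mask cs)" ]; then
    printf '%s\n' "$SAMPLE_EVENTS" | add_class cs 11 24 38 40
fi
```

On a real system the stdin would be /etc/security/audit_event and the output written to a temporary file and compared before it replaces the original; the class must exist in audit_class before auditd re-reads the configuration ("audit -s"), otherwise the preselection mask cannot be built.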

audit(1M)
• Communicates with auditd(1M)
• Always use audit(1M)
> “audit -s” – starts auditd or re-reads configuration files
> “audit -n” – closes and opens log files

audit_warn(1M)
• Script to report all auditing warnings/errors
• Only called if audit_binfile.so.1 plugin is used
• Requires “audit_warn” email alias to be configured in /etc/mail/aliases
> audit_warn: root
• Uses logger(1) to record to syslog daemon.alert facility – make sure it is captured

Rotating audit logs?
• No default script for rotating logs
• Leverage logadm(1M) for rotation? Possible...
• Run a new script audit_turn once per week
> crontab -l root

05 02 * * 0 /etc/security/audit_turn

audit_turn (I)

#!/bin/sh

# close the current audit file and open a new one
/usr/sbin/audit -n
/usr/bin/sleep 1

# directory of the active audit file, taken from audit_data (pid:path),
# falling back to /var/audit
data_dir=`/usr/bin/grep '^[0-9]*:' /etc/security/audit_data | \
    /usr/bin/sed 's/.*://' | \
    /usr/bin/sed 's/\/[^\/]*$//'`
for dir in ${data_dir} /var/audit; do
    if [ -d ${dir} -a -w ${dir} ]; then
        break
    fi
done
# base name of the active (not_terminated) file; it is excluded from the clean-up
current=`/usr/bin/grep '^[0-9]*:' /etc/security/audit_data | \
    /usr/bin/sed 's/.*:.*\///'`
...

audit_turn (II)

...
# work inside the audit directory found above
chdir ${dir}

# merge all closed not_terminated files (everything except the active one)
# into one terminated file named after this host
/usr/sbin/auditreduce -O `/usr/bin/hostname` \
    `ls -1 [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].not_terminated.\`/usr/bin/hostname\` | grep -v ${current}`

# remove the not_terminated files that were just merged
# ("dummy" gives rm an operand even when the list is empty)
rm -f dummy `ls -1 [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].not_terminated.\`/usr/bin/hostname\` | grep -v ${current}`

# keep only the 9 newest merged files
rm -f dummy `ls -1t [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].\`/usr/bin/hostname\` | sed -e 1,9d`

# keep only the 3 newest startup and smf snapshots written by audit_startup
rm -f dummy `ls -1t [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].startup.\`/usr/bin/hostname\` | sed -e 1,3d`
rm -f dummy `ls -1t [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].smf.\`/usr/bin/hostname\` | sed -e 1,3d`

Analyzing the audit trail
• auditreduce(1M) – Select specific time intervals, audit ids, user ids, event classes, etc.
• praudit(1M) – Translate the binary audit log into user readable records
> -x: XML format, see /usr/share/lib/xml/dtd/adt_record.dtd.1 and /usr/share/lib/xml/style/adt_record.xsl.1
• Audit record (binary) files in /var/audit:
> YYYYMMDDHHMMSS.YYYYMMDDHHMMSS.hostname

Select specific trails
• auditreduce -c lo -O lo.summary
> Select only login/logout (“lo”) events from audit records
• auditreduce -m 113
> Select specific event (113 = “system booted”)
• auditreduce -e user1 -u user1
> Select records for effective uid “user1” which is also the audit id “user1”
• auditreduce -z zonename
> Select records for specified zone
• Check out manual page for auditreduce(1M) for more selection options

What all records have in common
• See audit.log(4)
• Header token
> Names event
• Subject token
> No rule without exception: prom, system boot (“na”)
• Return token
> Captures exit value
• Trailer token (optional)
> Controlled by “auditconfig -setpolicy +trail”

Example audit record

header,208,2,cron-invoke,,host name,2009-04-26 02:13:00.138 -07:00
subject,user1,root,root,root,root,9241,3255852094,8818 196630 XXX.Sun.COM
text,crontab-job
text,command
return,success,0
zone,zone name

<record version="2" event="cron-invoke" host="host name" iso8601="2009-04-26 02:13:00.138 -07:00">
<subject audit-uid="user1" uid="root" gid="root" ruid="root" rgid="root" pid="9241" sid="3255852094" tid="8818 196630 XXX.Sun.COM"/>
<text>crontab-job</text>
<text>command</text>
<return errval="success" retval="0"/>
<zone name="zone name"/>
</record>
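The token layout of the previous two slides (header names the event, subject carries audit id and effective uid, return carries the status) is enough to summarize a praudit text dump record by record. The following is an added example, not code from the deck: a shell function that reads praudit output and emits one line per record, plus two filters a reviewer would actually run. The input is the cron-invoke record above followed by two constructed records (a "system booted" record without a subject token, as the exception on the earlier slide describes, and a failed local login); their lengths, time stamps, pids and the failure text are invented.

```shell
#!/bin/sh
# Added example: summarize praudit(1M) text output record by record.
# Constructed input: the cron-invoke record from the slide plus two invented
# records; the field layout follows the token formats described in the deck.
SAMPLE_TRAIL='header,60,2,system booted,,host name,2009-04-26 02:00:00.000 -07:00
text,booting kernel
return,success,0
header,208,2,cron-invoke,,host name,2009-04-26 02:13:00.138 -07:00
subject,user1,root,root,root,root,9241,3255852094,8818 196630 XXX.Sun.COM
text,crontab-job
text,command
return,success,0
zone,zone name
header,131,2,login - local,,host name,2009-04-26 02:15:42.010 -07:00
subject,user2,user2,staff,user2,staff,9310,3255852110,0 0 host name
text,invalid password
return,failure: Permission denied,-1
zone,zone name'

# summarize_trail: read praudit text on stdin and print one line per record as
# event|audit-uid|effective-uid|status. A record starts with its header token;
# the subject fields are reset there so a record without a subject token (prom,
# system boot) shows "?" instead of the previous record's identity. The line is
# emitted at the return token, which every record carries.
summarize_trail() {
    awk -F, '
        $1 == "header"  { event = $4; auid = "?"; uid = "?" }
        $1 == "subject" { auid = $2; uid = $3 }
        $1 == "return"  { printf "%s|%s|%s|%s\n", event, auid, uid, $2 }'
}

# audit_uid_mismatches: records whose effective uid differs from the audit id,
# i.e. work done under an identity other than the one that logged in.
audit_uid_mismatches() {
    summarize_trail | awk -F'|' '$2 != $3'
}

# failures: records whose return token reports anything other than success.
failures() {
    summarize_trail | awk -F'|' '$4 != "success"'
}

printf '%s\n' "$SAMPLE_TRAIL" | summarize_trail
```

In practice the input comes from "auditreduce ... | praudit", and the audit id column is the value worth keying on: it is the login identity, which neither su(1M) nor a setuid program changes, so the mismatch filter answers the "who is root?" question raised earlier in the deck.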

Header token
• Format:
> Token id (“header”)
> Byte length of record (including “header” and “trailer”)
> Version of audit record structure (“2” for Sol10)
> Audit event type (see “bsmrecord(1M)”)
> Event modifier for ancillary description
> Machine address (IPv4, IPv6)
> Date and time (down to nanoseconds)

Subject token
• Format:
> Token id (“subject”)
> Audit id
> Effective user id, effective group id
> Real user id, real group id
– If unavailable: “-1”
> Process id (PID)
> Audit session id (SID)
– If unavailable: “-1”
> Terminal id (TID)
– Either Machine id: Port + IP type + IP address
– Or Device id: device number

Text token
• Format:
> Token id (“text”)
> Text length
> Text string

Return token
• Format:
> Token id (“return”)
> Error status
– String, e.g. “success”, “failure: Invalid argument”
> Return value
– Numeric, e.g. “0” (all okay), “-1” (error)

Trailer token
• Format:
> Token id (“trailer”)
> magic number
– Aids marking the end of the record
– Will not be displayed using “praudit”
> Byte length of record (including “header” and “trailer”)

Auditing and profiles
• Audit Control – Enables a role to configure Solaris auditing
> Allows running: audit, auditd, auditconfig, bsmconv, and bsmunconv
• Audit Review – Enables a role to analyze Solaris audit records
> Allows running: praudit, auditreduce, auditstat

Auditing and zones
• Recommended: global zone for auditing
> Cannot be disabled from local zone
> In /etc/security/audit_startup: /usr/sbin/auditconfig -setpolicy +zonename
• Auditing in the local zone
> Requires running auditd in local zone: # svcadm enable svc:/system/auditd
> Uses per zone configuration from /etc/security/audit_*
> In each /etc/security/audit_startup: /usr/sbin/auditconfig -setpolicy +perzone

Zone token
• Format:
> Token id (“zone”)
> Zone name
– Zone name as in /etc/zones/*.xml, or “global”

Auditing and syslog
• audit_syslog(5) allows sending audit data to syslog
• Data is generated in the text format, representing individual tokens, max. 1024 characters
• No “argv” or “arge” records!
• Messages are recorded in audit.notice
• Enabled in /etc/security/audit_control
> plugin: name=audit_syslog.so;p_flags=lo,+ad;qsize=512
• Beware! Uses UDP for sending, and syslog time stamp

Logging, Accounting, Auditing in Solaris 10
Dr. Ruediger Riediger
[email protected]