Chapter 22

Managing the BSM Service (Tasks)

This chapter presents procedures that are designed to help you set up and manage a Solaris environment that includes auditing. This chapter also includes instructions for administering the audit trail and for administering device allocation. The task maps in this chapter are listed below.

For an overview of auditing, see Chapter 20, BSM (Overview). For planning suggestions, see Chapter 21, Audit Planning.

Managing the BSM Service (Task Map)

The following task map shows the major tasks that are required to administer the BSM service.

Plan for auditing
    Configuration issues to consider and make decisions about, before you configure auditing.
    See Chapter 21, Audit Planning.

Configure audit files
    Defines which events, classes, and users require auditing.
    See Configuring Audit Files (Task Map).

Configure auditing
    Configures each host so that you can use auditing.
    See Configuring the Auditing Service (Task Map).

Manage audit records
    Merges and analyzes the audit data.
    See Managing Audit Records (Task Map).

Manage device allocation
    Defines which devices should be accessed through the device allocation mechanism.
    See Managing Device Allocation (Tasks).

Configuring Audit Files (Task Map)

Before you enable auditing on your network, you might want to edit the audit configuration files. Many of the following procedures require you to restart the service or reboot the local system. You should make as many of these changes as possible before you start the service.

The following task map describes the tasks in this section.

Select audit flags, change audit_control settings
    Preselects which classes of events are audited, and changes the other preset values in the audit_control file.
    See How to Select Audit Flags.

Change audit characteristics for users
    Sets user-specific exceptions to the system-wide audit flag settings.
    See How to Change Users' Audit Characteristics.

Add audit classes
    Defines new audit classes.
    See How to Add Audit Classes.

Change event-to-class mappings
    Changes the class that certain events belong to.
    See How to Change an Audit Event's Class Membership.

Add audit events
    Adds new user-level events to the audit_event file.
    See How to Add Audit Events.

How to Select Audit Flags

Audit flags are defined in the /etc/security/audit_control file. The audit flags select which classes of audit records are written to the audit log. The flags: and naflags: lines set the system-wide defaults; per-user exceptions are set separately in the audit_user file.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_control file.

    # cp /etc/security/audit_control /etc/security/audit_control.save

  3. Add new entries to the audit_control file.

    Each entry has the following format:

    title:string

    title

    Defines the type of line. Options are dir:, flags:, minfree:, or naflags:.

    string

    Lists specific data that is associated with the line type.

  4. Instruct the audit daemon to read the new audit_control file.

    The audit daemon reads audit_control when it starts and keeps the information internally, so editing the file does not change the running daemon. To use the new information, either reboot the system or type the following command:

    # audit -s

Example--Changing the Location of the Audit Trail File

Lines that start with dir: define which audit file systems can be used to store audit trail files. The audit daemon writes to the directories in the order listed and moves to the next one when the current directory's file system reaches the minfree threshold. In this example, two locations are defined in addition to /var/audit.

# cat /etc/security/audit_control
dir:/etc/security/audit/host.1/files
dir:/etc/security/audit/host.2/files
dir:/var/audit
flags:
minfree:10
naflags:lo

Example--Changing Audit Flags for All Users

The flags line in the audit_control file defines which classes of events are audited for all users on the host. The classes are separated by commas, with no spaces. In this example, the events in the lo class are audited for all users.

# cat /etc/security/audit_control
dir:/var/audit
flags:lo
minfree:10
naflags:lo

Example--Changing the Soft Limit for Warnings

The minfree line in the audit_control file defines the minimum free-space level for all audit file systems. In this example, the soft limit is set so that a warning is issued when only 10 percent of the file system is available. When a directory's file system falls below this level, the audit daemon runs the audit_warn script with the soft argument and switches to the next dir: entry, if one is defined.

# cat /etc/security/audit_control
dir:/var/audit
flags:
minfree:10
naflags:lo

Example--Changing Auditing of Nonattributable Events

The naflags: line in the audit_control file defines which classes of nonattributable events are audited on the host. Nonattributable events are events that cannot be attributed to an authenticated user, for example those generated at boot or by the login program before a user has been identified. The classes are separated by commas, with no spaces. In this example, the na event class is added.

# cat /etc/security/audit_control
dir:/var/audit
flags:
minfree:10
naflags:lo,na
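A mistyped audit_control line is easy to ship with audit -s and hard to notice until the daemon complains. The following shell function is added here as an example; it is not part of the original Solaris documentation. It checks a candidate audit_control file against an audit_class file before you reload the daemon: it accepts only the four line types listed above, requires dir: paths to be absolute, bounds minfree to 0-100, and looks up every class named in flags: and naflags: (with any ^, + or - prefix stripped) in the class file. The audit_class contents and the two audit_control files are constructed samples written to a temporary directory, so the check runs offline; the masks in the sample class file are illustrative and not copied from a system.

```shell
#!/bin/sh
# Validate an audit_control file before handing it to "audit -s".
# Example code, not from the Solaris documentation; all sample files are constructed.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed audit_class sample (mask:name:description). Masks are illustrative.
cat > "$TMP/audit_class" <<'EOF'
0x00000000:no:invalid class
0x00000002:fw:file write
0x00000040:ex:exec
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0xffffffff:all:all classes
EOF

# check_audit_control FILE CLASSFILE
# Prints one line per problem; returns 0 if FILE is clean, 1 otherwise.
check_audit_control() {
    file=$1; classfile=$2; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                      # blank lines and comments
        esac
        title=${line%%:*}                             # text before the first colon
        value=${line#*:}                              # text after it
        case $title in
            dir)
                case $value in
                    /*) ;;
                    *)  echo "dir: path is not absolute: $line"; bad=1 ;;
                esac ;;
            minfree)
                case $value in
                    ''|*[!0-9]*) echo "minfree: not a number: $line"; bad=1 ;;
                    *) [ "$value" -le 100 ] ||
                           { echo "minfree: must be 0-100: $line"; bad=1; } ;;
                esac ;;
            flags|naflags)
                # Comma-separated classes; each may carry a ^, + or - prefix.
                oldifs=$IFS; IFS=,
                for cls in $value; do
                    name=${cls#^}; name=${name#[+-]}
                    [ -n "$name" ] || continue        # "flags:" with nothing after it is valid
                    grep -q "^[^:]*:$name:" "$classfile" ||
                        { echo "$title: unknown class '$name': $line"; bad=1; }
                done
                IFS=$oldifs ;;
            *)  echo "unknown line type '$title': $line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Constructed samples: one clean file, one with a problem on every line.
cat > "$TMP/audit_control.good" <<'EOF'
dir:/var/audit
flags:lo,+ex
minfree:10
naflags:lo,na
EOF

cat > "$TMP/audit_control.bad" <<'EOF'
dir:var/audit
flags:lo,xx
minfree:120
nflags:lo
EOF

if check_audit_control "$TMP/audit_control.good" "$TMP/audit_class"; then
    echo "good file: clean, safe to copy into place and then run: audit -s"
fi
if check_audit_control "$TMP/audit_control.bad" "$TMP/audit_class"; then
    echo "bad file: unexpectedly passed"
else
    echo "bad file: rejected"
fi
```

On a real host, point the function at your edited copy and at /etc/security/audit_class, and only copy the file over /etc/security/audit_control and run audit -s once it returns 0.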

How to Change Users' Audit Characteristics

Definitions for each user are stored in the /etc/security/audit_user file. These definitions are exceptions to the flags in the audit_control file: a user with no audit_user entry is audited exactly according to the audit_control flags.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_user file.

    # cp /etc/security/audit_user /etc/security/audit_user.save

  3. Add new entries to the audit_user file.

    Each entry has the following format:

    username:always:never

    username

    Selects the name of the user to be audited.

    always

    Selects the list of audit classes that should always be audited.

    never

    Selects the list of audit classes that should never be audited.

    You can specify multiple flags by separating the audit classes with commas. For more information about audit flags, see Audit Classes and Their Audit Flags.

  4. Make the new data available to the auditing daemon.

    The audit_user entries are read at login time to build the user's process audit mask, so sessions that are already running keep their old mask. To use the new data, either reboot the system or have the user log out and then log back in again.
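To see which classes an audit_user entry leaves in effect for a user at the next login, the following shell function, added here as an example and not part of the original documentation, combines the two files the way the definitions above describe: it starts from the flags: line of audit_control, adds the user's always classes, and removes the never classes. It compares class names only, stripping any ^, + or - prefix, so it does not model the separate success and failure masks that the kernel keeps; that simplification is the example's own. Both input files are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Effective audit classes for a user = (audit_control flags + always) - never.
# Example code, not from the Solaris documentation; all sample files are constructed.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ex
minfree:10
naflags:lo
EOF

# Constructed audit_user sample: username:always:never
cat > "$TMP/audit_user" <<'EOF'
root:lo,na,ex:
jdoe:fw:ex
EOF

# strip_prefix CLASS  -> class name without a leading ^, + or -
strip_prefix() {
    n=${1#^}; printf '%s\n' "${n#[+-]}"
}

# effective_classes USER AUDIT_CONTROL AUDIT_USER
# Prints the comma-separated classes in effect for USER at the next login.
effective_classes() {
    user=$1; ctl=$2; usr=$3
    sys=$(sed -n 's/^flags://p' "$ctl" | head -n 1)      # system-wide flags
    entry=$(grep "^$user:" "$usr" | head -n 1)            # empty if no user entry
    always=${entry#*:}; always=${always%%:*}
    never=${entry##*:}

    # Normalise the never list to ",a,b," form for substring membership tests.
    nev=,
    oldifs=$IFS; IFS=,
    for c in $never; do
        [ -n "$c" ] || continue
        nev="$nev$(strip_prefix "$c"),"
    done

    out=
    for c in $sys $always; do
        [ -n "$c" ] || continue
        c=$(strip_prefix "$c")
        case $nev in *",$c,"*) continue ;; esac          # never wins over always
        case ",$out," in *",$c,"*) continue ;; esac       # already present
        out=${out:+$out,}$c
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

for u in root jdoe nobody; do
    echo "$u: $(effective_classes "$u" "$TMP/audit_control" "$TMP/audit_user")"
done
```

With the sample files, root gets lo,ex,na, jdoe gets lo,fw (ex is removed by the never field even though it is in the system-wide flags), and a user with no entry gets the plain audit_control flags, lo,ex.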
