sun.com   |  docs.sun.com
How To Buy  |  My Sun  |  Worldwide Sites
         
 
Sun Microsystems Logo
 Products and Services
 		 Support and Training
 
 
System Administration Guide: Security Services >> 22.  Managing the BSM Service (Tasks) >> Configuring Audit Files (Task Map) >> How to Add Audit Events 

Previous Previous     Contents     Index     Next Next

Example--Adding a New Audit Event

This example shows an entry that defines a new audit event for a local application.

# grep localapp /etc/security/audit_event
32768:AUE_localapp:localapp(1):ta

Configuring the Auditing Service (Task Map)

This section covers the tasks that are required to configure and enable the auditing service. The following task map describes the tasks that are required to configure the auditing service.

Task

Description

For Instructions

1. (Optional) Change the audit configuration files

Selects which events, classes, and users require auditing.

Configuring Audit Files (Task Map)

2. Create audit partitions

Creates the partitions for the audit files.

How to Create Partitions for Auditing

3. Create the audit_warn alias

Defines who should get email warnings.

How to Configure the audit_warn Alias

4. (Optional) Change audit policies

Defines additional audit records or auditing conditions.

How to Enable or Disable an Audit Policy

5. Enable auditing

Turns on auditing.

How to Enable Auditing

6. (Optional) Disable auditing

Turns off auditing.

How to Disable Auditing

7. (Optional) Start device allocation

Selects which removable media should be accessed in a more secure mode.

Managing Device Allocation (Tasks)

ProcedureHow to Create Partitions for Auditing

The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

  1. Become superuser or assume an equivalent role.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. However, the disk space requirements are based on how much auditing you perform. So, your requirements might be far greater than this figure. Remember to include a partition for a directory of last resort.

  3. Create dedicated audit partitions, as needed.

    This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see "Creating a UFS File System" in System Administration Guide: Basic Administration.

    # newfs /dev/rdsk/cwtxdysz

    where /dev/rdsk/cwtxdysz is the raw device name for the partition.

    If the local host is to be audited, create an audit directory of last resort for the local host as well.

  4. Create mount points for each new partition.

    # mkdir /var/audit/server-name.n

    Where server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.

  5. Add entries to automatically mount the new partitions.

    Add a line to the /etc/vfstab file that resembles the following:

    /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes

  6. (Optional) Remove the minimum free space threshold on each partition.

    If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.

    # tunefs -m 0 /var/audit/server-name.n

  7. Mount the new audit partitions.

    # mount /var/audit/server-name.n

  8. Create audit directories on the new partitions.

    # mkdir /var/audit/server-name.n/files

  9. Correct the permissions on the mount points and new directories.

    # chmod -R 750 /var/audit/server-name.n/files

  10. (Optional) On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file.

    share -F nfs /var/audit/server-name.n/files

  11. (Optional) On a file server, restart the NFS service.

    If this command is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart the daemons. Refer to "Setting Up NFS Services" in System Administration Guide: Resource Management and Network Services for more information about the NFS service.

    # /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start

Example--Creating an Audit Directory of Last Resort

All systems that run the auditing subsystem should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Since this file system is only used locally, none of the steps for a file server are followed.

# newfs /dev/rdsk/c0t2d0
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret ufs  2  yes  -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files

Example--Creating New Audit Partitions

In this example, a new file system is created on two new disks that are to be used by other systems in the network.

# newfs /dev/rdsk/c0t2d0
# newfs /dev/rdsk/c0t2d1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2  yes  -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2  yes  -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
 share -F nfs /var/audit/egret.1/files
 share -F nfs /var/audit/egret.2/files
# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start

ProcedureHow to Configure the audit_warn Alias

The audit_warn script generates mail to an alias that is called audit_warn. To send this mail to a valid email address, you can follow either of the following options:

  1. Become superuser or assume an equivalent role.

  2. Configure the audit_warn mail alias.

    OPTION 1 -

    Replace the audit_warn alias with another mail account in the audit_warn script.

    After you replace audit_warn with the root account, the line that sends the email message would resemble the following:

    /usr/ucb/mail -s "$SUBJECT" root

    Ten lines in the audit_warn script require this change.

    OPTION 2 -

    Redirect the audit_warn email to another mail account.

    In this case, you would add the audit_warn alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn alias:

    audit_warn: root

Previous Previous     Contents     Index     Next Next
 
Copyright 1994-2003 Sun Microsystems