
Logging, Accounting,

Auditing in Solaris 10
Dr. Ruediger Riediger
SunCERT / IT Security Monitoring
Sun Microsystems GmbH

Logging

© 2009, Sun Microsystems Inc. 2


System Log - syslogd(1M)
• System service: svc:/system/system-log
• Reads from the STREAMS log driver /dev/log
• Optionally listens on 514/udp
> Default: off
> Deprecated: LOG_FROM_REMOTE in /etc/default/syslogd
> Check status:
# svccfg -vs svc:/system/system-log listprop config/log_from_remote
• Configuration file /etc/syslog.conf
• Format:
> time host process: [ID msgid facility.priority] message
Facilities and severity
• Facilities: user, kern, mail, daemon, auth, lpr, news, uucp, cron, audit, local0-7, mark
• Severities: emerg, alert, crit, err, warning, notice, info, debug, [none]
• Log to console
> /dev/sysmsg
• Log into file
> /var/adm/messages
• Post to (logged in) users
> *, root
• Send via udp (e.g. to LOGHOST)
> @loghost



Simple log integrity/heartbeat
• Syslog can write a mark (timestamp) message to the log file
> Written with facility/priority mark.info
> Default: every 20 minutes
• Format:
> time host -- MARK --
• Use it to detect gaps in the log file
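A gap check over MARK lines, added here as an illustration and not taken from the slides: it parses syslog lines in the format shown above and flags every interval that is longer than the mark interval (plus a little slack) or that runs backwards. The sample lines and the year 2009 are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the slide's format (time host -- MARK --), with one ordinary
# syslog line mixed in. Syslog time stamps carry no year, so the caller supplies it.
SAMPLE_LOG = """\
Apr 27 12:00:00 host1 -- MARK --
Apr 27 12:20:00 host1 -- MARK --
Apr 27 12:25:13 host1 sshd[1234]: [ID 123456 auth.info] constructed message
Apr 27 12:40:00 host1 -- MARK --
Apr 27 14:00:00 host1 -- MARK --
Apr 27 14:20:00 host1 -- MARK --
"""

MARK_RE = re.compile(r'^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ -- MARK --$')


def parse_marks(text, year):
    """Return the time stamps of all MARK lines, in file order."""
    marks = []
    for line in text.splitlines():
        m = MARK_RE.match(line)
        if m:
            stamp = ' '.join(m.group(1).split())   # "Apr  7" -> "Apr 7"
            marks.append(datetime.strptime('%d %s' % (year, stamp), '%Y %b %d %H:%M:%S'))
    return marks


def find_gaps(marks, interval_min=20, slack_min=2):
    """Return (previous_mark, next_mark, minutes) for every interval that is longer
    than the mark interval plus slack, or that runs backwards (clock set back:
    a sign of a missing NTP source or of a log that was edited)."""
    gaps = []
    for prev, cur in zip(marks, marks[1:]):
        minutes = (cur - prev).total_seconds() / 60.0
        if minutes < 0 or minutes > interval_min + slack_min:
            gaps.append((prev, cur, minutes))
    return gaps


if __name__ == '__main__':
    for prev, cur, minutes in find_gaps(parse_marks(SAMPLE_LOG, 2009)):
        print('gap of %.0f min between %s and %s' % (minutes, prev, cur))
```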



Non-Syslog log files
• /var/adm/sulog – text log for su(1M)
• /var/adm/loginlog – failed logins via login(1)
• /var/cron/log – text log for cron(1M)
• /var/svc/log/*.log – service management logs
• /var/fm/fmd/{err,flt}log – fault management binary logs, review via fmdump(1M)
• /var/log/xferlog – in.ftpd(1M) access log
• /var/{apache,apache2}/logs/*_log – apache(1M) web server log files



Log Rotation - logadm(1M)
• Cron driven log rotation tool
> 10 3 * * * /usr/sbin/logadm
• Configuration file /etc/logadm.conf
• Good for all endlessly growing log files, text and binary
• Supported options:
> Rotate on size or time period
> Execute command before, during, or after rotation
> Compress, rename, or purge rotated files



Log file management
• Use NTP to ensure correct time stamps
• Group logs according to sources (facilities)
> auth → /var/log/authlog
> daemon → /var/log/daemonlog
> user → /var/log/userlog
• Use your record retention policy to determine log rotation
> If in question: rotate daily and keep for 30 days
'/var/log/{auth,user,daemon,sys}log' -a 'kill -HUP `cat /var/run/syslog.pid`' -p 1d -A 30d -z 1



Logging failed logins to loginlog
• login(1) logs failed login attempts, but not by default:
> Check loginlog(4), and create the loginlog file
– # touch /var/adm/loginlog
– # chmod 600 /var/adm/loginlog
– # chgrp sys /var/adm/loginlog
> By default only reports 5 successive failed login attempts
• Configurable in /etc/default/login, but cannot log every failed attempt
> RETRIES=1 … 15



Logging failed logins to syslog
• Use syslog: configure policy in /etc/default/login
> Reports to auth.notice & auth.crit
> SYSLOG=YES
> SYSLOG_FAILED_LOGINS=0 records every failed login... but
> requires: RETRIES=1
– Also affects account locking
– Defines “grace” attempts, not counting as invalid
– Confusing documentation!
> Does not record non-existing user names (ever typed your password as user name?)



Logging failed ssh logins
• Nothing to do – works out of the box
• Check configuration in /etc/ssh/sshd_config
> SyslogFacility auth
> LogLevel info



Best Practices
• Forward to secure logging server, e.g. from local zone into global zone
> Define “loghost” as global zone IP on local zone
> Allow global zone syslogd to receive messages
• Review file permissions
> Writable & readable only by the owner
> Prevents unprivileged users from changing or reading log files
• Include log files in backup



Review Log files
• Establish a baseline of expected events and escalate exceptions if required
• Use a host-based IDS to detect abnormal behavior



Accounting



last(1) - login and logout information
• Based on /var/adm/wtmpx
• Always use “last -a” (prints the host name last, so long host names are not truncated)
• Format:
> user tty from until (duration) host
• Includes reboot information (user: reboot)
• Requires full wtmpx
> Beware of log rotation caused by accounting (through runacct(1M))!



Example: last
user1 console Mon Apr 27 12:24 - 13:42 (1+01:17) :0
user1 pts/2 Mon Apr 27 07:43 - 04:03 (20:20) XXX.sun.com
user1 sshd Mon Apr 27 07:43 - 07:43 (00:00) XXX.sun.com
user2 pts/1 Mon Apr 27 05:06 - 10:04 (04:58) YYY.sun.com
user2 sshd Mon Apr 27 05:06 - 07:43 (02:37) YYY.sun.com
reboot system boot Mon Apr 27 05:05
reboot system down Mon Apr 27 05:05
user2 pts/1 Mon Apr 27 04:59 - down (00:05) YYY.sun.com
user2 sshd Mon Apr 27 04:59 - 05:04 (00:05) YYY.sun.com



(Legacy) Accounting data
• Utilities in /usr/lib/acct/*
• Connect time accounting recorded in /var/adm/wtmpx
> Entries written by various programs
> acctcon(1M) processes these records
• Process accounting recorded in /var/adm/pacct
> Entries written by kernel on process termination
> acctcom(1) processes these records
> Only ps(1) will show running processes



Enable (Legacy) System Accounting
• Required packages: SUNWaccr, SUNWaccu
• Install startup/shutdown scripts
> /etc/init.d/acct → /etc/rc2.d/S22acct, /etc/rc0.d/K22acct
> Start: /usr/lib/acct/startup
> Stop: /usr/lib/acct/shutacct
• Prime/Nonprime configuration: /etc/acct/holidays
> Lines starting with '*' are comments
> First line sets current year and starting times
> Successive lines define holidays (only date is used)
> Must be updated every year
Maintaining Accounting Data
• User: adm
> Every hour: /usr/lib/acct/ckpacct – periodically checks the size of /var/adm/pacct
> Daily: /usr/lib/acct/runacct – nightly accounting, reports in /var/adm/acct/nite/*, summary in /var/adm/acct/sum/*
> Monthly: /usr/lib/acct/monacct – monthly summary, reports in /var/adm/acct/fiscal/*
• Administrator (root) only:
> Weekly: /usr/lib/acct/dodisk – required for disk accounting
Example crontabs
• crontab -l adm
00 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

• crontab -l root
30 22 * * 4 /usr/lib/acct/dodisk



Accounting reports
• Last Login Date: /var/adm/acct/sum/loginlog
> Daily generated by /usr/lib/acct/lastlogin
• Monthly reports: /var/adm/acct/fiscal/*
> Total Command Summary: cmsMM
> Total Accounting Summary: tacctMM
> Readable report: fiscrptMM
• Daily reports: /var/adm/acct/sum/*
> Accumulated Command Summary: cms
> Daily Accounting: tacctMMDD
> Readable report: rptMMDD



Example: acctcom
COMMAND                                START    END      REAL    CPU     MEAN
NAME       USER     TTYNAME             TIME     TIME     (SECS)  (SECS)  SIZE(K)
less       root     pts/6               14:35:59 14:38:51 172.56  0.01    1680.00
sh         root     pts/6               14:35:59 14:38:51 172.56  0.01    2392.00
man        root     pts/6               14:35:59 14:38:51 172.64  0.01    4336.00
tcsh       root     pts/6               14:38:55 14:38:55 0.01    0.01    1976.00
#sendmail  root     ?                   13:19:09 13:19:09 0.23    0.02    6644.00
sendmail   user1    ?                   13:19:09 13:19:09 0.54    0.05    5116.80
#identd    nobody   ?                   13:19:09 13:19:09 0.02    0.01    2264.00
#sendmail  root     ?                   13:19:09 13:19:10 1.09    0.01    8280.00
#sendmail  root     ?                   13:21:07 13:21:07 0.01    0.01    1120.00

Example: prtacct
LOGIN         CPU (MINS)     KCORE-MINS         CONNECT (MINS)   DISK       # OF   # OF  # DISK   FEE
UID  NAME     PRIME  NPRIME  PRIME  NPRIME      PRIME  NPRIME    BLOCKS     PROCS  SESS  SAMPLES
0    TOTAL    0      192     0      16284682    0      27386     68887728   20380  195   32       0
0    root     0      14      0      448891      0      0         31808798   3337   0     2        0
1    daemon   0      0       0      0           0      0         24         0      0     2        0
2    bin      0      0       0      0           0      0         756        0      0     2        0
4    adm      0      0       0      9           0      0         3878       630    0     2        0
5    uucp     0      0       0      0           0      0         3416       0      0     2        0
25   smmsp    0      0       0      3           0      0         8          151    0     2        0
50   gdm      0      0       0      0           0      0         4          0      0     2        0



Example: acctcms
TOTAL COMMAND SUMMARY
COMMAND   NUMBER  TOTAL        TOTAL    TOTAL     MEAN       MEAN     HOG     CHARS        BLOCKS
NAME      CMDS    KCOREMIN     CPU-MIN  REAL-MIN  SIZE-K     CPU-MIN  FACTOR  TRNSFD       READ
TOTALS    20380   16290228.00  192.25   14797.36  84735.67   0.01     0.01    40018702336  385812
firefox-  5       7188422.00   99.63    747.83    72149.49   19.93    0.13    8701902848   35107
soffice.  6       4616230.50   29.55    559.39    156209.69  4.93     0.05    2946649856   25335
thunderb  8       3924068.00   26.44    1536.49   148430.91  3.30     0.02    5315326464   10199
spamd     7       443109.12    12.29    3656.69   36050.53   1.76     0.00    3060531200   160792
imapd-20  464     24877.94     2.71     4118.54   9180.62    0.01     0.00    5853976576   42724
sshd      22      18831.21     9.02     46.90     2088.37    0.41     0.19    3069317376   339



Troubleshooting
• Date changes
> wtmpfix(1M) utility adjusts time stamps based on date change records in wtmpx
• Corrupted wtmpx
> fwtmp(1M) converts wtmpx files into ASCII (for editing), “fwtmp -ic” converts it back
• Corrupted tacct
> acctmerg(1M) converts tacct files into ASCII (for editing), “acctmerg -i” converts it back
> Merge with tacct.prev for consistency



Troubleshooting
• File size limit
> Some accounting binaries are not large-file aware
> /var/adm/pacct with ~2GB in size might cause trouble
> This should not happen if ckpacct(1M) is run regularly (it runs “turnacct switch”)
> Manually run runacct(1M)
• runacct failures
> Review /var/adm/acct/nite/activeMMDD
> Remove .../nite/lastdate, .../nite/lock*
> “runacct MMDD” as user adm to rerun for a specific date



Extended Accounting data
• New in Solaris 10, part of Resource Manager
• Based on Projects
> Labels usage records with the project they belong to
• Process accounting recorded in /var/adm/exacct/proc
• Task accounting recorded in /var/adm/exacct/task
• Flow accounting recorded in /var/adm/exacct/flow
• Records are accessed through libexacct(3LIB)
Enable Extended System Accounting
• Part of core Solaris installation
• Create /etc/acctadm.conf
> # acctadm -e extended -f /var/adm/exacct/proc process
> # acctadm -e extended,mstate -f /var/adm/exacct/task task
> # acctadm -e extended -f /var/adm/exacct/flow flow
• Install startup/shutdown scripts
> /etc/init.d/acctadm → /etc/rc2.d/S22acctadm, /etc/rc0.d/K22acctadm
> Runs /usr/sbin/acctadm -u
> Actually doesn't do anything on shutdown
• Can run in parallel with legacy accounting
Printing exacct records: dumpexacct
#!/usr/bin/perl
use strict;
use warnings;
use Sun::Solaris::Exacct qw(:EXACCT_ALL);

die("Usage is dumpexacct <exacct file>\n") unless (@ARGV == 1);

# Open the exacct file and display the header information.
my $ef = ea_new_file($ARGV[0], &O_RDONLY) || die(ea_error_str());
printf("Creator:  %s\n", $ef->creator());
printf("Hostname: %s\n\n", $ef->hostname());

# Dump the file contents, one object (record or group) at a time.
while (my $obj = $ef->get()) {
    ea_dump_object($obj);
}

# Report any errors; EXR_EOF only means the file was read to its end.
if (ea_error() != EXR_OK && ea_error() != EXR_EOF) {
    printf("\nERROR: %s\n", ea_error_str());
    exit(1);
}
exit(0);



lastcomm(1) - last commands executed
• Works on records from legacy and extended accounting
> lastcomm -f /var/adm/pacct
> lastcomm -f /var/adm/exacct/proc
• Lists terminated processes



Example: lastcomm
ls root pts/6 0.01 secs Wed May 6 14:28
mv S root pts/6 0.01 secs Wed May 6 14:28
tail root pts/6 0.01 secs Wed May 6 14:28
tcsh F root pts/6 0.00 secs Wed May 6 14:28
sendmail SF root __ 0.02 secs Wed May 6 14:27
identd S nobody __ 0.01 secs Wed May 6 14:27
sendmail user1 __ 0.05 secs Wed May 6 14:27
sendmail SF root __ 0.02 secs Wed May 6 14:27
sendmail F root __ 0.00 secs Wed May 6 14:27
identd S nobody __ 0.01 secs Wed May 6 14:27
sendmail SF root __ 0.02 secs Wed May 6 14:27
procmail S user1 __ 0.04 secs Wed May 6 14:27
procmail F user1 __ 0.00 secs Wed May 6 14:27
whatlist user1 __ 0.12 secs Wed May 6 14:27
procmail F user1 __ 0.00 secs Wed May 6 14:27



So what is useful, security wise?
• last(1): /var/adm/wtmpx is valuable for login records
• lastcomm(1): /var/adm/pacct or /var/adm/exacct/proc is valuable for reviewing terminated processes
• Don't forget to rotate these logs:
> Legacy: “ckpacct” or “turnacct switch”
> Extended: “logadm” with “-b 'acctadm -x process' -a 'acctadm -e extended process'”



Caveats
• Legacy Accounting cycles /var/adm/wtmpx
• Records program file names (only) for accounting
> No path information
• Records effective user id ($>)
> Setuid: changes effective user id
> No information on real user id ($<)



Auditing



BSM – Basic Security Module
• C2 compliant Auditing [historic]
> provide system level audit trail
> audit the use of identification and authentication
mechanisms
> audit file access (open, close, read, write, create) and
program initiation
> audit file/object deletion
> audit administrative actions
• Solaris SunSHIELD
> Kernel Auditing, User-space hooks
> Device Allocation Mechanism
Why do you need it?
• 80% of successful attacks originate on the inside of a network – by authorized users
• Monitoring a system might show that root is editing a system file. But who is root?
• Roles allow restrictions on access to privileged accounts
• Auditing tracks real (login) and effective user id and associates it with activity
• Caveat: what is expected behavior?
• Performance: yes, you will see impact
Resources
• Auditing Blueprint
http://www.sun.com/blueprints/0201/audit_config.pdf
• Solaris Security Toolkit (JASS)
http://www.sun.com/software/security/jass/
• System Administration Guide: Security Services
http://dlc.sun.com/pdf/816-4557/816-4557.pdf



How to enable?
• Configure /etc/security/audit_*
> /etc/security/audit_startup
> /etc/security/audit_control
> /etc/security/audit_user
• Change to “Single User” (system maintenance) mode
• Enable and reboot
> # /usr/sbin/shutdown -i1
> # /etc/security/bsmconv
> # /usr/sbin/shutdown -i6



bsmconv(1M)
• Enables audit daemon: svc:/system/auditd
• Enables c2audit kernel module in /etc/system
• Disables volume manager:
svc:/system/filesystem/volfs
• Enables device allocation: mkdevalloc(1M)
• Recommended: disable keyboard abort (Stop-A)
> Was default for Solaris <10
> In /etc/default/kbd: KEYBOARD_ABORT=disable
> Make current: /usr/bin/kbd -i
> If left enabled, can be audited for
How does it work?
• Kernel loads c2audit module
• Through SMF:
> /etc/security/audit_startup is executed
> /usr/sbin/auditd is started
• Kernel selects events according to mask
> audit_control flags & audit_user
• Kernel sends events to auditd
• auditd records events
> configuration from audit_control



audit_startup(1M)
• Initializes the audit subsystem
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +argv # or +argv,arge
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf

• Record current system status
control_dir=`/usr/bin/grep '^dir:' /etc/security/audit_control | \
    /usr/bin/sed 's/.*://' | /usr/bin/tr -s ',' ' '`
for dir in ${control_dir} /var/audit; do
    if [ -d ${dir} -a -w ${dir} ]; then break; fi
done
stamp=`/usr/bin/date '+%Y%m%d%H%M%S'`
host=`/usr/bin/hostname`
/usr/bin/ps -ef > ${dir}/${stamp}.startup.${host}
/usr/bin/svcs -a > ${dir}/${stamp}.smf.${host}



audit_control(4)
• Contains control information for system audit daemon
dir:/var/audit/mp/hostname (e.g. mounted via NFS)
dir:/var/audit/hostname (e.g. local)
flags:lo,ad,am
minfree:20
naflags:lo,na,ad,am
• Make directory readable/writable for owner only
• If /var/audit is on a dedicated file system:
> # /usr/sbin/tunefs -m 0 /var/audit



audit_user(4)
• Stores per-user auditing preselection data
• E.g. use for all roles
root:lo,am,ex,cs,cf,vs:no
• Selection options: ex, +ex, -ex, ^ex



audit_class(4) and audit_event(4)
• Stores class definitions and maps events to classes
• Listing all events:
> # bsmrecord -ha > bsmrecord.html
• Allows custom classes in audit_class:
0x01000000:cs:custom audit events
0x02000000:cf:custom ancillary audit events
0x04000000:vs:virtualization_software
• Add cs,cf to selected events in audit_event:
10:AUE_CHMOD:chmod(2):fm,cf
11:AUE_CHOWN:chown(2):fm,cs
...
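How the class masks in audit_class and the flags strings in audit_control and audit_user combine to preselect events, as an added Python example (not from the slides and not Solaris code): it parses both file formats, builds separate success and failure masks from a flags string, and lists the events a flags string selects. The cs, cf and vs masks and the event lines are the ones shown on the slides; the fm, pm and ex masks are constructed sample values.

```python
# Constructed fragments in audit_class(4) and audit_event(4) format. The cs, cf and vs
# masks and the event lines are taken from the slides; the fm, pm and ex masks are
# sample values for this example, not a copy of the system files.
AUDIT_CLASS = """\
0x00000008:fm:file attribute modify
0x00040000:pm:process modify
0x40000000:ex:exec
0x01000000:cs:custom audit events
0x02000000:cf:custom ancillary audit events
0x04000000:vs:virtualization_software
0xffffffff:all:all classes
"""
AUDIT_EVENT = """\
10:AUE_CHMOD:chmod(2):fm,cf
11:AUE_CHOWN:chown(2):fm,cs
24:AUE_CHROOT:chroot(2):pm,cs
40700:AUE_ldoms:ldoms administration:vs
"""


def parse_audit_class(text):
    """Map class name -> bit mask from 'mask:name:description' lines."""
    classes = {}
    for line in text.splitlines():
        if line and not line.startswith('#'):
            mask, name, _desc = line.split(':', 2)
            classes[name] = int(mask, 16)
    return classes


def parse_audit_event(text):
    """Map event number -> (name, [classes]); the description may itself contain ':'."""
    events = {}
    for line in text.splitlines():
        if line and not line.startswith('#'):
            num, name, rest = line.split(':', 2)
            _desc, _sep, cls = rest.rpartition(':')
            events[int(num)] = (name, cls.split(','))
    return events


def flags_to_masks(flags, classes):
    """Turn a flags string (audit_control 'flags:' line or audit_user entry) into a
    (success_mask, failure_mask) pair: 'ex' selects both outcomes, '+ex' only
    successful events, '-ex' only failed ones; a leading '^' removes instead of adds."""
    success = failure = 0
    for item in flags.split(','):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith('^')
        item = item.lstrip('^')
        on_success = on_failure = True
        if item.startswith('+'):
            on_failure = False
        elif item.startswith('-'):
            on_success = False
        mask = classes[item.lstrip('+-')]   # unknown class name raises KeyError
        if on_success:
            success = success & ~mask if remove else success | mask
        if on_failure:
            failure = failure & ~mask if remove else failure | mask
    return success & 0xffffffff, failure & 0xffffffff


def selected_events(flags, classes, events, succeeded=True):
    """Names of the events 'flags' preselects, for successful or for failed events."""
    success_mask, failure_mask = flags_to_masks(flags, classes)
    mask = success_mask if succeeded else failure_mask
    return [name for _num, (name, cls) in sorted(events.items())
            if any(classes.get(c, 0) & mask for c in cls)]
```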



JASS suggestion for audit_event(4)
10:AUE_CHMOD:chmod(2):fm,cf
11:AUE_CHOWN:chown(2):fm,cs
24:AUE_CHROOT:chroot(2):pm,cs
38:AUE_FCHOWN:fchown(2):fm,cs
39:AUE_FCHMOD:fchmod(2):fm,cf
40:AUE_SETREUID:setreuid(2):pm,cs
69:AUE_FCHROOT:fchroot(2):pm,cs
200:AUE_SETUID:old setuid(2):pm,cs
203:AUE_NICE:old nice(2):pm,cs
212:AUE_PRIOCNTLSYS:priocntlsys(2):pm,cs
215:AUE_SETEUID:seteuid(2):pm,cs
237:AUE_LCHOWN:lchown(2):fm,cs
251:AUE_ACLSET:acl(2) - SETACL command:fm,cf
252:AUE_FACLSET:facl(2) - SETACL command:fm,cf
40700:AUE_ldoms:ldoms administration:vs



audit(1M)
• Communicates with auditd(1M)
• Always use audit(1M)
> “audit -s” – starts auditd or re-reads configuration files
> “audit -n” – closes and opens log files



audit_warn(1M)
• Script to report all auditing warnings/errors
• Only called if audit_binfile.so.1 plugin is used
• Requires “audit_warn” email alias to be configured in /etc/mail/aliases
> audit_warn: root
• Uses logger(1) to record to syslog daemon.alert facility – make sure it is captured



Rotating audit logs?
• No default script for rotating logs
• Leverage logadm(1M) for rotation? Possible...
• Run a new script audit_turn once per week
> crontab -l root
05 02 * * 0 /etc/security/audit_turn



audit_turn (I)
#!/bin/sh

# Close the current audit file and open a new one
/usr/sbin/audit -n
/usr/bin/sleep 1

# Directory holding the active audit file, taken from audit_data
data_dir=`/usr/bin/grep '^[0-9]*:' /etc/security/audit_data | \
    /usr/bin/sed 's/.*://' | \
    /usr/bin/sed 's/\/[^\/]*$//'`
for dir in ${data_dir} /var/audit; do
    if [ -d ${dir} -a -w ${dir} ]; then break; fi
done
# Base name of the active (still open) audit file, which must not be touched
current=`/usr/bin/grep '^[0-9]*:' /etc/security/audit_data | \
    /usr/bin/sed 's/.*:.*\///'`
[ -n "${current}" ] || exit 1

...



audit_turn (II)
...
cd ${dir} || exit 1
host=`/usr/bin/hostname`
# 14 digits: the YYYYMMDDHHMMSS time stamp every audit file name starts with
ts='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# Merge all closed not_terminated files (except the active one) into one trail
/usr/sbin/auditreduce -O ${host} \
    `ls -1 ${ts}.not_terminated.${host} | grep -v ${current}`
rm -f dummy `ls -1 ${ts}.not_terminated.${host} | grep -v ${current}`

# Keep the 9 newest merged trails and the 3 newest startup/smf snapshots
# ("dummy" gives rm an argument even when ls returns nothing)
rm -f dummy `ls -1t ${ts}.${ts}.${host} | sed -e 1,9d`
rm -f dummy `ls -1t ${ts}.startup.${host} | sed -e 1,3d`
rm -f dummy `ls -1t ${ts}.smf.${host} | sed -e 1,3d`



Analyzing the audit trail
• auditreduce(1M) – Select specific time intervals, audit ids, user ids, event classes, etc.
• praudit(1M) – Translate the binary audit log into user readable records
> -x: XML format, see /usr/share/lib/xml/dtd/adt_record.dtd.1 and /usr/share/lib/xml/style/adt_record.xsl.1
• Audit record (binary) files in /var/audit:
> YYYYMMDDHHMMSS.YYYYMMDDHHMMSS.hostname



Select specific trails
• auditreduce -c lo -O lo.summary
> Select only login/logout (“lo”) events from audit records
• auditreduce -m 113
> Select specific event (113 = “system booted”)
• auditreduce -e user1 -u user1
> Select records for effective uid “user1” which is also the audit id “user1”
• auditreduce -z zonename
> Select records for specified zone
• Check the manual page for auditreduce(1M) for more selection options
What all records have in common
• See audit.log(4)
• Header token
> Names event
• Subject token
> No rule without exception: prom, system boot (“na”)
• Return token
> Captures exit value
• Trailer token (optional)
> Controlled by “auditconfig -setpolicy +trail”



Example audit record
header,208,2,cron-invoke,,host name,2009-04-26 02:13:00.138 -07:00
subject,user1,root,root,root,root,9241,3255852094,8818 196630 XXX.Sun.COM
text,crontab-job
text,command
return,success,0
zone,zone name

<record version="2" event="cron-invoke" host="host name" iso8601="2009-04-26 02:13:00.138 -07:00">
  <subject audit-uid="user1" uid="root" gid="root" ruid="root" rgid="root" pid="9241" sid="3255852094" tid="8818 196630 XXX.Sun.COM"/>
  <text>crontab-job</text>
  <text>command</text>
  <return errval="success" retval="0"/>
  <zone name="zone name"/>
</record>



Header token
• Format:
> Token id (“header”)
> Byte length of record (including “header” and “trailer”)
> Version of audit record structure (“2” for Sol10)
> Audit event type (see “bsmrecord(1M)”)
> Event modifier for ancillary description
> Machine address (IPv4,IPv6)
> Date and time (down to nanoseconds)



Subject token
• Format:
> Token id (“subject”)
> Audit id
> Effective user id, effective group id
> Real user id, real group id
– If unavailable: “-1”
> Process id (PID)
> Audit session id (SID)
– If unavailable: “-1”
> Terminal id (TID)
– Either Machine id: Port + IP type + IP address
– Or Device id: device number
Text token
• Format:
> Token id (“text”)
> Text length
> Text string



Return token
• Format:
> Token id (“return”)
> Error status
– String, e.g. “success”, “failure: Invalid argument”
> Return value
– Numeric, e.g. “0” (all okay), “-1” (error)



Trailer token
• Format:
> Token id (“trailer”)
> magic number
– Aids marking the end of the record
– Will not be displayed using “praudit”
> Byte length of record (including “header” and “trailer”)
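A parser for the praudit text format, added as an example and not part of the slides: it splits the comma-separated tokens described on the header, subject, text, return and zone slides into one dict per record, then answers the “who is root?” question by listing records whose audit id differs from the effective uid, and lists records whose return token is not a success. The first sample record is the one from the “Example audit record” slide; the second is constructed.

```python
# Sample praudit output: the record from the "Example audit record" slide followed by a
# second, constructed record with a failed return token.
SAMPLE = """\
header,208,2,cron-invoke,,host name,2009-04-26 02:13:00.138 -07:00
subject,user1,root,root,root,root,9241,3255852094,8818 196630 XXX.Sun.COM
text,crontab-job
text,command
return,success,0
zone,zone name
header,100,2,constructed-event,,host name,2009-04-26 02:15:00.000 -07:00
subject,user2,user2,staff,user2,staff,9300,3255852100,8819 196631 XXX.Sun.COM
text,constructed text
return,failure: Invalid argument,-1
zone,zone name
"""

# Field names follow the token slides; praudit prints them comma-separated in this order.
HEADER_FIELDS = ('length', 'version', 'event', 'modifier', 'host', 'time')
SUBJECT_FIELDS = ('audit_uid', 'uid', 'gid', 'ruid', 'rgid', 'pid', 'sid', 'tid')


def parse_records(text):
    """Group praudit text output into records: every 'header' token starts a new one."""
    records, rec = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _sep, rest = line.partition(',')
        if token == 'header':
            rec = {'header': dict(zip(HEADER_FIELDS, rest.split(',', 5))), 'text': []}
            records.append(rec)
        elif rec is None:
            raise ValueError('token before first header: %r' % line)
        elif token == 'subject':
            rec['subject'] = dict(zip(SUBJECT_FIELDS, rest.split(',', 7)))
        elif token == 'text':
            rec['text'].append(rest)
        elif token == 'return':
            # the error status is a string such as "failure: Invalid argument";
            # the numeric return value is always the last field
            errval, _sep, retval = rest.rpartition(',')
            rec['return'] = {'errval': errval, 'retval': retval}
        elif token == 'zone':
            rec['zone'] = rest
        else:
            rec.setdefault('other', []).append(line)   # trailer and tokens not modelled here
    return records


def privilege_use(records):
    """Records whose audit (login) id differs from the effective uid: the answer to
    'root is editing a system file, but who is root?'."""
    return [r for r in records
            if 'subject' in r and r['subject']['audit_uid'] != r['subject']['uid']]


def failures(records):
    """Records whose return token reports anything other than success."""
    return [r for r in records
            if r.get('return', {}).get('errval') not in (None, 'success')]
```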



Auditing and profiles
• Audit Control – Enables a role to configure Solaris auditing
> Allows running: audit, auditd, auditconfig, bsmconv, and bsmunconv
• Audit Review – Enables a role to analyze Solaris audit records
> Allows running: praudit, auditreduce, auditstat



Auditing and zones
• Recommended: global zone for auditing
> Cannot be disabled from local zone
> In /etc/security/audit_startup
/usr/sbin/auditconfig -setpolicy +zonename
• Auditing in the local zone
> Requires running auditd in local zone
# svcadm enable svc:/system/auditd
> Uses per zone configuration from
/etc/security/audit_*
> In each /etc/security/audit_startup
/usr/sbin/auditconfig -setpolicy +perzone



Zone token
• Format:
> Token id (“zone”)
> Zone name
– Zone name as in /etc/zones/*.xml, or “global”



Auditing and syslog
• audit_syslog(5) allows sending audit data to syslog
• Data is generated in the text format, representing individual tokens, max. 1024 characters
• No “argv” or “arge” records!
• Messages are recorded in audit.notice
• Enabled in /etc/security/audit_control
> plugin: name=audit_syslog.so;p_flags=lo,+ad;qsize=512
• Beware! Uses UDP for sending, and syslog time stamp
Logging, Accounting,
Auditing in Solaris 10
Dr. Ruediger Riediger
ruediger.riediger@sun.com

