3 Replies Latest reply on Jan 23, 2020 10:29 AM by mel c

    Solaris 11.3 Auditing

    mel c

      Hi,

      We have set up auditing on our Solaris 11.3 host to, as a starting point, have an audit trail of failed login attempts to the host and to non-global zones on the host.

      The output of the following commands is as follows:

      auditconfig -getflags
      active user default audit flags = ss,lo(0x11000,0x11000)
      configured user default audit flags = ss,lo(0x11000,0x11000)

      auditconfig -getnaflags
      active non-attributable audit flags = lo,na(0x1400,0x1400)
      configured non-attributable audit flags = lo,na(0x1400,0x1400)

      auditconfig -getplugin audit_syslog
      Plugin: audit_syslog (active)
              Attributes: p_flags=lo,+as,-ss,na

      When I do a successful login to the host, it appears instantaneously in the auditlog file (in /var/adm).
      When I do an unsuccessful/failed login to the host, it only appears in the auditlog file (in /var/adm) after the session/window is closed.

      When I do a successful login into the zone, it appears instantaneously in the auditlog file (in /var/adm).
      When I do an unsuccessful/failed login into the zone, it doesn't appear in the auditlog file (in /var/adm) at all.

      How can I correct this behaviour to ensure that the failed/unsuccessful entries appear in the auditlog file?

      thanks

      Melvyn

        • 1. Re: Solaris 11.3 Auditing
          Darren Moffat-Oracle

          If you really are using 11.3 then you should not have 'ss' configured, because that only existed once 11.4 was released.

          What are you using for logins?

          The audit subsystem does not by default write to any file in /var/adm; it writes to a binary audit trail that is stored in /var/audit and processed using the auditreduce and praudit commands.
          So what file are you actually looking at?

          Have you also configured /etc/syslog.conf to send the audit_syslog output to a file or another host?

          --
          Darren J Moffat - Oracle Solaris Engineering

          • 2. Re: Solaris 11.3 Auditing
            mel c

            Hi Darren,

            We have two hosts, one running Solaris 11.3 and the other Solaris 11.4. We accept that we probably ran the same "auditconfig -setflags" commands on both.

            What are you using for logins? We are connecting through PuTTY, logging in as whichever user (e.g. joesoap).

            As per "Managing Auditing in Oracle Solaris 11.3", Part No: E54781, April 2019, pages 95-96:

            How to Configure syslog Audit Logs

            You can instruct the audit service to copy some or all of the audit records in the audit queue to the syslog utility. If you record both binary audit data and text summaries, the binary data provide a complete audit record, while the summaries filter the data for real-time review.

            Before You Begin: To configure the audit_syslog plugin, you must become an administrator who is assigned the Audit Configuration rights profile. To configure the syslog utility and create the auditlog file, you must assume the root role.

            1. Select audit classes to be sent to the audit_syslog plugin, and make the plugin active.

            Note - p_flags audit classes must be preselected as either system defaults or in the audit flags of a user or a rights profile. Records are not collected for a class that is not preselected.

            # auditconfig -setplugin audit_syslog \
            active p_flags=lo,+as,-ss

            2. Configure the syslog utility.

            a. Add an audit.notice entry to the syslog.conf file. The entry includes the location of the log file.

            # cat /etc/syslog.conf
            audit.notice /var/adm/auditlog

            b. Create the log file.

            # touch /var/adm/auditlog

            c. Set the log file's permissions to 640.

            # chmod 640 /var/adm/auditlog

            d. Check which system-log service instance is running on the system.

            # svcs system-log
            STATE STIME FMRI
            online Nov_27 svc:/system/system-log:default
            disabled Nov 27 svc:/system/system-log:rsyslog

            e. Refresh the configuration information for the active syslog service instance.

            # svcadm refresh system/system-log:default

            3. Refresh the audit service.

            The audit service reads the changes to the audit plugin upon refresh.

            # audit -s

            4. Regularly archive the syslog log files.

            The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.

            Example 29 Specifying Audit Classes for syslog Output

            In the following example, the syslog utility collects a subset of the preselected audit classes. The pf class is created in Example 15, "Creating a New Audit Class," on page 61.

            # auditconfig -setnaflags lo,na
            # auditconfig -setflags lo,ss
            # usermod -K audit_flags=pf:no jdoe
            # auditconfig -setplugin audit_syslog \
            active p_flags=lo,+na,-ss,+pf
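
An added check, written for this thread and not taken from the manual or from Oracle, that applies the note quoted above (p_flags classes must be preselected, or no records are collected for them) to the auditconfig output posted at the top of the thread; the three input lines are embedded as constructed sample strings and the function names are my own.

```shell
#!/bin/sh
# Pull the class list out of an auditconfig -getflags / -getnaflags line, e.g.
#   "active user default audit flags = ss,lo(0x11000,0x11000)"  ->  "ss,lo"
classes_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*= *\([^(]*\)(.*/\1/p'
}

# Pull the p_flags value out of an auditconfig -getplugin attribute line, e.g.
#   "Attributes: p_flags=lo,+as,-ss,na"  ->  "lo,+as,-ss,na"
pflags_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*p_flags=\([^ ]*\).*/\1/p'
}

# Print, one per line, each class named in the plugin's p_flags ($3) that is
# preselected neither in the attributable flags ($1) nor in the
# non-attributable flags ($2).  A leading + or - only narrows the plugin to
# success or failure records of that class; the class itself still has to be
# preselected, so the prefix is stripped before the comparison.
missing_plugin_classes() (
    preselected=",$1,$2,"
    IFS=,
    for cls in $3; do
        base=${cls#[+-]}
        case "$preselected" in
            *",$base,"*) ;;                 # covered by a preselection
            *) printf '%s\n' "$base" ;;      # never collected, never reaches syslog
        esac
    done
)

# Constructed sample input: the three lines posted at the top of this thread.
# On a live system, replace them with the first line of `auditconfig -getflags`,
# the first line of `auditconfig -getnaflags` and the Attributes line of
# `auditconfig -getplugin audit_syslog`.
FLAGS_LINE='active user default audit flags = ss,lo(0x11000,0x11000)'
NAFLAGS_LINE='active non-attributable audit flags = lo,na(0x1400,0x1400)'
PLUGIN_LINE='        Attributes: p_flags=lo,+as,-ss,na'

# Report the plugin classes that the posted configuration never preselects.
audit_plugin_report() {
    missing_plugin_classes \
        "$(classes_from_line "$FLAGS_LINE")" \
        "$(classes_from_line "$NAFLAGS_LINE")" \
        "$(pflags_from_line "$PLUGIN_LINE")"
}

audit_plugin_report
```

For the posted configuration the report names only `as`: it is requested in p_flags but appears in neither the attributable nor the non-attributable preselection, so the plugin will receive no records of that class.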

            • 3. Re: Solaris 11.3 Auditing
              mel c

              Does anybody have any suggestions as to what to try next?