User's Manual

Solaris 9 Security CX-310-301 30
- /etc/security/audit_user – Provides more detailed control allowing specific users and actions to be audited
- /etc/security/audit_event – Defines the events that can occur
- /etc/security/audit_class – Groups events into classes for easier management
- /etc/security/audit_data – Contains the current pid for the auditing daemon and the full pathname for the current audit log file
The file /etc/security/audit_startup is read when the daemon process is started and sets general policy values. One such value is:
auditconfig -setpolicy +cnt
which instructs the audit daemon to drop records if resources are exhausted (such as running out of disk space). This is preferable to having processes suspended instead.
Here is an example of a single class entry in /etc/security/audit_class:
0x00001000:lo:login or logout
and below are the relevant entries from /etc/security/audit_event that belong to the lo class specified above. You can see how grouping events into a class makes it easier to audit specific types of information:
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
6158:AUE_rshd:rsh access:lo
6159:AUE_su:su:lo
6162:AUE_rexecd:rexecd:lo
6163:AUE_passwd:passwd:lo
6164:AUE_rexd:rexd:lo
6165:AUE_ftpd:ftp access:lo
6171:AUE_ftpd_logout:ftp logout:lo
6172:AUE_ssh:login - ssh:lo
6173:AUE_role_login:role login:lo
6212:AUE_newgrp_login:newgrp login:lo
6213:AUE_admin_authenticate:admin login:lo
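To make the class-to-event grouping concrete, here is an added example (not part of the study guide) that parses the two file formats shown above: it resolves a class name to its mask from audit_class and lists the audit_event entries whose flag field names that class, including events that belong to more than one class. The file contents are embedded as constructed samples; only the lo line and the 615x/617x events are taken from the page, the ad and pc lines and the 620x events are made up.

```shell
#!/bin/sh
# Added example: resolve an audit class to its mask and list its events.
# Sample file contents are constructed inline so this runs off-box; the
# 'lo' class line and the 61xx events are from the guide, the rest are
# invented to show events that belong to more than one class.

AUDIT_CLASS='0x00001000:lo:login or logout
0x00000800:ad:constructed administrative class
0x00000400:pc:constructed process class'

AUDIT_EVENT='6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6159:AUE_su:su:lo
6172:AUE_ssh:login - ssh:lo
6200:AUE_fake_admin:constructed admin event:ad
6201:AUE_fake_both:constructed event in two classes:lo,ad'

# class_mask NAME -> prints the hex mask (field 1) of the class whose
# short name (field 2) matches NAME, as found in audit_class
class_mask() {
    printf '%s\n' "$AUDIT_CLASS" | awk -F: -v cls="$1" '$2 == cls { print $1 }'
}

# class_events NAME -> prints the event names (field 2) of every
# audit_event line whose comma-separated class list (field 4) contains
# NAME; comment lines and short lines are skipped
class_events() {
    printf '%s\n' "$AUDIT_EVENT" | awk -F: -v cls="$1" '
        /^#/ || NF < 4 { next }
        {
            n = split($4, flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] == cls) { print $2; break }
        }'
}

# event_count NAME -> number of events that would be recorded for the class
event_count() {
    class_events "$1" | wc -l | tr -d ' '
}

# Usage: show what auditing the lo class would actually capture
class_mask lo
class_events lo
```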
Enabling BSM
There are three steps in enabling the auditing facility:
- Run the utility /etc/security/bsmconv
- Edit the /etc/security/audit_startup file, if required (this file is only created when you run bsmconv)