Showing posts with label solaris audit. Show all posts
Showing posts with label solaris audit. Show all posts

Solved: How to enable auditing of zones from Global Zone in a Solaris10 Server

Auditing is a good way to keep logs of all the activities happening in your Solaris server. In this post we will see how to enable auditing of both global and local zones and store the logs of all in a single file in global zone.

1) In the global zone create a new FS of 20GB and mount it.

mkdir /var/audit/gaudit
mount /dev/md/dsk/d100 /var/audit/gaudit
chmod -R 750 /var/audit/gaudit

2) Modify /etc/security/audit_control and add "lo,ex" before flags and naflags as below.

vi audit_control
# Copyright (c) 1988 by Sun Microsystems, Inc.
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"

3) Modify /etc/security/audit_startup and add +argv and +zonename entries as described below. This entry will create audit logs for all zones in /var/audit/gaudit .

vi audit_startup
#! /bin/sh
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# ident "@(#)audit_startup.txt 1.1 04/06/04 SMI"

/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -setpolicy +zonename

4) Copy audit_control file to /etc/security of each zone or loopback mount them in each zone.

5) Once all the zones are configured enable the audit service by running /etc/security/bsmconv. This will require reboot of system.

6) Check audit logs in /var/audit/gaudit using

auditreduce 20170709091522.not_terminated.solaris1 | praudit

7) For checking logs of a specific zone follow below

root@solaris1 # auditreduce -z zone1 20170709091522.not_terminated.solaris1 | praudit
file,2017-07-09 16:26:00.000 +02:00,
header,160,2,execve(2),,solaris1,2017-07-09 16:26:00.697 +02:00
subject,root,root,root,root,root,2164,2187,0 0
file,2017-07-09 16:26:00.000 +02:00,
root@solaris1 #