Oracle Solaris Audit Quick Start

by Gary Winiger

Published May 2013

How to collect data about security-related system events in Oracle Solaris 11 using auditing.

The auditing subsystem of Oracle Solaris provides a log of who did what when on the system. It is useful for accountability, forensics, compliance, and deterrence. It can be configured to record a very detailed log of what a user or administrator has done on the system.

This article describes the default configuration and major differences between Oracle Solaris 10 and Oracle Solaris 11 configuration. It also discusses some ways a site may wish to customize a configuration and gives an example interpretation of a simple audit trail.

Default Setup

Oracle Solaris is delivered preconfigured for basic auditing. No further action is required to enable it. All login, logout, su, password change, screen lock, and screen unlock operations will automatically be recorded to a file in /var/audit named by the system's host name.

Different from previous releases of Oracle Solaris, the Oracle Solaris 11 default configuration has no measurable performance impact; thus, there is no reason to disable it on performance grounds.

To review the /var/audit files, an administrator with the Audit Review rights profile runs the praudit(1M) command on a file or files in that directory. The auditreduce(1M) command may be used in conjunction with praudit to review selective audit records.

A description of audit records can be found by running the auditrecord(1M) command. Further details about each audit record component can be found in audit.log(4).

More detailed information can be found in the "Auditing in Oracle Solaris" section of the Oracle Solaris 11.1 Administration: Security Services manual.

Major Usability Changes to Auditing from Oracle Solaris 10

  • There is no longer a need to reboot in order to enable or disable auditing. The bsmconv(1M) and bsmunconv(1M) scripts are gone and have been replaced by audit(1M) -s and audit(1M) -t.
  • The audit_startup(1M) script is gone and has been replaced by auditconfig(1M) -setpolicy,-setqctrl.
  • The audit_control(4) file is gone and has been replaced by auditconfig(1M) -setflags,-setnaflags,-setplugin.
  • The audit_user(4) database is gone and has been replaced by usermod(1M) -K audit_flags=always-audit-flags:never-audit-flags.
  • If global zone only audit (the default) is configured, per-user audit_flags configuration within a non-global zone will not reduce the global zone default audit flags.
  • All general administrative functions are controlled by the audit-related rights profiles: Audit Configuration, Audit Control, and Audit Review.

Custom Configuration

Some sites may wish to have custom audit configuration. The following are some things that sites may wish to configure.

  • The default is to audit all zones to a central audit log in /var/audit of the global zone. Independent per-zone audit can be configured at any time.

    If this is done before the first zone boot, it is a one step process. As an administrator granted the Audit Configuration rights profile in the global zone, run:

    auditconfig(1M) -setpolicy +perzone

    If this is done after the zone is booted, a second step is required. From within the non-global zone, as an administrator granted the Audit Control rights profile, run:

    audit(1M) -s
  • To modify the default auditing, see audit_class(4) and audit_flags(5), and run:
    auditconfig(1M) -setflags

    For example, to add auditing of common administrative actions to the default auditing, as an administrator granted the Audit Configuration rights profile, run auditconfig(1M) -getflags to observe the present default:

    auditconfig(1M) -setflags <present default>,cusa

    (The new flags take effect at the next user login or role assumption.)

  • To audit particular users (or roles) differently from the default, see audit_class(4) and audit_flags(5), and as an administrator granted the Rights Delegation rights profile, run:
    usermod(1M) -K audit_flags=always:never

    To observe a particular user's (or role's) custom audit flags, run:

    userattr(1) audit_flags <username>

Advanced Topics

More detailed information can be found in the "Auditing in Oracle Solaris" section of the Oracle Solaris 11.1 Administration: Security Services manual.

Site Customization

These are some additional things that sites may wish to customize.

  • The audit service alerts administrators to various anomalies in operation. The default action is to send e-mail to the audit_warn e-mail alias and to syslog, as daemon.alert, the anomaly. The audit_warn(1M) script may be customized to take other or additional actions.
  • The default mapping of audit events to classes in audit_event(4) may be customized by modifying the flags field.

    auditconfig(1M) -lsevent displays all the events and their current mappings. See audit_event(4).

  • The default set of audit classes may be added to by creating new class definitions using reserved "mask" values or by creating new "meta-classes" using existing mask definitions. New classes may be used to customize the default mappings noted above. See audit_class(4).

Policies to Consider

These are some audit policies that a site may wish to configure depending on the system's use.

  • If zones are present (and not independently audited), consider adding the zonename policy to distinguish in which zone audit records are generated:
    auditconfig(1M) -setpolicy +zonename

    See auditconfig(1M).

  • In environments where administrators (root) are permitted to run arbitrary commands with privilege, administrators (root) may wish to have the "ex" (exec) class of audit events (exec(2)) preselected. The "ex" class is included in the cusa meta-class noted in "Custom Configuration" above.

    Consider adding the argv policy to capture the command execution arguments:

    auditconfig(1M) -setpolicy +argv

    See auditconfig(1M), exec(2), and audit_class(4).

  • Consider adding administrative audit flags to roles. For each role <rolename>:
    rolemod(1M) -K audit_flags=cusa:no <rolename>

    See audit_class(4), audit_event(4), user_attr(4), and audit_flags(5).

Appendix A. Some Basic Oracle Solaris Auditing Terminology

More detailed information can be found in the "Auditing in Oracle Solaris" section of the Oracle Solaris 11.1 Administration: Security Services manual.

Audit Terminology and Concepts

  • Audit class: A name for a group of audit events. See audit_class(4), audit_event(4) and audit_flags(5).
  • Audit file system: A repository of audit files in binary format. The default is /var/audit.
  • Audit event: An action that is auditable. For selection purposes, like events are grouped into audit classes. See audit_class(4), audit_event(4) and audit_flags(5).
  • Audit flags: A set of audit classes that are grouped together for selecting what events are to be audited for success and/or failure. The terms audit class and audit flag or audit flags are sometimes used interchangeably.

    Per-user configuration contains two sets of flags: those to be always audited and those to be never audited. See audit_flags(5).

  • Audit policy: A set of auditing options that enable or disable various audit service-wide policies such as whether zones audit independently. See auditconfig(1M).
  • Audit record: The collection of audit tokens that make up the who, what, where, when and result of an audited action. See audit.log(4).
  • Audit token: A field of an audit record. Each audit token describes an attribute of an audit event, such as a file or an authorization used. See audit.log(4).
  • Selection: The configuration of what is to be audited for the system instance and/or user (preselection), or the filtering of what has been audited—generally for generating selective reports (post-selection).
    • Preselection: The choice of which audit events to record. System instance audit classes are configured as the audit flags with auditconfig(1M) -setflags and -setnaflags. See auditconfig(1M), audit_class(4), and audit_flags(5).
    • Post-selection: The choice of which audit records to examine. See auditreduce(1M) and praudit(1M).

Appendix B. Sample Audit File Output

Roles audconf, audrev, and audctl have been created with rights profiles Audit Configuration, Audit Review, and Audit Control. They have been assigned to the user gww. The scenario that generated the sample is:

ssh from host lethe to host holger as gww

su audconf
    fumble password
auditconfig -setpolicy +zonename
exit (from audconf role)
su audrev
auditreduce -c lo | praudit
exit (from audrev role)
su audctl
audit -n
exit (from audctl role)
su audrev
praudit /var/audit/*
exit (from audrev role)
exit (from gww)

Listing 1 shows selected auditreduce -c lo | praudit output:

header,69,2,login - ssh,,holger,2011-11-17 15:20:57.708 -08:00

subject,gww,gww,staff,gww,staff,101430,1373655831,14820 202240 lethe
return,success,0
header,80,2,su,fe,holger,2011-11-17 15:21:07.564 -08:00
subject,gww,root,staff,gww,staff,101436,1373655831,14820 202240 lethe
text,audconf
return,failure,Authentication failed
header,80,2,su,fe,holger,2011-11-17 15:21:20.486 -08:00
subject,gww,root,staff,gww,staff,101437,1373655831,14820 202240 lethe
text,audconf
return,failure,Authentication failed
header,69,2,role login,,holger,2011-11-17 15:21:39.121 -08:00
subject,gww,audconf,staff,audconf,staff,101438,1373655831,14820 202240 lethe
return,success,0
header,79,2,role logout,,holger,2011-11-17 15:21:52.022 -08:00
subject,gww,audconf,staff,audconf,staff,101438,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,role login,,holger,2011-11-17 15:22:05.047 -08:00
subject,gww,audrev,staff,audrev,staff,101441,1373655831,14820 202240 lethe
return,success,0
zone,global

Listing 1

Listing 2 shows selected praudit /var/audit/* output after audrev and gww exit:

Note: Notice the file token at the beginning showing the name of the file as it was closed by audit -n and subsequent file tokens at the end of the first audit file and beginning of the second showing chaining of the audit file names. Notice the different order of tokens in the kernel audit events such as those for pfexec.

file,2011-11-17 15:20:05.724 -08:00,/var/audit/20111117231838.20111117232005.holger


header,69,2,role login,,holger,2011-11-17 15:21:39.121 -08:00
subject,gww,audconf,staff,audconf,staff,101438,1373655831,14820 202240 lethe
return,success,0
header,224,2,execve(2) with pfexec enabled,,holger,2011-11-17 15:21:48.028 -08:00
path,/usr/sbin/auditconfig
attribute,100555,root,bin,65538,2145907,18446744073709551615
path,/
privilege,Inheritable,sys_audit
privilege,Limit,ALL
exec_args,3,auditconfig,-setpolicy,+zonename
subject,gww,audconf,staff,audconf,staff,101440,1373655831,14820 202240 lethe
return,success,0

header,154,2,read restricted access property value,,holger,2011-11-17 15:21:48.032 -08:00
subject,gww,audconf,staff,audconf,staff,101440,1373655831,14820 202240 lethe
use of authorization,solaris.smf.value.audit
fmri,svc:/system/auditd:default/:properties/policy/zonename
return,success,0

header,166,2,change service instance property,,holger,2011-11-17 15:21:48.087 -08:00
subject,gww,audconf,staff,audconf,staff,101440,1373655831,14820 202240 lethe
use of authorization,solaris.smf.value.audit
fmri,svc:/system/auditd:default/:properties/policy/zonename
text,b
text,"1"
return,success,0
header,127,2,auditon(2) - set audit policy flags,sp,holger,2011-11-17 15:21:48.088 -08:00
argument,3,0x801,setpolicy
subject,gww,audconf,staff,audconf,staff,101440,1373655831,14820 202240 lethe
use of privilege,successful use of priv,sys_audit
return,success,0
zone,global
header,79,2,role logout,,holger,2011-11-17 15:21:52.022 -08:00
subject,gww,audconf,staff,audconf,staff,101438,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,role login,,holger,2011-11-17 15:22:05.047 -08:00
subject,gww,audrev,staff,audrev,staff,101441,1373655831,14820 202240 lethe
return,success,0
zone,global

header,209,2,execve(2) with pfexec enabled,,holger,2011-11-17 15:22:29.569 -08:00
path,/usr/sbin/praudit
attribute,100555,root,bin,65538,33701,18446744073709551615
path,/
privilege,Inheritable,file_dac_read
privilege,Limit,ALL
exec_args,1,praudit
subject,gww,audrev,staff,audrev,staff,101444,1373655831,14820 202240 lethe
return,success,0
zone,global
header,218,2,execve(2) with pfexec enabled,,holger,2011-11-17 15:22:29.569 -08:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,2145926,18446744073709551615
path,/
process,gww,audrev,staff,audrev,staff,101443,1373655831,14820 202240 lethe
exec_args,3,auditreduce,-c,lo
subject,gww,root,staff,audrev,staff,101443,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,role logout,,holger,2011-11-17 15:22:32.197 -08:00
subject,gww,audrev,staff,audrev,staff,101441,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,role login,,holger,2011-11-17 15:22:43.088 -08:00
subject,gww,audctl,staff,audctl,staff,101445,1373655831,14820 202240 lethe
return,success,0
zone,global
file,2011-11-17 15:22:47.770 -08:00,/var/audit/20111117232247.not_terminated.holger
file,2011-11-17 15:22:47.796 -08:00,/var/audit/20111117232005.20111117232247.holger
header,215,2,execve(2) with pfexec enabled,,holger,2011-11-17 15:22:47.768 -08:00
path,/usr/sbin/audit
attribute,100555,root,bin,65538,2145906,18446744073709551615
path,/
privilege,Inheritable,proc_owner,sys_audit
privilege,Limit,ALL
exec_args,2,audit,-n
subject,gww,audctl,staff,audctl,staff,101447,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,role logout,,holger,2011-11-17 15:22:49.132 -08:00
subject,gww,audctl,staff,audctl,staff,101445,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,role login,,holger,2011-11-17 15:23:44.710 -08:00
subject,gww,audrev,staff,audrev,staff,101448,1373655831,14820 202240 lethe
return,success,0
zone,global
header,305,2,execve(2) with pfexec enabled,,holger,2011-11-17 15:24:04.847 -08:00
path,/usr/sbin/praudit
attribute,100555,root,bin,65538,33701,18446744073709551615
path,/
privilege,Inheritable,file_dac_read
privilege,Limit,ALL
exec_args,3,praudit,/var/audit/20111117232005.20111117232247.holger,/var/audit/20111117232247.not_terminated.holger
subject,gww,audrev,staff,audrev,staff,101450,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,role logout,,holger,2011-11-17 15:24:06.787 -08:00
subject,gww,audrev,staff,audrev,staff,101448,1373655831,14820 202240 lethe
return,success,0
zone,global
header,79,2,logout,,holger,2011-11-17 15:24:08.432 -08:00
subject,gww,gww,staff,gww,staff,101430,1373655831,14820 202240 lethe
return,success,0
zone,global

Listing 2

Appendix C. Selected auditrecord(1M) -c lo Output

/usr/lib/ssh/sshd

  program     /usr/lib/ssh/sshd    See login - ssh
  event ID    6172                 AUE_ssh
  class       lo                   (0x00001000)
      header
      subject
      return

login: logout
  program     various              See login(1)
  event ID    6153                 AUE_logout
  class       lo                   (0x00001000)
      header
      subject
      return

su
  program     /usr/bin/su	   See su(1M)
  event ID    6173                 AUE_role_login
  class       lo                   (0x00001000)
      header
      subject
      return

su
  program     /usr/bin/su          See su(1M)
  event ID    6229                 AUE_role_logout
  class       lo                   (0x00001000)
      header
      subject
      return

Listing 3

Appendix D. auditrecord(1M) -e AUE_PFEXEC Output

pfexec               See execve(2) with pfexec enabled

  event ID    116                  AUE_PFEXEC
  class       ps,ex,ua,as          (0x0000000080160000)
      header
      path                         pathname of the executable
      path                         pathname of working directory
      [privilege]                  privileges if the limit or inheritable set
                                   are changed
      [privilege]                  privileges if the limit or inheritable set
                                   are changed
      [process]                    process if ruid, euid, rgid or egid is
                                   changed
      exec_arguments
      [exec_environment]           output if arge policy is set
      subject
      [use_of_privilege]
      return

Listing 4

Appendix E. Selected audit.log(4) Token Definitions

The expanded header token consists of items shown in Table 1.

Table 1
Item Length
Token ID 1 byte
Record byte count 4 bytes
Version # 1 byte [2]
Event type 2 bytes
Event modifier 2 bytes
Address type/length 4 bytes
Machine address 4 bytes/16 bytes (IPv4/IPv6 address)
Seconds of time 4 bytes/8 bytes (32/64-bits)
Nanoseconds of time 4 bytes/8 bytes (32/64-bits)

The expanded subject token consists of the items shown in Table 2.

Table 2
Item Length
Token ID 1 byte
Audit ID 4 bytes
Effective user ID 4 bytes
Effective group ID 4 bytes
Real user ID 4 bytes
Real group ID 4 bytes
Process ID 4 bytes
Session ID 4 bytes
Terminal ID:
Port ID 4 bytes/8 bytes (32-bit/64-bit value)
Address type/length 4 bytes
Machine address 16 bytes (IPv6 address)

The return token consists of the items shown in Table 3.

Table 3
Item Length
Token ID 1 byte
Error number 1 byte
Return value 4 bytes/8 bytes (32-bit/64-bit value)

About the Author

Gary Winiger is a Security Architect and Software Engineer in the Oracle Solaris organization. He is the primary architect for the auditing subsystem of Oracle Solaris and has contributed to Oracle Solaris for over 25 years.

Revision 1.0, 05/06/2013