[ Previous | Next | Table of Contents | Index | Library Home |
Legal |
Search ]
System Management Guide: Operating System and Devices
The following is an overview of
the steps you must take to set up an auditing subsystem. Refer to the
configuration files noted in these steps for more specific information.
- Select system activities
(events) to audit from the list in the /etc/security/audit/events
file or edit the file to add a new event.
- Add an event to this file only if you have included code to log that
event in an application program (using the auditwrite or auditlog subroutine)
or in a kernel extension (using the audit_svcstart, audit_svcbcopy, and
audit_svcfinis kernel services).
- Ensure that formatting
instructions for any new audit events are included in the
/etc/security/audit/events file. These specifications enable
the auditpr command to write an audit trail
when it formats audit records.
- Group your selected audit
events into sets of similar items called audit classes. Define these
audit classes in the classes stanza of the
/etc/security/audit/config file.
- Assign the audit classes to
the individual users and assign audit events to the files (objects) that you
want to audit, as follows:
- To assign audit classes to an
individual user, add a line to the users stanza of the
/etc/security/audit/config file. You can also use the
chuser command (its auditclasses attribute) to assign audit classes to a user.
- To assign audit events to an
object (data or executable file), add a stanza for that file to the
/etc/security/audit/objects file.
- Configure the type of data
collection that you want, using BIN collection, STREAM collection, or both
methods:
- To configure BIN
collection:
- Edit the start stanza in the
/etc/security/audit/config file to enable BIN collection.
- Edit the binmode stanza in the
/etc/security/audit/config file to configure the bins and trail,
and specify the path of the file containing the binmode back-end processing
commands. The default file for back-end commands is the
/etc/security/audit/bincmds file.
- Include the shell commands
that process the audit bins in an audit pipe in the
/etc/security/audit/bincmds file.
- To configure STREAM
collection:
- Edit the start stanza in the
/etc/security/audit/config file to enable STREAM collection.
- Edit the streammode stanza in
the /etc/security/audit/config file to specify the path to the file
containing the streammode processing commands. The default file
containing this information is the /etc/security/audit/streamcmds
file.
- Include the shell commands
that process the stream records in an audit pipe in the
/etc/security/audit/streamcmds file.
- When you have finished
making the necessary changes to the configuration files, enable the audit
subsystem with the audit command (audit start).
The purpose of an audit is to
detect activities that might compromise the security of your system.
When performed by an unauthorized user, the following activities violate
system security and are candidates for an audit:
- Engaging in activities in the
Trusted Computing Base
- Authenticating users
- Accessing the system
- Changing the configuration of
the system
- Circumventing the auditing
system
- Initializing the system
- Installing programs
- Modifying accounts
- Transferring information into
or out of the system
To audit an activity, you must
identify the command or process that initiates the audit event and ensure that
the event is listed in the /etc/security/audit/events file for your
system. Then you must add the event either to an appropriate class in
the /etc/security/audit/config file, or to an object stanza in the
/etc/security/audit/objects file. See the
/etc/security/audit/events file on your system for the list of audit
events and trail formatting instructions. See the auditpr
command for a description of how audit event formats are written and
used.
Once you have selected the events to audit, combine similar events into sets
called audit classes. Classes, rather than individual events, are what you
assign to users, so grouping the events first keeps the users stanza short and
consistent. Define the audit classes in the classes stanza of the
/etc/security/audit/config file.
Some typical audit classes might be:
general
    Events that alter the state of the system or change user
    authentication, together with attempts to circumvent system access
    controls.
system
    Events that modify user and group accounts or install programs.
init
    Events generated by the init program and its immediate
    descendants, the login and cron programs.
An example of a stanza in the
/etc/security/audit/config file follows:
classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,
                  FILE_Link,FILE_Rename
        system = USER_Change,GROUP_Change,USER_Create,
                 GROUP_Create
        init = USER_Login,USER_Logout
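The setup steps above and the classes stanza example come down to keeping three files consistent: every event a class names must be defined in /etc/security/audit/events, every class a user is assigned must be defined in the classes stanza, and a collection mode switched on in the start stanza needs the stanza that configures it. The following Python script is an added example, not part of this guide or of AIX, that parses the stanza layout and reports those inconsistencies before you run audit start. The sample configuration and events excerpt are constructed for the example; the `bin:` and `stream:` stanza names and their attributes (trail, bin1, bin2, cmds) are assumed from a typical config file layout, and treating an indented line without `=` as a continuation of the previous value is an assumption that matches the wrapped classes example above. Check both assumptions against the files on your own system.

```python
# Constructed sample config: the classes stanza from the guide plus start, bin
# and users stanzas laid out as on a typical AIX system (assumed layout).
SAMPLE_CONFIG = """\
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        cmds = /etc/security/audit/bincmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,
                  FILE_Link,FILE_Rename
        system = USER_Change,GROUP_Change,USER_Create,
                 GROUP_Create
        init = USER_Login,USER_Logout

users:
        root = general,system
        alice = general,init,nosuchclass
"""

# Constructed excerpt of the events file; GROUP_Create is deliberately missing.
SAMPLE_EVENTS = """\
auditpr:
* lines starting with an asterisk are comments
        USER_SU = printf "%s"
        PASSWORD_Change = printf "%s"
        FILE_Unlink = printf "%s"
        FILE_Link = printf "%s"
        FILE_Rename = printf "%s"
        USER_Change = printf "%s"
        GROUP_Change = printf "%s"
        USER_Create = printf "%s"
        USER_Login = printf "%s"
        USER_Logout = printf "%s"
"""


def parse_stanzas(text):
    """Return {stanza: {attribute: value}}. An unindented 'name:' line opens a
    stanza; an indented line without '=' continues the previous value (assumed)."""
    stanzas, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue  # blank line or comment
        if not raw[0].isspace() and line.endswith(":"):
            current, last_key = line[:-1], None
            stanzas[current] = {}
        elif current is None:
            raise ValueError("attribute before any stanza header: %r" % line)
        elif "=" in line:
            key, _, value = line.partition("=")
            last_key = key.strip()
            stanzas[current][last_key] = value.strip()
        elif last_key is not None:
            stanzas[current][last_key] += line.strip()  # wrapped value
        else:
            raise ValueError("unparseable line: %r" % line)
    return stanzas


def split_list(value):
    """'a,b,' -> ['a', 'b']; tolerates the trailing comma of a wrapped line."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate(config_text, events_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    cfg = parse_stanzas(config_text)
    known_events = set(parse_stanzas(events_text).get("auditpr", {}))
    classes = {name: split_list(v) for name, v in cfg.get("classes", {}).items()}
    problems = []
    for cls, events in classes.items():
        for ev in events:
            if ev not in known_events:
                problems.append("class %s uses event %s, which is not in the events file" % (cls, ev))
    for user, value in cfg.get("users", {}).items():
        for cls in split_list(value):
            if cls not in classes:
                problems.append("user %s is assigned undefined class %s" % (user, cls))
    start = cfg.get("start", {})
    if start.get("binmode") == "on":
        for attr in ("trail", "bin1", "bin2", "cmds"):
            if attr not in cfg.get("bin", {}):
                problems.append("binmode is on but the bin stanza lacks %s" % attr)
    if start.get("streammode") == "on" and "cmds" not in cfg.get("stream", {}):
        problems.append("streammode is on but the stream stanza lacks cmds")
    if "on" not in (start.get("binmode"), start.get("streammode")):
        problems.append("neither binmode nor streammode is on; nothing will be collected")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE_CONFIG, SAMPLE_EVENTS):
        print(problem)
```

Against the constructed sample the script reports two problems: the system class names GROUP_Create, which the events excerpt does not define, and alice is assigned the class nosuchclass, which the classes stanza does not define. To run it against a real system, pass the contents of /etc/security/audit/config and /etc/security/audit/events to validate(); the script does not check the contents of the bincmds or streamcmds files, only that a configured stanza points at them.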
Your selection of a data
collection method depends on how you intend to use the audit data. If
you need long-term storage of a large amount of data, select bin
collection. If you want to process the data as it is collected, select
stream collection. If you need both long-term storage and immediate
processing, select both methods.
Bin collection
    Bin collection lets you store a large audit trail for a long time.
    Audit records are written to a file that serves as a temporary bin.
    After the file is filled, the data is processed by the auditbin
    daemon, and records are written to an audit trail file for storage.
Stream collection
    Stream collection lets you process audit data as it is collected.
    Audit records are written into a circular buffer within the kernel, and
    are retrieved by reading /dev/audit. The audit records can be
    displayed, printed to provide a paper audit trail, or converted into bin
    records by the auditcat command.