Wednesday, May 6, 2015

Configuring Audit on Solaris


  • Display the preselection classes for attributable events

root@s11:/var/audit# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)


  • Display the preselection classes for non-attributable events

root@s11:/etc/security# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)


  • Display the audit policy

root@s11:/etc/security# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt


  • Display plugin information

root@s11:/etc/security# auditconfig -getplugin
Plugin: audit_binfile (active)        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_syslog (inactive)        Attributes: p_flags=
Plugin: audit_remote (inactive)        Attributes: p_hosts=;p_retries=3;p_timeout=5


  • Display the audit queue controls

root@s11:/etc/security# auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
root@s11:/etc/security#


  • Display per-user audit settings
root@s11:/etc/security# who
root       pts/1         5月  5日 18:15  (172.16.37.211)
mds        pts/2         5月  5日 18:49  (172.16.37.211)
root@s11:/etc/security# userattr audit_flags root
lo:no
root@s11:/etc/security# userattr audit_flags mds
root@s11:/etc/security#


  • Verify that auditing is running


root@s11:/var/audit# auditconfig -getcond
audit condition = auditing

root@s11:/var/audit# audit -v
configuration ok

Definitions of the audit flags


Short Name   Long Name        Short Description
no           no_class         Null value for turning off event preselection
fr           file_read        Read of data, open for reading
fw           file_write       Write of data, open for writing
fa           file_attr_acc    Access of object attributes: stat, pathconf
fm           file_attr_mod    Change of object attributes: chown, flock
fc           file_creation    Creation of object
fd           file_deletion    Deletion of object
cl           file_close       close system call
pc           process          Process operations: fork, exec, exit
nt           network          Network events: bind, connect, accept
ip           ipc              System V IPC operations
na           non_attrib       Nonattributable events
ad           administrative   Administrative actions
lo           login_logout     Login and logout events
ap           application      Application-defined event
io           ioctl            ioctl system call
ex           exec             Program execution
ot           other            Miscellaneous
all          all              All flags set

Solaris 11 also defines new audit classes; the ft audit class contains the file transfer audit events.

Recommended settings:
To enforce these settings, use the following commands:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s

# rolemod -K audit_flags=lo,ad,ft,ex:no root

PS. To keep the audit log from growing so large that it becomes hard to read, schedule a cron job that closes the current audit log every hour and opens a new audit log file:

# EDITOR=ed crontab -e root << END_CRON
a
0 * * * * /usr/sbin/audit -n
.
w
q
END_CRON

# chown root:root /var/audit
# chmod 750 /var/audit
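As an added example (not from the original post or from Oracle's documentation), a POSIX shell check that compares auditconfig output against the recommended settings above; the `*_LINE` sample output is constructed, and on a live host it would come from the `auditconfig -getflags`, `-getnaflags`, `-getpolicy` and `-getcond` commands shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): check a Solaris 11 audit
# configuration against the recommended settings above. The *_LINE values
# are constructed to look like auditconfig output so the check runs offline.

# Extract the class/policy list from a line such as
# "configured user default audit flags = lo,ad(0x...,0x...)" (masks dropped).
classes_in() {
    printf '%s\n' "$1" | sed -e 's/^.*= *//' -e 's/(.*$//'
}

# Print the comma-separated members of $1 (required) absent from $2 (actual).
missing_items() {
    required=$1; actual=$2; missing=""
    for item in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$actual," in
            *",$item,"*) ;;
            *) missing="${missing:+$missing,}$item" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Report one setting; return 1 if any required value is missing.
check_setting() {
    name=$1; required=$2; line=$3
    got=$(classes_in "$line")
    miss=$(missing_items "$required" "$got")
    if [ -n "$miss" ]; then
        echo "FAIL $name: missing $miss (got: $got)"
        return 1
    fi
    echo "OK   $name: $got"
}

# Constructed sample output: user flags lack ft,ex and policy lacks zonename.
FLAGS_LINE='configured user default audit flags = lo,ad(0x48001000,0x48001000)'
NAFLAGS_LINE='configured non-attributable audit flags = lo(0x1000,0x1000)'
POLICY_LINE='configured audit policies = cnt,argv'
COND_LINE='audit condition = auditing'
audit_compliance() {
    rc=0
    check_setting "user flags" "lo,ad,ft,ex"       "$FLAGS_LINE"   || rc=1
    check_setting "naflags"    "lo"                "$NAFLAGS_LINE" || rc=1
    check_setting "policy"     "cnt,argv,zonename" "$POLICY_LINE"  || rc=1
    check_setting "condition"  "auditing"          "$COND_LINE"    || rc=1
    return $rc
}
if audit_compliance; then echo "audit configuration compliant"; else echo "audit configuration NOT compliant"; fi
```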

Viewing the audit log
# praudit xxxxxxx

Stopping and starting audit

root@s11:~# audit -t    (stop auditing)
root@s11:~# auditconfig -getcond
audit condition = noaudit
root@s11:~# audit -s    (start auditing)
root@s11:~# auditconfig -getcond
audit condition = auditing

Clean up the old not_terminated file.
# auditreduce -O system-name old-not-terminated-file
root@s11:/var/audit# auditreduce -O s11 20150505092159.not_terminated.s11.1

DEMO:

Create an account: johnny

Pull the audit log entries for the account johnny

References:
http://www.oracle.com/technetwork/articles/servers-storage-admin/sol-audit-quick-start-1942928.html#Custom

