Saturday, May 21, 2016

Solaris 10 – Auditing & Accounting

Configuring the System Auditing
1.      Configuring BSM (Basic Security Module)
·         To enable (takes effect on reboot):
root# /etc/security/bsmconv

·         To disable (takes effect on reboot):
root# /etc/security/bsmunconv

·         Note: bsmconv also adds the following line to /etc/system to disable the STOP-A (L1-A) keyboard abort sequence, so that nobody at the console can drop the system to the OpenBoot prompt and bypass auditing:
set abort_enable = 0

2.      Verify BSM
root# modinfo | grep c2audit
34 600de000 c5ac 186 1 c2audit (C2 system call)

root# ps -ef | grep auditd
root 459 1 0 Jun 27 ? 0:13 /usr/sbin/auditd

3.      Configuring the /etc/security/audit_control file
   Edit /etc/security/audit_control as required. Each dir: entry names an audit directory; auditd uses them in the order listed and moves on to the next one when free space in the current one drops below minfree. Use dedicated, root-owned directories for this: the /export/home entry in the example below is only an illustration, and a user home filesystem is not a suitable place for the audit trail. Below is an example file:
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
#ident  @(#)audit_control.txt  1.3     97/06/20 SMI
#
dir:/var/audit
# Minimal Auditing:
#flags:lo,ad,na,-nt
#
# Normal Auditing:
flags:-fr,-fw,-fa,-fc,-ot,-cl,fd,fm,lo,pc,nt,ad,ap,na
#
# Flags that are not audited at all above:  io,ip,no,ex (ex is a
#       subset of pc, so it's already covered)
#
# Audit non-attributable events:
naflags:lo,ad,nt,na
#
# audit_warn activates if less than 10% available on partition
minfree:10
#dir:/u1/security/audit/myhost/files
dir:/etc/security/audit/localhost/files
#
# Second audit filesystem used when the first partition fills up
#dir:/u2/security/audit/myhost/files
dir:/export/home

4.      Add the following lines to /etc/security/audit_startup (a script auditd runs when auditing starts). The first caps each audit file at about 20 MB so that auditd rolls to a new file; the second records the argument vector in exec records, which is what lets you see what command a process actually ran:
auditconfig -setfsize 20480000
auditconfig -setpolicy +argv
   
5.      Stop and start auditing so that the new settings take effect:
root# cd /etc/init.d/
root# ./audit stop
root# ./audit start
   On Solaris 10 the daemon is also an SMF service, so svcadm restart auditd does the same thing.

6.      Check the changed parameters with:
root# auditconfig -getfsize
root# auditconfig -getpolicy


Audit classes (used in both the system-wide and the per-user policies)

Class   Name            Description
no      no_class        Null value for turning off event preselection
fr      file_read       Read of data, open for reading, and so forth
fw      file_write      Write of data, open for writing, and so forth
fa      file_attr_acc   Access of object attributes: stat, pathconf, and so forth
fm      file_attr_mod   Change of object attributes: chown, flock, and so forth
fc      file_creation   Creation of object
fd      file_deletion   Deletion of object
cl      file_close      close system call
pc      process         Process operations: fork, exec, exit, and so forth
nt      network         Network events: bind, connect, accept, and so forth
ip      ipc             System V IPC operations
na      non_attrib      Nonattributable events
ad      administrative  Administrative actions
lo      login_logout    Login and logout events
ap      application     Application-defined events
io      ioctl           ioctl system call
ex      exec            Program execution
ot      other           Miscellaneous
all     all             All flags set



System-wide Policy - Defined in /etc/security/audit_control
dir:/var/audit     ->  Logs to directory /var/audit
flags:lo,-all      ->  Enables auditing of all logins/logouts and of failed operations in every class
minfree:20         ->  audit_warn is run when free space on the audit file system falls below 20%
naflags:lo         ->  Classes audited for non-attributable events, such as a login attempt against an undefined UID

Per-User Policy - Defined in /etc/security/audit_user
Format            ->  username:always-audit-flags:never-audit-flags
Example:
oracle:-fc,-fw,-fr,fd,fm:no
        Audits the oracle user ID for failed file creates, failed file writes and failed file reads, plus file deletions and file attribute modifications (fd and fm carry no prefix, so both successful and failed operations are recorded). The never-audit field is the null class no. These always-audit flags are added to the system-wide flags from audit_control for that user.

BSM flag syntax, used in both /etc/security/audit_user and /etc/security/audit_control
·         + Successful operations only (+fr)
·         - Failed operations only (-fr)
·         no prefix: both successful and failed operations (fr)
·         ^ Except: turns off a class, or one half of it, that an earlier entry turned on (^-fr); entries are processed left to right

Example from /etc/security/audit_control
flags:-all,^-fr
        Log all failure types except failed file reads
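As an added example (not code from the original post), the following Python resolves the flag syntax above into the effective success and failure class sets, following the rules of audit_control(4) and audit_user(4): entries apply left to right, + and - select one outcome, ^ removes, and a user's mask is the system flags plus the always-audit flags minus the never-audit flags. The class names are the ones in the table above; the function names are this example's own.

```python
"""Resolve Solaris BSM preselection flags into (success, failure) class sets.

Added example, not code from the original post.  Flag syntax modelled here
(audit_control(4), audit_user(4)):
    fr     both successful and failed events of class fr
    +fr    successful events only
    -fr    failed events only
    ^fr    remove fr from the mask built so far (^+fr / ^-fr remove one half)
    all    every class;   no   the null class, contributes nothing
Entries are applied left to right, so a later entry overrides an earlier one.
The per-user mask is (system flags + always-audit flags) - never-audit flags.
"""

# Short class names from the audit class table (no/all are handled specially).
CLASSES = ("fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
           "na", "ad", "lo", "ap", "io", "ex", "ot")


def parse_flags(spec, success=(), failure=()):
    """Apply a comma-separated flag string on top of existing class sets.

    Returns (success_classes, failure_classes) as two new sets.  An unknown
    class name raises ValueError rather than being ignored, because a typo in
    audit_control means the activity you meant to audit is not audited.
    """
    success, failure = set(success), set(failure)
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        turn_off = token.startswith("^")
        if turn_off:
            token = token[1:]
        if token.startswith("+"):
            targets, cls = (success,), token[1:]
        elif token.startswith("-"):
            targets, cls = (failure,), token[1:]
        else:
            targets, cls = (success, failure), token
        if cls == "no":
            continue                      # null class: nothing to add or remove
        if cls == "all":
            names = set(CLASSES)
        elif cls in CLASSES:
            names = {cls}
        else:
            raise ValueError(f"unknown audit class: {cls!r}")
        for target in targets:
            if turn_off:
                target.difference_update(names)
            else:
                target.update(names)
    return success, failure


def effective_user_mask(system_flags, always_flags, never_flags):
    """Mask applied to one user's attributable events (audit_user(4) rules)."""
    success, failure = parse_flags(system_flags)
    success, failure = parse_flags(always_flags, success, failure)
    never_success, never_failure = parse_flags(never_flags)
    return success - never_success, failure - never_failure


def describe(mask):
    """Render a (success, failure) pair the way a reviewer would read it."""
    success, failure = mask
    return (f"both={sorted(success & failure)} "
            f"success-only={sorted(success - failure)} "
            f"failure-only={sorted(failure - success)}")


if __name__ == "__main__":
    # audit_control example from the text: every failure except failed reads
    print("flags:-all,^-fr ->", describe(parse_flags("-all,^-fr")))
    # audit_user example from the text, on top of the system-wide policy lo,-all
    print("oracle ->", describe(effective_user_mask("lo,-all",
                                                    "-fc,-fw,-fr,fd,fm", "no")))
```

Running it shows why the oracle line is broader than the prose suggests: fd and fm land in both sets, and the -all from the system policy already covers every failure the user's -fc,-fw,-fr asks for.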


Administering Audit Logs
1.      Verify Configuration
#  auditconfig -chkconf

2.      Audit File Management
        Naming convention: yyyymmddHHMMSS.yyyymmddHHMMSS.hostname (start time, stop time, both in GMT, and the hostname). The file auditd is currently writing to is named yyyymmddHHMMSS.not_terminated.hostname until it is closed.

3.      Audit management via cron
        Here is a script to checkpoint the trail and remove old audit files. It deletes only closed audit files and never the file auditd is still writing. Archive closed files off-host before they age out: the audit trail is the evidence you will need after an incident.
# vi /usr/local/bin/audit_cleanup
#!/bin/sh
audit_dir="/var/audit"
# checkpoint the trail: auditd closes the active file and opens a new one
/usr/sbin/audit -n
sync; sync
# remove closed audit files older than two weeks; skip the active
# *.not_terminated.* file and anything that is not a regular file
/usr/bin/find "$audit_dir" -type f -name '*.*.*' ! -name '*.not_terminated.*' \
    -mtime +14 -exec /usr/bin/rm -f {} \;

• Root crontab entry (weekly, Sunday at midnight):
0 0 * * 0 /usr/local/bin/audit_cleanup


Viewing the Audit file

Solaris command-line interfaces:
auditreduce - grep-like selection of records from the audit trail
   -c class    event class (short or long name)
   -u uid      audit user ID: the identity established at login, which is kept across su (-r selects by real user ID instead)
   -a date     records after this timestamp
   -b date     records before this timestamp (or +Nd, an offset from the -a date)
   -d date     records from this single day
   -e uid      effective user ID
   -g gid      real group ID
   -f gid      effective group ID
   -m event    a specific event name, such as AUE_CHDIR
   -O suffix   write the selected records to a binary audit file instead of standard output
praudit - convert binary audit records to ASCII (-l prints one record per line)

Example 1: This will print what user test1 did on January 27, 2004. The output will be displayed in a human-readable form to the standard output:
# auditreduce -d 20040127 -u test1 | praudit
Example 2: The above example may produce a large volume of data if test1 has been busy. Perhaps looking at only login and logout times would be simpler. The -c option will select records from a specified class:
#  auditreduce -d 20040127  -u test1 -c lo | praudit

Example 3: To see test1's login/logout activity for January 13, 14, and 15, the following is used. The results are saved to a binary audit file in the current working directory; its name carries the usual start/stop timestamps with test1lo as the suffix. Note that the long form of the class name is used for the -c option, and that -b +3d is an offset from the -a date:
# auditreduce -a 20040113 -b +3d -u test1 -c login_logout -O test1lo

Example 4: To follow test1's movement about the file system on January 13, 14, and 15, select the chdir records (event AUE_CHDIR) with -m. Note that to cover the same range as the previous example the -b time is the day after the range: 20040116 defaults to midnight at the start of that day, so the last records selected fall on January 15, the end of the range.
# auditreduce -a 20040113 -b 20040116 -u test1 -m AUE_CHDIR | praudit

Example 5: Here the login/logout records for January 30 are collected in summary form and written to a file in a directory outside the normal audit root. Keeping the summary out of the audit root matters because auditreduce reads every file under it by default, so the selected records would otherwise be seen twice:
# auditreduce -d 20040130 -c lo -O /etc/security/audit_summary/logins

Example 6: If activity for user ID 9944 has been observed but that user is not known to the system administrator, the following searches the entire audit trail for any records with that audit ID and writes them to a file (note the uppercase -O for the output file; lowercase -o selects records by object). auditreduce checks whether ID 9944 is currently valid on the system and prints a warning if it is not:
# auditreduce -O /etc/security/audit_suspect/user9944 -u 9944
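The following Python, added here and not part of the original post, shows the kind of analysis one runs over the text that auditreduce -c lo | praudit -l produces: one record per line, comma-separated fields, each token introduced by its type name (header, subject, text, return, trailer). It counts failed logins per audit user ID and flags accounts over a threshold. The field order per token is taken from praudit(1M); the sample records at the bottom are constructed for the example, and the failure text in them is illustrative, so check the layout against praudit on the target system before relying on it.

```python
"""Count failed logins per audit user ID from praudit -l output.

Added example, not code from the original post.  Assumed token layout for
'auditreduce -c lo | praudit -l' (field order per praudit(1M)):
    header   bytes, version, event, modifier, host, time         (6 fields)
    subject  audit-uid, uid, gid, ruid, rgid, pid, sid, terminal  (8 fields)
    text     message                                             (1 field)
    return   description, value                                  (2 fields)
    trailer  bytes                                               (1 field)
Token types not listed here are stepped past one field at a time.
"""
from collections import Counter

TOKEN_WIDTH = {"header": 6, "subject": 8, "text": 1, "return": 2, "trailer": 1}


def parse_record(line):
    """Parse one praudit -l line; fields absent from the record stay None."""
    fields = [f.strip() for f in line.rstrip("\n").split(",")]
    rec = {"event": None, "time": None, "host": None,
           "user": None, "text": None, "outcome": None}
    i = 0
    while i < len(fields):
        name = fields[i]
        width = TOKEN_WIDTH.get(name)
        if width is None:
            i += 1                      # token type we do not model: step past it
            continue
        body = fields[i + 1:i + 1 + width]
        i += 1 + width
        if name == "header" and len(body) == 6:
            rec["event"], rec["host"], rec["time"] = body[2], body[4], body[5]
        elif name == "subject" and len(body) == 8:
            rec["user"] = body[0]       # audit ID: login identity, kept across su
        elif name == "text" and body:
            rec["text"] = body[0]
        elif name == "return" and body:
            rec["outcome"] = "success" if body[0] == "success" else "failure"
    return rec


def is_failed_login(rec):
    """Login-class events (login - local, login - ssh, ...) that did not succeed."""
    return (bool(rec["event"]) and rec["event"].startswith("login")
            and rec["outcome"] == "failure")


def failed_logins(lines):
    """Failed login count per audit user ID over an iterable of praudit -l lines."""
    counts = Counter()
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            if is_failed_login(rec):
                counts[rec["user"]] += 1
    return counts


def suspicious_users(lines, threshold=3):
    """Users at or above the failure threshold, most failures first."""
    return [user for user, n in failed_logins(lines).most_common() if n >= threshold]


# Constructed sample trail (not real output): one successful local login, four
# failed logins for test1 (two local, two over ssh), one failed login for
# test2, and a failed su by test1 that must not be counted as a login.
SAMPLE_TRAIL = """\
header,73,2,login - local,,host1,2004-01-27 09:01:10.000 +00:00,subject,test1,test1,staff,test1,staff,1234,1234,0 0 host1,text,successful login,return,success,0,trailer,73
header,81,2,login - local,,host1,2004-01-27 09:05:41.000 +00:00,subject,test1,test1,staff,test1,staff,1240,1240,0 0 host1,text,invalid password,return,failure: Permission denied,-1,trailer,81
header,81,2,login - local,,host1,2004-01-27 09:05:55.000 +00:00,subject,test1,test1,staff,test1,staff,1241,1241,0 0 host1,text,invalid password,return,failure: Permission denied,-1,trailer,81
header,79,2,login - ssh,,host1,2004-01-27 09:06:12.000 +00:00,subject,test1,test1,staff,test1,staff,1250,1250,0 0 10.0.0.5,text,invalid password,return,failure: Permission denied,-1,trailer,79
header,79,2,login - ssh,,host1,2004-01-27 09:06:30.000 +00:00,subject,test1,test1,staff,test1,staff,1251,1251,0 0 10.0.0.5,text,invalid password,return,failure: Permission denied,-1,trailer,79
header,81,2,login - local,,host1,2004-01-27 09:10:02.000 +00:00,subject,test2,test2,staff,test2,staff,1260,1260,0 0 host1,text,invalid password,return,failure: Permission denied,-1,trailer,81
header,69,2,su,,host1,2004-01-27 09:12:00.000 +00:00,subject,test1,root,root,root,root,1270,1234,0 0 host1,text,bad password,return,failure: Permission denied,-1,trailer,69
"""

if __name__ == "__main__":
    for user, n in failed_logins(SAMPLE_TRAIL.splitlines()).most_common():
        print(f"{user}: {n} failed logins")
    print("flagged:", suspicious_users(SAMPLE_TRAIL.splitlines()))
```

The subject token's first field is the audit ID, not the effective UID, which is why the su record attributes to test1 even though its uid fields say root; that is the same identity auditreduce -u selects on.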



Configure System Accounting
This section contains some simple procedures for setting up and maintaining system accounting. The step-by-step instructions in this section are:

1.      How to Set Up System Accounting
2.      How to Fix a wtmpx File
3.      How to Fix tacct Errors
4.      How to Restart runacct
5.      How to Temporarily Stop System Accounting
6.      How to Permanently Disable System Accounting


Setting up System Accounting
You can set up system accounting to run while the system is in multiuser mode (run level 2 or 3). Generally, this involves:
1.      Creating /etc/rc0.d/K22acct and /etc/rc2.d/S22acct
2.      Modifying the adm and root crontab files (/var/spool/cron/crontabs/adm and /var/spool/cron/crontabs/root)

The following table describes the default accounting scripts.

Default Accounting Scripts

Accounting Script   Used for                                                 Runs
ckpacct(1M)         Checks the size of the /var/adm/pacct log file           Periodically (hourly, from cron)
runacct(1M)         Processes connect, disk, and fee accounting information  Daily
monacct(1M)         Generates fiscal reports                                 Once per fiscal period (monthly, from cron)

You can change these defaults. After the crontab entries have been added and the accounting packages installed, accounting runs automatically.


1.      How to Set Up System Accounting
1)      Become a superuser.

2)      If necessary, install the SUNWaccr and SUNWaccu packages on your system by using the pkgadd command.

3)      Install / link /etc/init.d/acct as the startup script for Run Level 2.
# ln  /etc/init.d/acct  /etc/rc2.d/S22acct

4)      Install / link /etc/init.d/acct as the stop script for Run Level 0.
# ln /etc/init.d/acct  /etc/rc0.d/K22acct
5)      Add the following lines to the adm crontab file to start the ckpacct, runacct, and monacct programs automatically (runacct must run as user adm; see the caution under "Restarting runacct").
# EDITOR=vi; export EDITOR
# crontab -e adm

0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

        Add the following line to the root crontab file to start the dodisk program automatically.
# crontab -e

30 22 * * 4 /usr/lib/acct/dodisk

6)      Edit /etc/acct/holidays to include national and local holidays.

7)      Reboot the system, or type:
# /etc/init.d/acct start


Examples—Setting Up Accounting
The following example shows the crontab entries that run /usr/lib/acct/ckpacct, /usr/lib/acct/runacct, and /usr/lib/acct/monacct as they appear in the adm crontab file, /var/spool/cron/crontabs/adm.
#ident "@(#)adm 1.5 92/07/14 SMI" /* SVr4.0 1.2 */
#
# The adm crontab file should contain startup of performance
# collection if the profiling and performance feature has been
# installed.
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

The dodisk entry goes into the root crontab file, /var/spool/cron/crontabs/root:
30 22 * * 4 /usr/lib/acct/dodisk

The following example shows a sample /etc/acct/holidays file.
* @(#)holidays January 1, 1999
*
* Prime/Nonprime Table for UNIX Accounting System
*
* Curr Prime Non-Prime
* Year Start Start
*
1999 0800 1800
*
* only the first column (month/day) is significant.
*
* month/day Company
* Holiday
*
1/1 New Years Day
7/4 Indep. Day
12/25 Christmas

Fixing Corrupted Files and wtmpx Errors
Unfortunately, the UNIX accounting system is not foolproof. Occasionally, a file will become corrupted or lost. Some of the files can simply be ignored or restored from backup. However, certain files must be fixed to maintain the integrity of the accounting system.
The wtmpx(4) files seem to cause the most problems in the day-to-day operation of the accounting system. When the date is changed and the system is in multiuser mode, a set of date change records is written into /var/adm/wtmpx. The wtmpfix(1M) utility is designed to adjust the time stamps in the wtmp records when a date change is encountered. However, some combinations of date changes and reboots will slip through wtmpfix and cause acctcon to fail.

2.     How to Fix a wtmpx File

1)      Become superuser

2)      Change to the /var/adm/acct/nite directory.

3)      Convert the binary file wtmp.MMDD into the ASCII file xwtmp (fwtmp reads standard input and writes standard output).
# fwtmp < wtmp.MMDD > xwtmp
MMDD is a pair of two-digit numbers representing the month and day.

4)      Edit xwtmp. Delete the corrupted records, or delete all records from the beginning up to the date change.

5)      Convert the ASCII file xwtmp back to binary, overwriting the corrupted file.
# fwtmp -ic < xwtmp > wtmp.MMDD

Fixing tacct Errors
The integrity of /var/adm/acct/sum/tacct is important if you are charging users for system resources. Occasionally, mysterious tacct records appear with negative numbers, duplicate user IDs, or a user ID of 65535. First, check /var/adm/acct/sum/tacctprev, using prtacct to print it. If the contents look all right, patch the latest /var/adm/acct/sum/tacct.MMDD file, then recreate the /var/adm/acct/sum/tacct file. The following steps outline a simple patch procedure.

3.     How to Fix tacct Errors

1)      Become superuser.

2)      Change to the /var/adm/acct/sum directory.

3)      Convert the contents of tacct.MMDD from binary to ASCII format (acctmerg reads standard input and writes standard output).
# acctmerg -v < tacct.MMDD > xtacct
MMDD is the month and day specified by two-digit numbers.

4)      Edit the xtacct file, removing bad records and writing duplicate records to another file.

5)      Convert the xtacct file from ASCII format back to binary.
# acctmerg -i < xtacct > tacct.MMDD

6)      Merge the files tacctprev and tacct.MMDD into the file tacct.
# acctmerg tacctprev < tacct.MMDD > tacct

Restarting runacct
The runacct program can fail for a variety of reasons, the most common being a system crash, /var running out of space, or a corrupted wtmpx file. If the active MMDD file exists, check it first for error messages. If the active and lock files exist, check fd2log for any mysterious messages.
Called without arguments, runacct assumes that this is the first invocation of the day. The argument MMDD is necessary if runacct is being restarted and specifies the month and day for which runacct will rerun the accounting. The entry point for processing is based on the contents of statefile. To override statefile, include the desired state on the command line.
Caution - When running the runacct program manually, be sure to run it as user adm.

4.     How to Restart runacct

1)      Remove the lastdate file and any lock files, if present.
# cd /var/adm/acct/nite
# rm lastdate lock*

2)      Restart the runacct program, as user adm (see the caution above).
# runacct MMDD [state] 2> /var/adm/acct/nite/fd2log &
MMDD - Month and day specified by two-digit numbers.
state - The state, or starting point, at which runacct processing should begin; it overrides the contents of statefile.


Stopping and Disabling System Accounting
You can temporarily stop system accounting or disable it permanently.

5.     How to Temporarily Stop System Accounting

1)      Become superuser.

2)      Edit the adm crontab file to stop the ckpacct, runacct, and monacct programs from running by commenting out the appropriate lines.

# EDITOR=vi; export EDITOR
# crontab -e adm

#0 * * * * /usr/lib/acct/ckpacct
#30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
#30 7 1 * * /usr/lib/acct/monacct

3)      Edit the crontab file for user root to stop the dodisk program from running by commenting out the appropriate line.

# crontab -e
#30 22 * * 4 /usr/lib/acct/dodisk

4)      Stop the accounting program.

# /etc/init.d/acct stop

To re-enable system accounting, remove the newly added comment symbols from the crontab files and restart the accounting program.

# /etc/init.d/acct start

6.     How to Permanently Disable System Accounting

1)      Become superuser.

2)      Edit the adm crontab file and delete the entries for the ckpacct, runacct and monacct programs.

# EDITOR=vi; export EDITOR
# crontab -e adm

3)      Edit the root crontab file and delete the entries for the dodisk program.
# crontab -e

4)      Remove the startup script for Run Level 2.
# unlink /etc/rc2.d/S22acct

5)      Remove the stop script for Run Level 0.
# unlink /etc/rc0.d/K22acct

6)      Stop the accounting program.
# /etc/init.d/acct stop