[ Next Article |
Previous Article |
Book Contents |
Library Home |
Legal |
Search ]
System Management Guide: Operating System and Devices
Setting Up Auditing
Procedure
The following is an overview of the steps you must take to set up an auditing subsystem. Refer to the configuration files noted in these steps for more specific information.
- Select system activities (events) to audit from the list in the /etc/security/audit/events file or edit the file to add a new event.
- You can only add an event to this file if you have included code to log that event in an application program (using the auditwrite or auditlog subroutine) or in a kernel extension (using the audit_svcstart, audit_svcbcopy, and audit_svcfinis kernel services).
- Ensure that formatting instructions for any new audit events are included in the /etc/security/audit/events file. These specifications enable the auditpr command to write an audit trail when it formats audit records.
- Group your selected audit events into sets of similar items called audit classes. Define these audit classes in the classes stanza of the /etc/security/audit/config file.
- Assign the audit classes to the individual users and assign audit events to the files (objects) that you want to audit, as follows:
- To assign audit classes to an individual user, add a line to the users stanza of the /etc/security/audit/config file. You can use the chuser command to assign audit classes to a user.
- To assign audit events to an object (data or executable file), add a stanza for that file to the /etc/security/audit/objects file.
- Configure the type of data collection that you want, using BIN collection, STREAM collection, or both methods:
- To configure BIN collection:
- Edit the start stanza in the /etc/security/audit/config file to enable BIN collection.
- Edit the binmode stanza in the /etc/security/audit/config file to configure the bins and trail, and specify the path of the file containing the binmode back-end processing commands. The default file for back-end commands is the /etc/security/audit/bincmds file.
- Include the shell commands that will process the audit bins in an audit pipe in the /etc/security/audit/bincmds file.
- To configure STREAM collection:
- Edit the start stanza in the /etc/security/audit/config file to enable STREAM collection.
- Edit the streammode stanza in the /etc/security/audit/config file to specify the path to the file containing the streammode processing commands. The default file containing this information is the /etc/security/audit/streamcmds file.
- Include the shell commands that will process the stream records in an audit pipe in the /etc/security/audit/streamcmds file.
- When you have finished making any necessary changes to the configuration files, you are ready to enable the audit subsystem using the audit command.
Selecting Audit Events
The purpose of an audit is to detect activities that may compromise the security of your system. When performed by an unauthorized user, the following activities violate system security and are candidates for an audit:
- Engaging in activities in the Trusted Computing Base
- Authenticating users
- Accessing the system
- Changing the configuration of the system
- Circumventing the auditing system
- Initializing the system
- Installing programs
- Modifying accounts
- Transferring information into or out of the system
To audit an activity, you must identify the
command or process that initiates the audit event and ensure that the event is
listed in the /etc/security/audit/events file for your system. Then you
must add the event either to an appropriate class in the
/etc/security/audit/config file, or to an object stanza in the
/etc/security/audit/objects file. See the /etc/security/audit/events file on your system for the list of audit events and trail formatting
instructions. See the auditpr command for a description of how audit
event formats are written and used.
Once you have selected the events to audit, you need to combine similar events into audit classes, as described in the section on selecting audit classes. Audit classes are then assigned to users.
Selecting Audit Classes
You can facilitate the assignment of audit events to users by combining similar events into sets called audit classes. These audit classes are defined in the classes stanza of the /etc/security/audit/config file.
Some typical audit classes might be:
general |
General events alter the state of the system and change user authentication. You should audit attempts to circumvent system access controls. |
system |
Events in the system group modify user and group accounts and install programs. |
init |
Events in the init group are generated by the init program and its immediate descendants, the login and cron programs. |
An example of a stanza in the /etc/security/audit/config file follows:
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,
FILE_Link,FILE_Rename
system = USER_Change,GROUP_Change,USER_Create,
GROUP_Create
init = USER_Login,USER_Logout
Selecting an Audit Data Collection Method
Your selection of a data collection method depends on how you intend to use the audit data. If you need long-term storage of a large amount of data, you should select bin collection. If you want to process the data as it is collected, select stream collection. If you need both long-term storage and immediate processing, select both methods.
Bin collection |
Bin collection lets you store a large audit trail for a long time. Audit records are written to a file that serves as a temporary bin. After the file is filled, the data is processed by the auditbin daemon, and records are written to an audit trail file for storage. |
Stream collection |
Stream collection lets you process audit data as it is collected. Audit records are written into a circular buffer within the kernel, and are retrieved by reading /dev/audit. The audit records can be displayed, printed to provide a paper audit trail, or converted into bin records by the auditcat command. |
[ Next Article |
Previous Article |
Book Contents |
Library Home |
Legal |
Search ]