Auditing is a good way to keep a record of all the activities happening on your Solaris server. In this post we will see how to enable auditing for both the global zone and the local (non-global) zones, and how to store the records of all zones in a single audit trail kept in the global zone.
1) In the global zone create a new file system of 20GB and mount it.
mkdir /var/audit/gaudit
mount /dev/md/dsk/d100 /var/audit/gaudit
chmod -R 750 /var/audit/gaudit
2) Modify /etc/security/audit_control and set both flags and naflags to "lo,ex" (the login/logout and exec audit classes) as below.
vi audit_control
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit/gaudit
flags:lo,ex
minfree:20
naflags:lo,ex
3) Modify /etc/security/audit_startup and add the +argv and +zonename policy entries as shown below. +argv records the arguments of each exec event and +zonename adds a zone token to every record, so the audit records of all zones are written to the single trail in /var/audit/gaudit and can still be told apart by zone.
vi audit_startup
#! /bin/sh
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)audit_startup.txt 1.1 04/06/04 SMI"
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -setpolicy +zonename
#
4) Copy the audit_control file into /etc/security of each non-global zone, or loopback-mount it into each zone.
5) Once all the zones are configured, enable the audit service by running /etc/security/bsmconv. This requires a reboot of the system.
6) View the audit records in /var/audit/gaudit with:
auditreduce 20170709091522.not_terminated.solaris1 | praudit
7) To view the records of a specific zone, pass the zone name to auditreduce with -z:
root@solaris1 # auditreduce -z zone1 20170709091522.not_terminated.solaris1 | praudit
file,2017-07-09 16:26:00.000 +02:00,
zone,zone1
header,160,2,execve(2),,solaris1,2017-07-09 16:26:00.697 +02:00
path,/usr/sbin/ping
attribute,104555,root,bin,85,200509,0
exec_args,2,ping,127.0.0.1
subject,root,root,root,root,root,2164,2187,0 0 0.0.0.0
return,success,0
zone,zone1
file,2017-07-09 16:26:00.000 +02:00,
root@solaris1 #
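The praudit output above is one token per line, comma-separated, which makes it easy to summarise. The following is an added example, not part of the original post: a small shell function that reads praudit output on stdin and prints one line per exec event with its zone, path, arguments (from the +argv policy) and return status, optionally limited to one zone. The sample records embedded in it are constructed for the example; it assumes each record starts with a header token and carries a zone token (from the +zonename policy) somewhere before the next header.

```shell
#!/bin/sh
# Constructed sample of praudit output with two execve(2) records,
# one from zone1 and one from the global zone (not real trail data).
SAMPLE='header,160,2,execve(2),,solaris1,2017-07-09 16:26:00.697 +02:00
path,/usr/sbin/ping
attribute,104555,root,bin,85,200509,0
exec_args,2,ping,127.0.0.1
subject,root,root,root,root,root,2164,2187,0 0 0.0.0.0
return,success,0
zone,zone1
header,150,2,execve(2),,solaris1,2017-07-09 16:30:12.101 +02:00
path,/usr/bin/cat
attribute,100555,root,bin,85,200509,0
exec_args,2,cat,/etc/passwd
subject,root,root,root,root,root,2200,2201,0 0 0.0.0.0
return,failure: Permission denied,-1
zone,global'

# exec_by_zone [ZONE]
# Reads praudit output on stdin and prints "zone path args status" for
# every exec record; with a ZONE argument only that zone's records.
exec_by_zone() {
    awk -F, -v want="$1" '
        # Emit the record collected so far if it is an exec event in scope.
        function flush() {
            if (seen && ev ~ /^exec/ && (want == "" || zone == want))
                print zone, path, args, ret
        }
        $1 == "header"    { flush(); seen = 1; ev = $4
                            zone = "?"; path = ""; args = ""; ret = "" }
        $1 == "path"      { path = $2 }
        # exec_args,N,arg1,arg2,... : join the arguments with spaces
        $1 == "exec_args" { args = ""
                            for (i = 3; i <= NF; i++)
                                args = args (i > 3 ? " " : "") $i }
        $1 == "return"    { ret = $2 }
        $1 == "zone"      { zone = $2 }
        END               { flush() }
    '
}

# Stand-alone run over the constructed sample; on a real system feed it
# with: auditreduce <trail file> | praudit | exec_by_zone zone1
printf '%s\n' "$SAMPLE" | exec_by_zone
```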