The Solaris Knowledge Pack expands the auditing and reporting capabilities of InTrust to Oracle (formerly, Sun) Solaris. The Knowledge Pack enables InTrust to work with Syslog, text logs, and the Solaris Audit log.
The following table shows what you can audit and monitor on Solaris:
|Data Source||Gathering||Real Time Monitoring|
|Text logs of any format||X|
|Configuration file modification||X||X|
|Solaris audit logs generated by Basic Security Module (BSM)||X|
For Solaris Syslog, there is an agent-free approach to gathering, which is not covered in this guide. It involves Syslog forwarding to an InTrust server. For details about this method, see Setting Up Gathering of Syslog Data.
The following Solaris versions are supported:
Oracle Solaris 11.1 standard installation: 32-bit and 64-bit (on SPARC v9 and AMD-64 architecture)
Important: On Solaris 11, InTrust requires the SUNWiconv-unicode package.
The Solaris Knowledge Pack must be installed on top of an existing InTrust installation. The following objects are included:
InTrust agents must be installed manually on Solaris hosts. For details, see Installing Agents Manually on Solaris Computers.
InTrust takes advantage of the following logging systems available on Solaris:
Syslog provides data for auditing and real-time monitoring activities. Basic Security Module data is used only for auditing.
This topic describes the configuration requirements that InTrust imposes on these systems.
Syslog is an important logging facility in Solaris. Syslog functionality is provided by the syslogd daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network.
The InTrust agent processes the message flow before it arrives at syslogd's input. However, the agent catches only the local messages; it does not catch messages redirected from other computers over the network. Therefore, do not rely on syslogd’s message redirection feature if you audit and monitor Syslog with InTrust. InTrust support for the Solaris Syslog depends on local messages.
It is up to you how you configure syslogd logging. This configuration does not affect the operation of the InTrust agent, which provides all the Syslog data that InTrust accepts.
Basic Security Module (BSM) in Solaris provides logging capability and stores system events in the Solaris Audit log. This section describes how to prepare BSM for InTrust operations.
To enable Basic Security Module Auditing
If BSM functionality is no longer required on a Solaris system, you can disable it using the bsmunconv command.
Note: When the bsmconv command is run, it disables the Stop-a keyboard sequence by adding set abort_enable = 0 to the /etc/system file. Disabling the ability of a user or administrator to stop a system through a keyboard Stop-a or equivalent command over a serial port may not be appropriate for all environments.
The following table describes the BSM configuration files. For detailed information about configuring BSM, visit http://www.oracle.com/technetwork/indexes/documentation/index.html.
An audit class is a group of audit events. All audit classes are defined in the /etc/security/audit_class file. All audit events are assigned to audit classes in the/etc/security/audit_event file. Audit classes are recorded in the audit trail if they are turned on globally in the audit_control file, or are assigned to a specific user in the audit_user database.
These audit classes are used by the audit_control, audit_user, and audit_event files, as well as in the audit mask.
The /etc/security/audit_control file describes system parameters for auditing. These parameters include the following:
It is possible to audit only failed audit events or only successful audit events. For example, you can specify that a successful attempt to allocate memory should not be recorded but that a failed attempt should be recorded. This can be specified in either the audit_control or audit_user files.
The /etc/security/audit_event file defines the audit events and assigns each event to one or more audit classes.
For additional information on the audit_event file, refer to the audit_event man page.
|audit_user||The /etc/security/audit_user file enables you to specify additional auditing for individual users. Access to this database follows the rules for the password database specified in /etc/nsswitch.conf.|
Note: The InTrust agent does not modify the contents of token fields it retrieves from the Solaris Audit log. However, information in these fields is not sufficient if you store Solaris Audit log data in a centralized way.
The agent complements this information by adding InTrust-specific fields to tokens. These fields are filled in by resolving the values of some fields for the current Solaris host.