
How to Configure Audit Logs in Oracle Solaris 11.4


In this tutorial I will show you how to configure auditing so that it generates audit logs. The tutorial is mainly about letting the system administrator monitor administrative tasks performed by users. To ensure security, most companies use audit logs for various purposes. Audit configuration involves many tasks; here, whenever a user is added to or deleted from the Unix/Solaris machine, the audit service records it in an audit file. A script converts that file into a human-readable log file (.log), and cron runs the script once a day to convert the file and store the log in the log directory.

Visit my other post Local IPS Server Configuration in Solaris 11.3 with NFS Share.

Step 1: Check the current flags:
# auditconfig -getflags
configured user default audit flags = fw,lo,ps(0x101002,0x101002)
active user default audit flags = fw,lo,ps(0x101002,0x101002)

Step 2: Set the flag for user add/delete log:
# auditconfig -setflags lo,ua
user default audit flags = lo,ua(0x41000,0x41000)

Step 3: Check the current flags:
# auditconfig -getflags
configured user default audit flags = lo,ua(0x41000,0x41000)
active user default audit flags = lo,ua(0x41000,0x41000)

Step 4: Enable the audit log:
# audit -s

Step 5: Reboot the system [required]:
# init 6
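To verify the result of Steps 1 to 5, here is an added shell check, not part of the original post: it parses the text that auditconfig -getflags prints, confirms the classes needed for this tutorial (lo and ua) are in the active set, and reports when the configured and active sets differ. It runs here on a constructed copy of the output shown above; on a Solaris host you would pass it "$(auditconfig -getflags)". The function names are my own.

```shell
#!/bin/bash
# Constructed sample, modeled on the auditconfig -getflags output in this post
GETFLAGS_OUTPUT='configured user default audit flags = lo,ua(0x41000,0x41000)
active user default audit flags = lo,ua(0x41000,0x41000)'

# flags_for <configured|active>: read getflags text on stdin and print the
# class list, i.e. the text between "= " and the opening parenthesis
flags_for() {
  sed -n "s/^$1 user default audit flags = \([^(]*\)(.*/\1/p"
}

# check_audit_flags <getflags text> <required classes, comma separated>
# Prints one status line; returns 0 when every required class is active
# and the configured and active sets agree, 1 otherwise.
check_audit_flags() {
  local text="$1" required="$2" configured active cls
  configured=$(printf '%s\n' "$text" | flags_for configured)
  active=$(printf '%s\n' "$text" | flags_for active)
  if [ "$configured" != "$active" ]; then
    echo "MISMATCH: configured=$configured active=$active (run audit -s or reboot)"
    return 1
  fi
  for cls in $(printf '%s' "$required" | tr ',' ' '); do
    case ",$active," in
      *",$cls,"*) ;;   # class present in the active set
      *) echo "MISSING: class $cls not in active flags ($active)"; return 1 ;;
    esac
  done
  echo "OK: active flags $active include $required"
  return 0
}

# On a Solaris host: check_audit_flags "$(auditconfig -getflags)" lo,ua
check_audit_flags "$GETFLAGS_OUTPUT" lo,ua
```

The check is strict on purpose: a class that is only in the configured set, or a configured/active mismatch, means new logins may not be audited the way you expect, which is exactly what the reboot in Step 5 is there to avoid.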

Step 6: Log in to the system

Step 7: Add or delete a user:
# useradd oracle
# passwd oracle
New Password:
Re-enter new Password:
passwd: password successfully changed for oracle

Step 8: Check the log from the system:
# auditreduce -c ua | praudit
file,2021-05-06 06:15:53.000+00:00,
header,214,2,add new user login to the system,,solaris,2021-05-06 06:15:59.595+00:00
subject,root,root,root,root,root,1154,3160793843,188 1 192.168.10.12
text,repository = files
user,103,oracle
group,10,staff
text,gecos =
text,homedir = /export/home/oracle
text,shell = /usr/bin/bash
return,success,0

header,135,2,passwd,,solaris,2021-05-06 06:16:12.683+00:00
subject,root,root,sys,root,root,1155,3160793843,188 1 192.168.10.12
user,103,oracle
use of authorization,solaris.passwd.assign
return,success,0
file,2021-05-06 06:16:12.000+00:00,

Step 9: Done!!!

With the steps above, the primary configuration is complete. If you wish to configure more, follow the steps below.

Step 10: Check the audit file:
# cd /var/audit/
# ls -lrt
-rw-r----- 1 root root 1358 May 6 06:16 20210506061518.not_terminated.solaris

Step 11: Generate audit log file:
# audit -n

Step 12: Check that the new file has been generated:
# ls -lrt
-rw-r----- 1 root root 1426 May 6 06:20 20210506061518.20210506062012.solaris
-rw-r----- 1 root root 124 May 6 06:20 20210506062012.not_terminated.solaris

Step 13: Check log from the file:
# auditreduce -c ua 20210506061518.20210506062012.solaris | praudit -l
file,2021-05-06 06:15:53.000+00:00,
header,214,2,add new user login to the system,,solaris,2021-05-06 06:15:59.595+00:00,subject,root,root,root,root,root,1154,3160793843,188 1 192.168.10.12,text,repository = files,user,103,oracle,group,10,staff,text,gecos = ,text,homedir = /export/home/oracle,text,shell = /usr/bin/bash,return,success,0
header,135,2,passwd,,solaris,2021-05-06 06:16:12.683+00:00,subject,root,root,sys,root,root,1155,3160793843,188 1 192.168.10.12,user,103,oracle,use of authorization,solaris.passwd.assign,return,success,0
file,2021-05-06 06:16:12.000+00:00,

Step 14: Done!!!

If you want to configure more, follow the steps below.

Step 15: Create a script that converts the audit file into a log file:

# cat /etc/security/newauditlog.sh

    #!/bin/bash
    # newauditlog.sh - start a new audit file, convert the last closed one
    # to a human-readable log and expire old audit files
    AUDIT_EXPIRE=30
    AUDIT_DIR="/var/audit"
    LOG_DIR="/var/log"
    # Close the current audit file and open a new one
    /usr/sbin/audit -n
    cd "$AUDIT_DIR" || exit 1
    # Newest closed audit file (skip the still-open not_terminated file)
    lastFile=$(ls -tr | grep -v "not_terminated" | tail -1)
    if [ -z "$lastFile" ]; then
        echo "No closed audit file found in $AUDIT_DIR"
        exit 1
    fi
    echo "Beginning praudit of $lastFile"
    praudit -l "$lastFile" > "$LOG_DIR/$lastFile.log"
    echo "Done praudit, creating log file at: $LOG_DIR/$lastFile.log"
    # Remove closed audit files older than AUDIT_EXPIRE days
    /usr/bin/find "$AUDIT_DIR" -type f ! -name "*not_terminated*" -mtime +"$AUDIT_EXPIRE" -exec rm {} \; > /dev/null 2>&1
    # End script

Step 16: Give executable permission:
# chmod +x /etc/security/newauditlog.sh

Step 17: Run the script file:
# cd /etc/security/
# ./newauditlog.sh
Beginning praudit of 20210506102002.20210506102952.solaris
Done praudit, creating log file at: /var/log/20210506102002.20210506102952.solaris.log

Step 18: Check the log (.log) file:
# cd /var/log/
# ls -lrth
-rw-r--r-- 1 root root 1296 May 6 16:33 20210506102002.20210506102952.solaris.log

Step 19: View the human-readable log file:
# cat 20210506102002.20210506102952.solaris.log
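The .log file written by the script (like the praudit -l output in Step 13) holds one audit record per line as comma-separated tokens, which is readable but still noisy when you only want to know who changed which account. The following shell function is an added example, not from the original post: it uses awk to reduce each ua record to one line with the time, the audit user who acted, the host the session came from (the last element of the subject's terminal-id field), the event and the target account. It runs here over a constructed copy of the two records shown in Step 13; on the system you would pass it the .log file. Function and variable names are my own.

```shell
#!/bin/bash
# Constructed sample, modeled on the praudit -l output shown in Step 13
SAMPLE_LOG='file,2021-05-06 06:15:53.000+00:00,
header,214,2,add new user login to the system,,solaris,2021-05-06 06:15:59.595+00:00,subject,root,root,root,root,root,1154,3160793843,188 1 192.168.10.12,text,repository = files,user,103,oracle,group,10,staff,text,gecos = ,text,homedir = /export/home/oracle,text,shell = /usr/bin/bash,return,success,0
header,135,2,passwd,,solaris,2021-05-06 06:16:12.683+00:00,subject,root,root,sys,root,root,1155,3160793843,188 1 192.168.10.12,user,103,oracle,use of authorization,solaris.passwd.assign,return,success,0
file,2021-05-06 06:16:12.000+00:00,'

# summarize_ua_events [file...]: read praudit -l records (stdin or files) and
# print one summary line per header record; "file" marker lines are skipped.
summarize_ua_events() {
  awk -F',' '
    $1 == "header" {
      event = $4          # event description
      when  = $7          # record timestamp
      actor = ""; host = ""; target = ""; status = ""
      for (i = 8; i <= NF; i++) {
        if ($i == "subject") {
          actor = $(i + 1)                      # audit user id of the actor
          n = split($(i + 8), tid, " ")         # terminal id: dev, major, host
          host = tid[n]
        } else if ($i == "user") {
          target = $(i + 2)                     # uid is $(i+1), name is $(i+2)
        } else if ($i == "return") {
          status = $(i + 1)                     # success or failure
        }
      }
      printf "%s actor=%s from=%s event=\"%s\" target=%s result=%s\n",
             when, actor, host, event, target, status
    }' "$@"
}

# Example run on the constructed sample; on the system:
#   summarize_ua_events /var/log/20210506102002.20210506102952.solaris.log
printf '%s\n' "$SAMPLE_LOG" | summarize_ua_events
```

Because the actor is taken from the audit user id rather than the effective uid, the summary still names the original login even when the account was changed from a role or via su, which is the point of auditing administrative tasks; a result other than success is worth a look for the same reason.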

Step 20: Done!!!

Creating a cron job:

1. Type the following command to create a backup copy of your current cron file:
# crontab -l > cronfile

2. Type the following command to edit the cronfile:
# vi cronfile

3. Add the following information to your cronfile:
0 0 * * * /etc/security/newauditlog.sh

4. Save the change to the cronfile.

5. Type the following command to add the cronfile to crontab:
# crontab cronfile

If you have any question please comment in the comment box. I will reply as soon as possible. Thanks for visiting my site.
