LKSF: Audit Annotations
For several major releases now, Solaris has had a really extensive auditing subsystem. I wrote about it many years ago (11 years to be exact) in Less known Solaris features: Auditing. The audit system is excellent at telling you what has happened on your system. However, sometimes some context is missing: you don’t know why something happened. This is a point where a new feature of Solaris 11.4 is really useful. The new feature is called Audit Annotations.
Audit annotations are really simple to use. You can activate them for a user like this, after you have gained the necessary privileges to change the extended attributes of a user:
When you log into your system the next time, the system will ask for a password as usual. However, there will be another question right after it: the system asks for an annotation to the session.
This string will now be carried forward into every audit record created by actions in this session. So when you look into your audit log, you will not only see what happened from the entries themselves, you will also have some information about why an admin did it on the system. Of course, this only makes sense when you enter something sensible here. “fadsfsdfasd341243” obviously does not cut it as a good annotation. However, this is something you can’t enforce technically. You can only enforce that your users can’t skip the prompt by just pressing return. This enforcement is the default; if you want to allow the user to skip it, use
In case you want to make session annotations the default for everybody, you have to edit /etc/security/policy.conf and add ANNOTATION=optional to it. In the file delivered with 11.4 it’s already at the end, just set to no and disabled by the #-sign.
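As an added example (not code from the original post), a small POSIX shell helper that makes this policy.conf change idempotently: it replaces the shipped, commented-out line (assumed to read #ANNOTATION=no, as described above) or an existing ANNOTATION line, and appends one if none exists. The file path is a parameter so you can try it on a copy first; the check function shows which value is actually in effect.

```shell
#!/bin/sh
# Hypothetical helper, not part of the original post or of Solaris itself.
# Assumes the delivered policy.conf ends with a line like "#ANNOTATION=no".

# set_annotation FILE VALUE: set ANNOTATION=VALUE in FILE. A commented-out
# or existing ANNOTATION line is rewritten in place; otherwise one is appended.
# VALUE is expected to be a plain word (no "/" or "&", which sed treats specially).
set_annotation() {
    file="$1"
    value="$2"
    if grep -q '^#*ANNOTATION=' "$file"; then
        tmp="$file.tmp.$$"
        # Rewrite via a temp file and copy back, so the original file keeps
        # its ownership and permissions (no reliance on non-portable sed -i).
        sed "s/^#*ANNOTATION=.*/ANNOTATION=$value/" "$file" > "$tmp" &&
            cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf 'ANNOTATION=%s\n' "$value" >> "$file"
    fi
}

# annotation_setting FILE: print the effective (uncommented) ANNOTATION value,
# or "unset" if the file has none.
annotation_setting() {
    val=$(grep '^ANNOTATION=' "$1" | tail -n 1 | cut -d= -f2)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# Demo on a constructed copy, never on the live /etc/security/policy.conf.
demo_file=$(mktemp)
printf '%s\n' '# constructed sample policy.conf' 'CRYPT_DEFAULT=6' '#ANNOTATION=no' > "$demo_file"
set_annotation "$demo_file" optional
annotation_setting "$demo_file"   # prints: optional
rm -f "$demo_file"
```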
Searching for annotations
Later you can search for all audit entries carrying an annotation with the
If you want to see only the records for a single annotation, this is easily done with
auditreduce as well