Besides finding performance problems on customer systems, one of my favorite topics is security. Thus I'm talking a lot with customers about how to implement security-related things in Solaris. I supported quite a number of customers in implementing auditing. However, there was always one problem I couldn't really solve.

Auditing in Solaris can be activated per process, per user, or by default for everything. However, sometimes you want to know which users accessed a file. You can't configure it just per process, because you would miss all the accesses by other processes; you can't configure it just per user, because then you would miss the accesses by other users. And most often you don't want to know who accesses a file, but who tries to access it and fails. When you configure it by default, you create a really large heap of data in your audit logs, because all configured audit events of all users and all processes are put into the audit log. Finding out in that heap who had unsuccessfully tried to access /etc/shadow is a little bulky.

However, in Solaris 11.4 you are now able to configure auditing on a per-file basis, which lets you audit just the things you really want to see.

How to configure it

File-based auditing is configured via ACLs, so to activate it for a file you add an ACL entry of type audit with chmod. The following entry records failed read attempts on /etc/shadow by any user:
root@batou:~# chmod A+everyone@:read_data:failed_access:audit /etc/shadow
Okay, switch to a different shell with a normal user without read privileges. We will try to access /etc/shadow, which will fail.
jmoekamp@batou:~$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied
Back in the root shell, we can now use auditreduce to select the records for this file and praudit to view them:
root@batou:~# auditreduce -o file=/etc/shadow | praudit -s
file,2019-03-01 22:08:07.000+00:00,
header,159,2,AUE_OPEN_R,ace:fp:fe,batou,2019-03-01 22:08:07.032+00:00
subject,jmoekamp,jmoekamp,staff,jmoekamp,staff,1462,101741676,151 1 MBPvonc0t0d0s0
use of privilege,failed use of priv,file_dac_read
return,failure: Permission denied,-1
file,2019-03-01 22:08:07.000+00:00,
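The praudit -s output above is easy to post-process once you have it. The following is an added example, not code from the post or from Solaris: it groups the comma-separated tokens into records and reports the denied attempts, using the token layout visible in the sample output (header, subject, use of privilege, return) and the subject field order from the Solaris audit.log documentation.

```python
# Sample constructed from the output shown in the post: one failed open of
# /etc/shadow by jmoekamp, selected upstream with `auditreduce -o file=...`.
SAMPLE = """\
file,2019-03-01 22:08:07.000+00:00,
header,159,2,AUE_OPEN_R,ace:fp:fe,batou,2019-03-01 22:08:07.032+00:00
subject,jmoekamp,jmoekamp,staff,jmoekamp,staff,1462,101741676,151 1 MBPvonc0t0d0s0
use of privilege,failed use of priv,file_dac_read
return,failure: Permission denied,-1
file,2019-03-01 22:08:07.000+00:00,
"""


def parse_praudit(text):
    """Group `praudit -s` lines into records. A new record starts at each
    'header' token; 'file' tokens mark trail boundaries and are skipped."""
    records, current = [], None
    for line in text.splitlines():
        fields = line.split(",")
        token = fields[0]
        if token == "file":
            continue  # trail boundary, not part of a record
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
            current = {"event": fields[3], "host": fields[5], "time": fields[6]}
            records.append(current)
        elif current is None:
            continue  # token before any header: nothing to attach it to
        elif token == "subject":
            # subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<terminal-id>
            current["audit_id"], current["uid"], current["pid"] = fields[1], fields[2], fields[6]
        elif token == "use of privilege":
            current["priv_status"], current["privilege"] = fields[1], fields[2]
        elif token == "return":
            current["status"], current["retval"] = fields[1], fields[2]
    return records


def failed_accesses(text):
    """Return (audit_id, event, time, privilege) for every record whose return
    token reports failure, i.e. the denied attempts the failed_access ACL
    flag was set to capture."""
    return [
        (r.get("audit_id", "?"), r["event"], r["time"], r.get("privilege", ""))
        for r in parse_praudit(text)
        if r.get("status", "").startswith("failure")
    ]
```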
