4.5 Configure Solaris Auditing - audit_binfile p_minfree

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The Solaris auditing service keeps a record of how a system is being used. Solaris auditing
can be configured to record different classes of events based upon site policy. This
recommendation sets and verifies a consensus-developed auditing policy. That said, all
organizations are encouraged to tailor this policy based upon their specific needs. For more
information on the Solaris auditing service, including how to filter and view events, see the
Oracle Solaris product documentation.

The "cis" class is a custom class that CIS recommends creating; it contains specifically
those events that are of interest (defined in the sections above). In addition to those events,
this recommendation also audits login and logout (lo) events, administrative (ad) events,
file transfer (ft) events, and command execution (ex) events.

This recommendation also configures the Solaris auditing service to capture and report
command line arguments (for command execution events) and the zone name in which a
command was executed (for global and non-global zones). Further, this recommendation
sets a minimum free-space threshold (p_minfree) of 1% for the audit_binfile plugin. If free
space on the volume that includes /var/shares/audit falls below this threshold, a warning
e-mail is sent to advise the system administrators that audit events may be lost if the disk
becomes full. Finally, this recommendation also ensures that a new audit trail is created at
the start of each day (to help keep the files small and facilitate analysis).

Rationale:

The consensus settings described in this section are an effort to log interesting system
events without consuming excessive amounts of resources logging significant but usually
uninteresting system calls.

Solution

To enforce this setting, use the commands:

# auditconfig -conf

# auditconfig -setflags lo,ad,ft,ex,cis

# auditconfig -setnaflags lo

# auditconfig -setpolicy cnt,argv,zonename

# auditconfig -setplugin audit_binfile active p_minfree=1

# audit -s

# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root

# EDITOR=ed crontab -e root << END_CRON
$
a
0 0 * * * /usr/sbin/audit -n
.
w
q
END_CRON

# chown root:root /var/shares/audit

# chmod 750 /var/shares/audit
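As an added example (not part of the CIS benchmark or the Tenable audit itself), the following POSIX sh helper checks the p_minfree setting the way an auditor would: it parses the output of `auditconfig -getplugin audit_binfile` and fails unless the plugin is active and p_minfree is at least 1. The two-line output format ("Plugin: audit_binfile (active)" followed by an "Attributes:" line) is assumed from Solaris 11, and the sample outputs below are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example: verify the audit_binfile p_minfree recommendation.
# Assumed output format of `auditconfig -getplugin audit_binfile` (Solaris 11):
#   Plugin: audit_binfile (active)
#   Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

# Extract the numeric p_minfree value from the plugin output (empty if absent).
get_minfree() {
    printf '%s\n' "$1" | sed -n 's/.*p_minfree=\([0-9]*\).*/\1/p'
}

# Succeed only if the plugin line reports the plugin as active.
plugin_active() {
    printf '%s\n' "$1" | grep -q '^Plugin: audit_binfile (active)'
}

# Return 0 (PASS) when the plugin is active and p_minfree >= 1, else 1 (FAIL).
check_audit_binfile() {
    out="$1"
    plugin_active "$out" || { echo "FAIL: audit_binfile plugin is not active"; return 1; }
    minfree=$(get_minfree "$out")
    [ -n "$minfree" ] || { echo "FAIL: p_minfree is not set"; return 1; }
    [ "$minfree" -ge 1 ] || { echo "FAIL: p_minfree=$minfree is below 1"; return 1; }
    echo "PASS: p_minfree=$minfree"
    return 0
}

# Constructed sample outputs: one compliant, one with the threshold disabled.
SAMPLE_OK='Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;'
SAMPLE_BAD='Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;'

check_audit_binfile "$SAMPLE_OK"
check_audit_binfile "$SAMPLE_BAD"

# On a Solaris host, run against the live configuration instead:
# check_audit_binfile "$(auditconfig -getplugin audit_binfile)"
```

The live call is commented out so the script runs anywhere; on a Solaris host uncomment it and run as a user with the audit configuration rights.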

See Also

https://workbench.cisecurity.org/files/2582