Tuesday, November 04, 2008

Solaris - Basic Security Module, Default Setting

In Solaris, the default setting for the Basic Security Module (a.k.a. C2 level auditing) is turned off. To turn it on, you need to run /etc/security/bsmconv followed by a reboot. The default auditing is controlled by a few files, namely
  • /etc/security/audit_startup, which sets the policy
    #! /bin/sh
    #
    # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
    # Use is subject to license terms.
    #
    # ident "@(#)audit_startup.txt  1.1     04/06/04 SMI"
    
    /usr/bin/echo "Starting BSM services."
    /usr/sbin/auditconfig -setpolicy +cnt
    /usr/sbin/auditconfig -conf
    /usr/sbin/auditconfig -aconf
    
    The auditconfig options used above, as described in its man page:
         -aconf
             Set   the   non-attributable   audit   mask   from   the
             audit_control(4) file.
         -conf
             Configure kernel audit event to class mappings.  Runtime
             class  mappings  are changed to match those in the audit
             event to class database file.
         -setpolicy
             cnt      Do not suspend processes when  audit  resources
                      are  exhausted. Instead, drop audit records and
                      keep a count of the number of records  dropped.
                      By  default,  process are suspended until audit
                      resources become available.
    
  • /etc/security/audit_user - level of logging per user
    #
    # Copyright (c) 1988 by Sun Microsystems, Inc.
    #
    # ident "@(#)audit_user.txt     1.6     00/07/17 SMI"
    #
    #
    # User Level Audit User File
    #
    # File Format
    #
    #       username:always:never
    #
    root:lo:no
    
  • /etc/security/audit_control
    #
    # Copyright (c) 1988 by Sun Microsystems, Inc.
    #
    # ident "@(#)audit_control.txt  1.4     00/07/17 SMI"
    #
    dir:/var/audit
    flags:
    minfree:20
    naflags:lo
    

In the above, the default is to always audit the login/logout (lo) of root and never audit the "invalid class" (no). Here are the audit classes, tabulated from /etc/security/audit_class:

Class  Description                                      Default
no     invalid class
fr     file read
fw     file write
fa     file attribute access
fm     file attribute modify
fc     file create
fd     file delete
cl     file close
nt     network
ip     ipc
na     non-attribute
lo     login or logout                                  root
ap     application
ss     change system state
as     system-wide administration
ua     user administration
am     administrative (meta-class)
aa     audit utilization
ad     old administrative (meta-class)
ps     process start/stop
pm     process modify
pc     process (meta-class)
xp     X - privileged/administrative operations
xc     X - object create/destroy
xs     X - operations that always silently fail, if bad
xx     X - all X events (meta-class)
io     ioctl
ex     exec
ot     other
all    all classes (meta-class)

In my previous blog, I mentioned how I configured BSM to keep track of user commands (with arguments) executed in a login session.

For the events that make up a specific class, you need to refer to the /etc/security/audit_event file. For example, the login/logout ("lo") class consists of the following events; basically it covers all kinds of login and logout:

# egrep ':lo$' /etc/security/audit_event
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
6158:AUE_rshd:rsh access:lo
6159:AUE_su:su:lo
6162:AUE_rexecd:rexecd:lo
6163:AUE_passwd:passwd:lo
6164:AUE_rexd:rexd:lo
6165:AUE_ftpd:ftp access:lo
6171:AUE_ftpd_logout:ftp logout:lo
6172:AUE_ssh:login - ssh:lo
6173:AUE_role_login:role login:lo
6212:AUE_newgrp_login:newgrp login:lo
6213:AUE_admin_authenticate:admin login:lo
6221:AUE_screenlock:screenlock - lock:lo
6222:AUE_screenunlock:screenlock - unlock:lo
6227:AUE_zlogin:login - zlogin:lo
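To tie the three files together, here is an added example (not from the original post) that resolves which audit_event entries BSM would record for a given user, applying the audit_user(4) rule that a user's effective classes are the system-wide flags plus the user's "always" list minus the "never" list. The file contents are constructed from the defaults shown above plus one extra execve line; the +/-/^ success-or-failure prefixes on flag names are an assumption left out of the model.

```python
# Added example: combine audit_control "flags", audit_user "always"/"never"
# and the audit_event class mapping to list the events recorded for a user.
# Rule from audit_user(4): effective = (system flags | always) - never.
# The +/-/^ success-or-failure prefixes on flag names are not modelled.

AUDIT_CONTROL = "dir:/var/audit\nflags:\nminfree:20\nnaflags:lo\n"
AUDIT_USER = "# username:always:never\nroot:lo:no\n"
# Constructed subset of /etc/security/audit_event (number:name:description:classes)
AUDIT_EVENT = """\
6152:AUE_login:login - local:lo
6159:AUE_su:su:lo
6172:AUE_ssh:login - ssh:lo
23:AUE_EXECVE:execve(2):ps,ex
"""


def parse_classes(field):
    """Split a comma-separated class list such as 'ps,ex' into a set."""
    return {c.strip() for c in field.split(",") if c.strip()}


def config_lines(text):
    """Yield the non-blank, non-comment lines of a colon-separated audit file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_audit_control(text):
    """Map each 'key:value' line of audit_control to a dict entry."""
    return dict(line.partition(":")[::2] for line in config_lines(text))


def parse_audit_user(text):
    """Map username -> (always classes, never classes) from audit_user."""
    users = {}
    for line in config_lines(text):
        name, always, never = line.split(":")
        users[name] = (parse_classes(always), parse_classes(never))
    return users


def effective_classes(user, control_text, user_text):
    """Classes audited for `user`: (system flags | always) - never."""
    system = parse_classes(parse_audit_control(control_text).get("flags", ""))
    always, never = parse_audit_user(user_text).get(user, (set(), set()))
    return (system | always) - never


def events_for_user(user, control_text, user_text, event_text):
    """Return (number, name) of every audit_event entry in the user's classes."""
    classes = effective_classes(user, control_text, user_text)
    hits = []
    for line in config_lines(event_text):
        number, name, rest = line.split(":", 2)       # description may hold ':'
        event_classes = parse_classes(rest.rpartition(":")[2])
        if "all" in classes or event_classes & classes:
            hits.append((int(number), name))
    return hits
```

With the defaults, only root's login/logout events are selected; widening audit_control to "flags:lo,ex" makes every user's execve auditable as well.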
