{"id":262,"date":"2016-03-03T13:29:22","date_gmt":"2016-03-03T12:29:22","guid":{"rendered":"http:\/\/www.lambiek.eu\/blog\/?p=262"},"modified":"2016-03-03T13:39:19","modified_gmt":"2016-03-03T12:39:19","slug":"solaris-audit-specific-user","status":"publish","type":"post","link":"https:\/\/www.lambiek.eu\/blog\/tutorial\/solaris-audit-specific-user\/","title":{"rendered":"Solaris audit specific user"},"content":{"rendered":"

To audit all commands from a specific user you can issue:<\/p>\n

\r\nusermod -K audit_flags=ex,lo,ps testuser\r\n<\/pre>\n
To audit all commandline arguments you need to configure the audit service with an additional audit policy:<\/p>\n
\r\nauditconfig -setpolicy +argv\r\n<\/pre>\n
Now you can see every used command using:<\/p>\n
\r\npraudit -l \/var\/audit\/<audit-log>|grep testuser\r\n<\/pre>\n
It is also possible to set the audit_flags in a profile and assign the profile to a user:<\/p>\n
\r\nprofiles -p \"My Audited Users\"\r\nset desc=\"Very Restricted and Audited Users\"\r\nset defaultpriv=basic,!file_link_any,!proc_info,!proc_session\r\nset always_audit=ex,lo,ps\r\nset never_audit=na,no\r\nverify\r\ncommit\r\nexit\r\n\r\nusermod -P +\"My Audited Users\" testuser\r\n<\/pre>\n
Note<\/strong>: In the above profile are also some restricting privileges set to disallow the user from seeing other users processes, linking to unowned files and starting new sessions to the same host. The defaultpriv<\/code> entry is not necessary for the auditing part.<\/p>\n
To remove profile and\/or unset audit_flags for the user use:<\/p>\n
\r\nusermod -P -\"My Audited Users\" testuser\r\nusermod -K audit_flags= testuser\r\n<\/pre>\n
References:<\/p>\n
  • Audit classes (ex,lo,ps): \/etc\/security\/audit_class<\/code><\/li>\n
  • Audit policy (search for -setpolicy): man auditlog<\/code><\/li>\n
  • Oracle Solaris Security Guidelines (Securing Users): https:\/\/docs.oracle.com\/cd\/E23824_01\/html\/819-3195\/conf-sec-users-1.html#scrolltoc<\/a><\/li>\n
  • Oracle Solaris Security Guidelines (Configuring The Audit Service): https:\/\/docs.oracle.com\/cd\/E23824_01\/html\/821-1456\/audittask-44.html#audittask-15<\/a><\/li>\n","protected":false},"excerpt":{"rendered":"
    To audit all commands from a specific user you can issue: usermod -K audit_flags=ex,lo,ps testuser To audit all commandline arguments you need to configure the audit service with an additional audit policy: auditconfig -setpolicy +argv Now you can see every used command using: praudit -l \/var\/audit\/<audit-log>|grep testuser It is also possible to set the audit_flags … [Read more…]<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[13],"_links":{"self":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts\/262"}],"collection":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/comments?post=262"}],"version-history":[{"count":6,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts\/262\/revisions"}],"predecessor-version":[{"id":268,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts\/262\/revisions\/268"}],"wp:attachment":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/media?parent=262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/categories?post=262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/tags?post=262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}