Configuring auditing for select files in Oracle Solaris 11.4
Besides finding performance problems on customer systems, one of my favorite topics is security. Thus I’m talking a lot with customer how to implement something in Solaris in relation to security. I supported quite a number of customer at implementing auditing. However there was always one problem I couldn’t really solve.
Auditing in Solaris can be activated by process, by user or by default for everything. However sometimes you want to know which users accessed a file. You can’t configure it just per process, because you would miss all the accesses by other processes, you can’t configure it just per user, because then you would miss the accesses by other users and most often you don’t want to know who accesses, but who accesses it and fails at it. When you configure it by default, you create a really large heap of data in your audit logs because all configured audit events of all users of all processes are put into the audit log. In order to find out, who had unsuccessfully tried to access
/etc/shadow this is a little bulky.
However in Solaris 11.4 you are now able to configure auditing on a per-file basis, thus allowing you to audit just the things you really want to see.
How to configure it
File-based auditing is configured via ACLs, so when you want to activate it for a file, you have to use
Okay, different shell with a normal user without read privileges. We will to access
/etc/shadow, which will fail.
Back on the root shell, we can now use
auditreduce to view the audit trail: