(originally published on 13.03.2019, reviewed/rewritten on 18.04.2025, tested on Oracle Solaris 11.4 SRU 79)
 

Before Solaris 11.4, auditing in Solaris could only be enabled per process, per user or system-wide. Sometimes, though, you want to know which users or processes accessed, or tried to access, one specific file. You don't want every file access of a set of users, nor every access by a selected group of processes, let alone every file access on the system. You just want the access attempts to that one file.

Of course, you can configure auditing to write all file accesses into the audit log, but then you generate a large pile of audit data and have to find the one needle in the haystack. Filtering is easy, but it is still a lot of data to generate and store. There must be a more elegant way.

Since Solaris 11.4 you can configure auditing on a per-file basis, so the audit log only fills with the records you actually want to see.

Let's assume your task is to find out who tries to access /etc/shadow and fails. Recording every file access on the system is a bit bulky for this task. File-based auditing is configured through the file's ACL: you add an audit entry with chmod. The entry below asks for an audit record whenever an attempt by anyone to read the file's data fails (the corresponding successful_access flag would record the successful attempts instead):

root@testbed:~# chmod A+everyone@:read_data:failed_access:audit /etc/shadow

ls -v /etc/shadow lists the ACL and should now show the audit entry next to the ordinary permissions. I'm now switching to a shell that isn't sufficiently privileged to read that file:

jmoekamp@testbed:~$ cat /etc/shadow 
cat: cannot open /etc/shadow: Permission denied

Back on the root shell, auditreduce -o file=/etc/shadow selects the records that reference /etc/shadow as their object, and praudit -s turns the binary audit records into readable, comma-separated tokens, one token per line (the file tokens at the beginning and end mark the boundaries of the audit trail file):

root@testbed:~# auditreduce -o file=/etc/shadow | praudit -s
file,2025-04-16 09:36:19.000+02:00,
header,191,2,AUE_OPEN_R,ace:fp:fe,testbed,2025-04-16 09:36:19.066+02:00
access,0x1
attribute,100400,root,root,65538,157110,18446744073709551615
path,/etc/shadow
subject,jmoekamp,jmoekamp,staff,jmoekamp,staff,7371,664911514,148 1 Mac
groups,staff
use of privilege,failed use of priv,file_dac_read
return,failure: Permission denied,-1
annotation,d
zone,global
sequence,162
file,2025-04-16 09:36:19.000+02:00,
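The record above already answers the original question: header names the event (AUE_OPEN_R, an open for reading), path names the object, subject carries the user and process id, return reports the failure, and use of privilege shows which privilege (file_dac_read) would have been needed to get past the permission check. Once more than a handful of records come back, a small parser is handier than reading tokens by eye. The following Python script is an added example and not part of the original post or of Solaris: it parses praudit -s text output into records and reports the failed accesses to a watched file. The sample data embedded in it is constructed from the record shown above plus a made-up successful record; the token field order it assumes is the one visible in that output.

```python
"""Filter praudit -s text output for failed accesses to a watched file."""
# Added example (not from the original post). Assumes the token layout that
# praudit -s printed above: one comma-separated token per line, a record
# starting at a "header" token and ending at the next header or at EOF.
from __future__ import annotations

import sys
from dataclasses import dataclass, field
from typing import Iterable, Iterator

# Constructed sample, modelled on the record in the post. The second record
# (a successful open of /etc/passwd) is made up so the filter has something
# to leave out.
SAMPLE = """\
file,2025-04-16 09:36:19.000+02:00,
header,191,2,AUE_OPEN_R,ace:fp:fe,testbed,2025-04-16 09:36:19.066+02:00
access,0x1
attribute,100400,root,root,65538,157110,18446744073709551615
path,/etc/shadow
subject,jmoekamp,jmoekamp,staff,jmoekamp,staff,7371,664911514,148 1 Mac
groups,staff
use of privilege,failed use of priv,file_dac_read
return,failure: Permission denied,-1
annotation,d
zone,global
sequence,162
header,120,2,AUE_OPEN_R,,testbed,2025-04-16 09:36:25.001+02:00
path,/etc/passwd
subject,jmoekamp,jmoekamp,staff,jmoekamp,staff,7372,664911514,148 1 Mac
return,success,0
zone,global
sequence,163
file,2025-04-16 09:36:25.000+02:00,
"""


@dataclass
class AuditRecord:
    event: str = ""
    timestamp: str = ""
    host: str = ""
    paths: list[str] = field(default_factory=list)
    audit_user: str = ""      # user the session was authenticated as
    effective_user: str = ""  # uid the process ran with
    pid: str = ""
    zone: str = ""
    sequence: int | None = None
    success: bool | None = None
    error: str = ""
    failed_privs: list[str] = field(default_factory=list)


def parse_praudit(text: str) -> Iterator[AuditRecord]:
    """Yield one AuditRecord per header..sequence group of praudit -s output."""
    rec: AuditRecord | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        fields = rest.split(",")
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
            if rec is not None:
                yield rec
            rec = AuditRecord(event=fields[2], host=fields[4], timestamp=fields[5])
        elif rec is None:
            continue  # "file" tokens delimit the trail and carry no record data
        elif token == "path":
            rec.paths.append(rest)  # whole remainder: a path may contain commas
        elif token == "subject":
            # subject,<audit-user>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
            rec.audit_user, rec.effective_user, rec.pid = fields[0], fields[1], fields[5]
        elif token == "use of privilege":
            if fields[0].startswith("failed"):
                rec.failed_privs.append(fields[1])
        elif token == "return":
            # return,success,<retval>  or  return,failure: <errno text>,<retval>
            rec.success = fields[0] == "success"
            rec.error = "" if rec.success else fields[0].removeprefix("failure: ")
        elif token == "zone":
            rec.zone = rest
        elif token == "sequence":
            rec.sequence = int(rest)
    if rec is not None:
        yield rec


def failed_accesses(records: Iterable[AuditRecord], watched: str) -> list[AuditRecord]:
    """Records whose object is `watched` and whose return token reports failure."""
    return [r for r in records if watched in r.paths and r.success is False]


def summarise(rec: AuditRecord) -> str:
    privs = ",".join(rec.failed_privs) or "-"
    return (f"{rec.timestamp} seq={rec.sequence} {rec.event} user={rec.effective_user} "
            f"pid={rec.pid} zone={rec.zone} path={rec.paths[0]} "
            f"error={rec.error!r} failed_privs={privs}")


if __name__ == "__main__":
    # Live use: auditreduce -o file=/etc/shadow | praudit -s | python3 audit_filter.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for rec in failed_accesses(parse_praudit(text), "/etc/shadow"):
        print(summarise(rec))
```

Run without input it works on the embedded sample and prints the single failed read of /etc/shadow; piped behind auditreduce and praudit it does the same on the real trail. The parser keys only on the token name at the start of each line, so extra tokens (access, attribute, groups, annotation) that praudit emits for some events are skipped rather than breaking the record.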

Do you want to learn more?

docs.oracle.com: Managing Auditing in Oracle® Solaris 11.4 - Specifying Files or Directories to Be Audited

Written by

Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.