Less known Solaris 11.1 features: Auditing pfedit usage

You have allowed junior to edit the httpd.conf, and some nice evening you are sitting at home. Then you get alerts on your mobile: webserver down. You log into the server. You check the httpd.conf. You see an error. You correct it. You look into the change log. Nothing. You ask your colleagues who made this change. Nobody. Dang. As always. A classic “whodunit”.

Okay, in order to prevent this for future changes, you want to record this kind of information, and working with pfedit is really useful in order to do so. This tutorial is a follow-on to the basic pfedit tutorial, so when you want to work through this one, you have to go through the basic one first.

The nice thing about pfedit is that it is integrated with the auditing subsystem of Oracle Solaris, so you can monitor the usage of pfedit with the audit log. In order to do so, we have to configure auditing. In Solaris 11 auditing is active by default, so you don’t have to enable it and reboot like with earlier Solaris releases. From the man page of pfedit we know that pfedit records its events under the audit class as. So I will add this class to the profile I’ve created in the basic tutorial:

profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
	name=httpd configure
	desc=Configure httpd
	auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
	always_audit=as
	never_audit=no
profiles:httpd configure> exit
root@template:~#

I’m done. That’s all folks. When anyone using this profile edits a file with pfedit, her or his actions will be put into the audit log. But how do you get at the stored information?

root@template:~# auditreduce -c as | praudit

And at the end of the audit log, you will find the following record:

[..]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf    Mo. Aug 12 07:45:00 2013
     +++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi      Mo. Aug 12 07:45:52 2013
     @@ -1,5 +1,6 @@
      # Test
      # Test 2:
     +# Test 3:
      #
      # This is the main Apache HTTP server configuration file.  It contains the
      # configuration directives that give the server its instructions.

return,success,0

Not only the “metadata” about the change (when, who) has been stored to the audit log, but the change itself has been stored as a diff in the log. Neat.
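As an added example (not from the original post, and not a Solaris tool), here is a small POSIX shell function that walks the text output of praudit, picks out the “edit administrative file” records and prints who edited which file, when, together with the recorded diff. The sample record is constructed from the output shown above; the function names pfedit_report and pfedit_added_lines are assumptions. On a live system you would pipe auditreduce -c as | praudit into pfedit_report instead of the sample.

```shell
#!/bin/sh
# Constructed sample of praudit text output with one pfedit record
# (mirrors the record shown above; on a real box feed in
# "auditreduce -c as | praudit" instead).
SAMPLE='header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf    Mo. Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi      Mo. Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2:
+# Test 3:
 #
return,success,0'

# pfedit_report (assumed name): read praudit text on stdin and print, for
# every "edit administrative file" event, a one-line summary
# "<timestamp> <user> edited <path> (<result>)" followed by the stored diff.
pfedit_report() {
  awk -F, '
    # header token: remember whether this record is a pfedit edit and its time
    /^header,/ { inrec = ($4 == "edit administrative file"); when = $NF; next }
    !inrec { next }                          # skip tokens of other records
    /^subject,/ { user = $2 }                # audit user id of the editor
    /^path,/ { file = $2 }                   # file that was edited
    /^text,/ { sub(/^text,/, ""); diff = $0; intext = 1; next }
    intext && !/^return,/ { diff = diff "\n" $0; next }   # diff continuation
    /^return,/ {
      printf "%s %s edited %s (%s)\n", when, user, file, $2
      print diff
      inrec = 0; intext = 0
    }
  '
}

# pfedit_added_lines (assumed name): number of lines added across all
# recorded pfedit changes on stdin, a quick "how much changed" indicator.
pfedit_added_lines() {
  pfedit_report | awk '/^\+[^+]/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE" | pfedit_report
```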