Full Discussion: /etc/security/audit_user
Operating Systems Solaris /etc/security/audit_user Post 302105171 by sparcguy on Wednesday 31st of January 2007 05:47:08 AM
/etc/security/audit_user

The auditor has come in today and is requesting all sorts of system logs, and I spent the better part of yesterday with my boss "correcting deficiencies" on our boxes.

One of the things the auditor has requested was the audit_user file under /etc/security. I checked docs.sun.com; it doesn't tell me very much and I'm quite clueless as to what it does. My file has only 1 entry and it's the same on all the other boxes.

#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
#ident @(#)audit_user.txt 1.5 97/01/08 SMI
#
#
# User Level Audit User File
#
# File Format
#
# username:always:never
#
root:lo:no



docs.sun.com says:
Example - Creating an Audit Admin Login
If all the audit partitions are full, then it could be impossible to log in to a host. If all logins are audited, then the fact that the audit partitions are full would prevent anyone from completing a login. To avoid this situation, you can set up a special login that is not audited. This new login would allow you to log in to the host even if the audit partitions are full. Then, you could fix the problem with the full partitions. In this example, the user auditadm is defined so that no auditing takes place.


But I still don't get any of it. My question is: what does this file do? If I were to add a user to the file to be audited, what sort of auditing takes place? Are there supposed to be any logs or binary databases where it will store auditing information of the users that I can check? What does auditing partitions refer to? Does it mean a kind of auditing database?

Can anybody help to explain?

Thanks in advance.

Last edited by sparcguy; 01-31-2007 at 06:55 AM..
 
audit_user(4)                    File Formats                    audit_user(4)

NAME
     audit_user - per-user auditing data file

SYNOPSIS
     /etc/security/audit_user

DESCRIPTION
     audit_user is an access-restricted database that stores per-user
     auditing preselection data. You can use the audit_user file with other
     authorization sources, including the NIS map audit_user.byname and the
     NIS+ table audit_user. Programs use the getauusernam(3BSM) routines to
     access this information.

     The search order for multiple user audit information sources is
     specified in the /etc/nsswitch.conf file. See nsswitch.conf(4). The
     lookup follows the search order for passwd(4).

     The fields for each user entry are separated by colons (:). Each user
     is separated from the next by a newline. audit_user does not have
     general read permission. Each entry in the audit_user file has the
     form:

          username:always-audit-flags:never-audit-flags

     The fields are defined as follows:

     username              User's login name.

     always-audit-flags    Flags specifying event classes to always audit.

     never-audit-flags     Flags specifying event classes to never audit.

     For a complete description of the audit flags and how to combine them,
     see audit_control(4).

EXAMPLES
     Example 1: Using the audit_user File

          other:lo,am:io,cl
          fred:lo,ex,+fc,-fr,-fa:io,cl
          ethyl:lo,ex,nt:io,cl

FILES
     /etc/nsswitch.conf
     /etc/passwd
     /etc/security/audit_user

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +-----------------------------+-----------------------------+
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     +-----------------------------+-----------------------------+
     | Interface Stability         | See below                   |
     +-----------------------------+-----------------------------+

     The file format stability is evolving. The file content is unstable.

SEE ALSO
     bsmconv(1M), getauusernam(3BSM), audit_control(4), nsswitch.conf(4),
     passwd(4)

NOTES
     This functionality is available only if the Basic Security Module (BSM)
     has been enabled. See bsmconv(1M) for more information.

SunOS 5.10                       2 Jan 2003                      audit_user(4)
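
An added example (not part of the original post or the man page): a small Python parser for the username:always-audit-flags:never-audit-flags format, of the kind you could run over a copy of the file to answer an auditor's question about which users are exempt from a given event class. The sample input is constructed from the entries shown on this page plus a hypothetical auditadm line that assumes the un-audited login puts the `all` class in the never field. Only the `+` (success) and `-` (failure) prefixes seen in the man page example are interpreted; any other flag syntax from audit_control(4) is reported as unparsed.

```python
import re

# Constructed sample: entries from this page, a hypothetical auditadm line,
# and one deliberately malformed line.
SAMPLE = """\
# username:always:never
root:lo:no
other:lo,am:io,cl
fred:lo,ex,+fc,-fr,-fa:io,cl
ethyl:lo,ex,nt:io,cl
auditadm:no:all
broken-line-without-fields
"""

_CLASS = re.compile(r"[a-z][a-z0-9]*")  # assumed shape of a class name

def parse_flags(field):
    """Map each class in one flag field to 'success', 'failure' or 'both'."""
    flags = {}
    for tok in filter(None, (t.strip() for t in field.split(","))):
        outcome = {"+": "success", "-": "failure"}.get(tok[0], "both")
        name = tok[1:] if outcome != "both" else tok
        if not _CLASS.fullmatch(name):
            raise ValueError(f"unparsed flag {tok!r}")
        if name != "no":  # "no" names no class, so it adds nothing
            flags[name] = outcome
    return flags

def parse_audit_user(text):
    """Return ({user: {'always': ..., 'never': ...}}, [(line_no, error)])."""
    entries, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        try:
            if len(parts) != 3 or not parts[0]:
                raise ValueError("expected username:always:never")
            entries[parts[0]] = {"always": parse_flags(parts[1]),
                                 "never": parse_flags(parts[2])}
        except ValueError as exc:
            errors.append((n, str(exc)))
    return entries, errors

def never_audits(entries, cls):
    """Users whose never field names cls or the catch-all class 'all'."""
    return sorted(u for u, e in entries.items()
                  if cls in e["never"] or "all" in e["never"])
```

For the single entry in the post, root:lo:no, this yields an always set of {lo} and an empty never set.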