Changes


FIPS Operational Environment

1,259 bytes added, 19:32, 10 October 2006
Access to System Audit Log
On Solaris, audit records are stored by default in system_name:/var/audit/.
 
To configure the System Audit Logs on Solaris, the following administration tasks need to be completed: create the audit class 'fp', create the audit event 'AUE_FIPS_AUDIT', and add the class 'fp' to the audit_control file.
 
# /etc/security/audit_class
add line:
0x99000000:fp:NSS FIPs Security Msgs
 
# /etc/security/audit_event
add line:
34444:AUE_FIPS_AUDIT:fp
 
# /etc/security/audit_control
add 'fp' to the "flags:" as in:
flags:lo,ap,fp
 
Turn on audit service:
 
Run: /etc/security/bsmconv (either as root or as a user that has been given the Audit Control RBAC profile in Solaris 8)
Reboot your system.
After the system has rebooted, ensure auditd is running: ps -ecf | grep auditd
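
A check for the three configuration entries listed above, which can be run before bsmconv and the reboot. This is an added example, not part of the original page; the function name check_fips_audit_config and its optional directory argument are assumptions, and it is written for a POSIX shell and awk.

```shell
# Added example (not from the original page): verify that the three entries
# described above are present. check_fips_audit_config is a hypothetical
# helper name. Usage: check_fips_audit_config [config_dir]

check_fips_audit_config() {
    dir=${1:-/etc/security}
    rc=0

    # audit_class: mask 0x99000000 must be bound to class name 'fp'
    awk -F: '$1 == "0x99000000" && $2 == "fp" { ok = 1 }
             END { exit(ok ? 0 : 1) }' "$dir/audit_class" 2>/dev/null || {
        echo "missing: class fp in $dir/audit_class" >&2; rc=1; }

    # audit_event: event 34444 (AUE_FIPS_AUDIT) must be assigned to class 'fp'
    awk -F: '$1 == "34444" && $2 == "AUE_FIPS_AUDIT" && $NF == "fp" { ok = 1 }
             END { exit(ok ? 0 : 1) }' "$dir/audit_event" 2>/dev/null || {
        echo "missing: event 34444 in $dir/audit_event" >&2; rc=1; }

    # audit_control: 'fp' must be one of the comma-separated flags
    # (only the plain form shown on this page is accepted, not prefixed forms)
    awk -F: '$1 == "flags" { n = split($2, f, ",")
                             for (i = 1; i <= n; i++) if (f[i] == "fp") ok = 1 }
             END { exit(ok ? 0 : 1) }' "$dir/audit_control" 2>/dev/null || {
        echo "missing: fp in flags: line of $dir/audit_control" >&2; rc=1; }

    return $rc
}
```

The function returns 0 only when all three entries are found, and names each missing one on standard error.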
 
'''Viewing the audit trail:'''
 
By default the audit logs are stored in /var/audit. To view the active audit trail, ensure there is only one *not_terminated* audit file. If there are others, delete the older ones before executing this command.
 
#cd /var/audit
#tail -0f *not_terminated* | praudit
 
Note: On Trusted Solaris 8 you need to assume a role that has the tail and praudit commands with the proc_audit_appl and proc_audit_tcb privileges.
 
You can also view the existing audit files using auditreduce:
#cd /var/audit
#auditreduce -m 34444 *not_terminated* | praudit -l
===Entry of Cryptographic Keys and CSPs===