On Solaris, default audit records are stored in system_name:/var/audit/.
To configure the System Audit Logs on Solaris, the following administration tasks need to be completed. Create the audit class 'fp', then create the audit event 'AUE_FIPS_AUDIT' and add the class 'fp' to the audit_control file.

 # /etc/security/audit_class
 add line:
 0x99000000:fp:NSS FIPs Security Msgs

 # /etc/security/audit_event
 add line:
 34444:AUE_FIPS_AUDIT:fp

 # /etc/security/audit_control
 add 'fp' to the "flags:" as in:
 flags:lo,ap,fp

Turn on the audit service:

 run: /etc/security/bsmconv (either as root or a user that has been given the Audit Control RBAC profile in Solaris 8)
 reboot your system.

After the system has rebooted, ensure auditd is running:

 ps -ecf | grep auditd
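
The three configuration edits above can be checked before running bsmconv and rebooting. The following is an added example, not part of the original page or of NSS; the function names and the optional root-directory argument are assumptions made so that the check can also be run against a copy of /etc/security, and the sample tree it builds is constructed from the three lines shown above.

```shell
# Check the 'fp' audit class, the AUE_FIPS_AUDIT event and the audit_control
# flags described on this page. The root argument (default "/") is a
# hypothetical parameter so the check can run against a copy of the files.
check_fips_audit_config() {
    root=${1:-/}
    dir=${root%/}/etc/security
    rc=0

    # audit_class: mask:name:description -> class name 'fp' must be defined
    if ! awk -F: '!/^#/ && $2 == "fp" { found = 1 } END { exit !found }' \
            "$dir/audit_class" 2>/dev/null; then
        echo "audit_class: class 'fp' is not defined"; rc=1
    fi

    # audit_event: the last field lists the classes -> 34444 must map to fp
    if ! awk -F: '!/^#/ && $1 == "34444" && $2 == "AUE_FIPS_AUDIT" {
                n = split($NF, c, ",")
                for (i = 1; i <= n; i++) if (c[i] == "fp") found = 1
            } END { exit !found }' "$dir/audit_event" 2>/dev/null; then
        echo "audit_event: 34444:AUE_FIPS_AUDIT is not in class 'fp'"; rc=1
    fi

    # audit_control: the flags: line must list fp among its classes
    if ! awk -F: '$1 == "flags" {
                gsub(/[ \t]/, "", $2)
                n = split($2, c, ",")
                for (i = 1; i <= n; i++) if (c[i] == "fp") found = 1
            } END { exit !found }' "$dir/audit_control" 2>/dev/null; then
        echo "audit_control: 'fp' is missing from flags:"; rc=1
    fi

    return $rc
}

# Build a constructed sample tree containing the three lines from this page.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc/security" || return 1
    echo '0x99000000:fp:NSS FIPs Security Msgs' > "$d/etc/security/audit_class"
    echo '34444:AUE_FIPS_AUDIT:fp' > "$d/etc/security/audit_event"
    echo 'flags:lo,ap,fp' > "$d/etc/security/audit_control"
    echo "$d"
}
```

On the host itself, check_fips_audit_config with no argument reads the live files; a non-zero return status means at least one of the three edits is missing, and each missing edit is named on standard output.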

'''Viewing the audit trail:'''

By default the audit logs are stored in /var/audit. To view the active audit trail, ensure there is only one *not_terminated* audit file. If there are others, delete the older ones before executing this command.

 # cd /var/audit
 # tail -0f *not_terminated* | praudit

Note: On Trusted Solaris 8 you need to assume a role with the tail and praudit commands with the proc_audit_appl and proc_audit_tcb privileges.

You can also view the existing audit files using auditreduce:

 # cd /var/audit
 # auditreduce -m 34444 *not_terminated* | praudit -l

===Entry of Cryptographic Keys and CSPs===