audit useradd, userdel on solaris 10

I just want to audit and log to syslog when a user is added, removed or modified from the system.

According to the docs I have:

#/etc/security/audit_control
dir:/var/audit
flags:ua
minfree:20
naflags:ua
plugin:name=audit_syslog.so.1; p_flags=ua

But neither syslog nor auditreduce -c ua | praudit gives me any log (after a restart or audit -s).

Does anyone have an idea if this is the way to achieve what I want and I'm doing something wrong, or whether there is another way to audit adding and removing users to syslog on Solaris 10?

Thanks.

Everything looks OK in your audit_control file, do you have something like the following in your syslog.conf file?
audit.debug /var/adm/messages

Also, is auditd enabled?
svcadm enable svc:/system/auditd:default

Also you need to enable BSM by running /etc/security/bsmconv then rebooting. You probably already did that, but just checking.

Yep, I have
audit.notice /var/adm/messages

It catches the audit when I edit crontab:
Feb 20 00:10:15 server audit: [ID 702911 audit.notice] crontab-modify ok session 2921655314 by root as root:root from 1.104.168.192 obj /var/spool/cron/crontabs/root

But it doesn't catch when I add, delete or change the pass on a user:
# useradd mynewuser

I've found
General Solaris 10 Discussion - user administration auditing
Kernel - bsm audit user administration

But neither offers a solution, and they're from 2006. I'm using Solaris 10 10/08.

Ah, good to see it's functioning on some level. Very odd that it doesn't log useradd/del; one would think they fit in the 'ua' (user administration) category. You might try some different flags like 'am' or 'as'. audit_class has the list of flags.

I'm sticking with this issue as long as I can because I'm very interested to find out how to make this work.

I was wrong, passwd got logged with only ua.
Feb 20 00:40:07 server1 audit: [ID 702911 audit.notice] passwd ok session 165926946 by root as root:sys from 1.104.168.192 text stanko2

There is no audit of useradd, userdel.

I've now also added "ad" and "as":
flags:lo,ua,ad,as
naflags:lo,ua,ad,as
plugin:name=audit_syslog.so.1; p_flags=lo,ua,ad,as

But still nothing about useradd, userdel.

Just to note that if I add "ex", useradd and userdel get logged as commands, but that's not what I want, as it logs every command I run and I just want operations on users to get logged.
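As an added example (not code from anyone in this thread), here is a small Python parser for audit_syslog.so.1 lines of the shape shown in the posts above. It pulls out the event name, outcome, audit user, effective user:group, source address and the trailing obj/text attribute, then filters for user-administration events so a syslog watcher can alert on passwd changes even though, as the thread finds, useradd/userdel records never arrive. The field layout the regex expects and the list of event names are assumptions drawn from the two sample lines and the command names mentioned in the thread; the sample input is the thread's two lines plus constructed ones.

```python
import re
from typing import Optional

# Line shape of audit_syslog.so.1 output as seen in this thread. The "obj ..." or
# "text ..." trailer is optional. The layout is an assumption drawn from the two
# sample lines above, not taken from Solaris documentation.
AUDIT_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+audit:\s+\[ID\s+(?P<msgid>\d+)\s+(?P<facility>[\w.]+)\]\s+"
    r"(?P<event>\S+)\s+(?P<status>\S+)\s+session\s+(?P<session>\d+)\s+"
    r"by\s+(?P<auid>\S+)\s+as\s+(?P<euid>[^:\s]+):(?P<egid>\S+)\s+"
    r"from\s+(?P<src>\S+)"
    r"(?:\s+(?P<attr_kind>obj|text)\s+(?P<attr>.*))?$"
)

# Event names treated as user administration. Assumed list: passwd is the one the
# thread shows arriving; useradd/userdel/usermod and the group* commands are the ones
# the thread says never appear, but a watcher should still match them if they do.
USER_ADMIN_EVENTS = frozenset({
    "passwd", "useradd", "userdel", "usermod", "groupadd", "groupmod", "groupdel",
})


def parse_audit_line(line: str) -> Optional[dict]:
    """Return the fields of one audit_syslog line, or None if the line is not one."""
    m = AUDIT_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["session"] = int(rec["session"])
    return rec


def user_admin_events(lines):
    """Yield parsed records whose event name is a user-administration event."""
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and rec["event"] in USER_ADMIN_EVENTS:
            yield rec


def summarize(rec: dict) -> str:
    """One-line summary for an alert: who did what, from where, with what outcome."""
    target = f" {rec['attr_kind']}={rec['attr']}" if rec["attr_kind"] else ""
    return (f"{rec['event']} {rec['status']} by {rec['auid']} "
            f"(as {rec['euid']}:{rec['egid']}) from {rec['src']} on {rec['host']}{target}")


# Sample input: the first two lines are the ones posted in this thread, the rest are
# constructed (hosts, addresses, sessions and users are made up).
SAMPLE_LINES = [
    "Feb 20 00:10:15 server audit: [ID 702911 audit.notice] crontab-modify ok session 2921655314 "
    "by root as root:root from 1.104.168.192 obj /var/spool/cron/crontabs/root",
    "Feb 20 00:40:07 server1 audit: [ID 702911 audit.notice] passwd ok session 165926946 "
    "by root as root:sys from 1.104.168.192 text stanko2",
    "Feb 20 00:41:30 server1 sshd[1234]: [ID 800047 auth.info] Accepted publickey for root",
    "Feb 20 00:42:02 server1 audit: [ID 702911 audit.notice] passwd failed session 165926946 "
    "by operator as operator:staff from 10.0.0.9 text stanko2",
]

if __name__ == "__main__":
    for rec in user_admin_events(SAMPLE_LINES):
        print(summarize(rec))
```

Run it as a script to print one summary per matching line; feed it `tail -f /var/adm/messages` (or whatever file the audit.notice line in syslog.conf points at) to watch live. The non-audit sshd line is skipped because the regex requires the "audit:" tag, and the crontab-modify record is parsed but filtered out because it is not in the user-administration set.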

I have not had a chance to work on this in the past few days. During my last session I got no farther than you in making this work. From everything I've read simply using ua should include useradd/del commands. Either it's a bug or we don't understand it correctly and neither does anyone else on the Internet reachable by Google. I'll continue my work when I can and hope for the best.

I have this issue as well. It's a bug. You can see it on opensolaris.org.

Bug ID: 6178396 useradd(1M), usermod(1M), userdel(1M), groupadd(1M), groupmod(1M), groupdel(1M) do not audit actions

It says they are not really looking at a fix for this and the workaround is to use pfexec. I don't really like the workaround. I really wish they would fix this.

I've never used auditreduce (must take a look!). I do:

# cd /var/audit
# ls -latr | tail -5
Note the newest file.
# praudit -l <latestauditfile>

The other thing you can do for testing is:
# tail -f <latestauditfile> | praudit -l
in one window while you do useradd, userdel etc. in another window and watch for the lines being added.

The currently used audit file will not have a termination date and time as part of the file name.

HTH