But neither syslog nor auditreduce -c ua | praudit gives me any log. (after restart or audit -s)
Does anyone have an idea whether this is the way to achieve what I want and I'm doing something wrong, or whether there is another way to audit adding and removing users to syslog on Solaris 10?
It catches the audit when I edit crontab:
Feb 20 00:10:15 server audit: [ID 702911 audit.notice] crontab-modify ok session 2921655314 by root as root:root from 1.104.168.192 obj /var/spool/cron/crontabs/root
But it doesn't catch when I add, delete or change the pass on a user:
# useradd mynewuser
Ah, good to see it's functioning on some level. Very odd that it doesn't log useradd/del; one would think they fit in the ua 'user administration' category. You might try some different flags like 'am' or 'as'. audit_class has the list of flags.
I'm sticking with this issue as long as I can because I'm very interested to find out how to make this work.
I was wrong, passwd got logged with only ua.
Feb 20 00:40:07 server1 audit: [ID 702911 audit.notice] passwd ok session 165926946 by root as root:sys from 1.104.168.192 text stanko2
There is no audit of useradd, userdel.
I've now also added "ad" and "as":
flags:lo,ua,ad,as
naflags:lo,ua,ad,as
plugin:name=audit_syslog.so.1; p_flags=lo,ua,ad,as
But still nothing about useradd, userdel.
Just to note that if I add "ex", useradd and userdel get logged as commands, but that's not what I want, as it logs every command I run and I just want operations on users to get logged.
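An added example, not from any post in this thread: a small shell filter that parses the audit_syslog.so.1 lines quoted above (the "event ok session ... by user as user:group from host" form) and keeps only account-related events, so a log watcher sees passwd/useradd/userdel without the noise that the "ex" class adds. The sample lines are constructed from the ones shown above; the "failed" outcome line and the useradd/userdel/usermod event names are assumptions, since the thread itself only shows passwd and crontab-modify.

```shell
#!/bin/sh
# Constructed sample input, modelled on the syslog lines quoted in the thread.
# The third line (outcome "failed") is assumed, not taken from the thread.
SAMPLE_LOG='Feb 20 00:10:15 server audit: [ID 702911 audit.notice] crontab-modify ok session 2921655314 by root as root:root from 1.104.168.192 obj /var/spool/cron/crontabs/root
Feb 20 00:40:07 server1 audit: [ID 702911 audit.notice] passwd ok session 165926946 by root as root:sys from 1.104.168.192 text stanko2
Feb 20 00:41:12 server1 audit: [ID 702911 audit.notice] passwd failed session 165926946 by root as root:sys from 1.104.168.192 text stanko2'

# Read audit_syslog lines on stdin; emit one tab-separated record per line:
# event, outcome, audit user ("by"), effective user:group ("as"), source host ("from").
parse_audit_syslog() {
    awk '
        /audit: \[ID [0-9]+ audit\.notice\]/ {
            # the token after "audit.notice]" is the event name, the next one the outcome
            for (i = 1; i <= NF; i++) if ($i == "audit.notice]") { ev = $(i+1); res = $(i+2); break }
            by = ""; as = ""; from = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "by")   by   = $(i+1)
                if ($i == "as")   as   = $(i+1)
                if ($i == "from") from = $(i+1)
            }
            print ev "\t" res "\t" by "\t" as "\t" from
        }'
}

# Keep only account-management events. passwd is seen in the thread; the
# useradd/userdel/usermod names are assumed to be what the ua class would emit.
user_admin_events() {
    parse_audit_syslog | awk -F'\t' '$1 ~ /^(passwd|useradd|userdel|usermod)$/'
}

# Count failed password changes in the sample, the kind of event worth alerting on.
count_failed_passwd() {
    printf '%s\n' "$SAMPLE_LOG" | user_admin_events \
        | awk -F'\t' '$1 == "passwd" && $2 == "failed"' | wc -l | tr -d ' '
}
```

Feed it real lines with something like `tail -f /var/adm/messages | user_admin_events` once the syslog plugin is writing.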
I have not had a chance to work on this in the past few days. During my last session I got no farther than you in making this work. From everything I've read simply using ua should include useradd/del commands. Either it's a bug or we don't understand it correctly and neither does anyone else on the Internet reachable by Google. I'll continue my work when I can and hope for the best.
It says they are not really looking at a fix for this and the workaround is to use pfexec. I don't really like the workaround. I really wish they would fix this.
I've never used auditreduce (must take a look!), I do:
# cd /var/audit
# ls -latr | tail -5
Note newest file.
# praudit -l <latestauditfile>
The other thing you can do for testing is:
# tail -f <latestauditfile> | praudit -l
in one window while you do useradd, userdel etc. in another window and watch for the lines being added.
The currently used audit file will not have a termination date and time as part of the file name.