How can I enable audit logs for the global zone and standard zones?

Hi Community,

How can I configure audit logs for the global zone and standard zones? I have enabled and started the auditd service and it went to maintenance mode. Please help me to configure that.

Thanks & Regards,
Ben

Well, this is often a many-pronged problem.

Assuming Solaris 11 and you ran audit -s and auditconfig +somezone and several other steps, what do these commands show when run in the global zone?

audit -s
auditconfig -getpolicy
auditconfig -getqctrl
auditconfig -getplugin
1 Like

Hi

Thanks for reply

Actually my OS is Solaris 10. Does Solaris 10 require a reboot to enable audit logs?

Regards
Ben

Well, there are some differences between 11 and 10.

Can you quickly outline what you did, instead of me assuming things?

Also, most of those commands will work as needed, so please show the output as requested.

Till now I haven't started anything, and I will share the outputs tomorrow.

Follow the task map at http://docs.oracle.com/cd/E19253-01/816-4557/audittask-44/index.html.

This is the first step in setting up audit. There are several steps; it is not just a simple matter of starting auditd, which is not what you should do anyway.

1 Like
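As an added illustration of what that task map amounts to on Solaris 10 (this is not code from the thread or from Oracle, and the function names are mine): Solaris 10 keeps its audit configuration in flat files under /etc/security (audit_control, audit_startup) and only loads the c2audit kernel module after /etc/security/bsmconv has been run and the machine rebooted, which is the reboot the question asks about; Solaris 11 configures the same things with auditconfig -set* and needs neither. The helpers below take paths and captured command output as arguments so they can be dry-run on any host; the assumed inputs are the Solaris 10 file layout and the output wording of auditconfig -getcond ("audit condition = auditing", or the auditon(2) EINVAL error when the module is not loaded). Zones are covered by the zonename policy in audit_startup: without the perzone policy, auditing is configured and run from the global zone only and each record is stamped with the zone it came from.

```shell
#!/bin/sh
# Added example (not from the thread, not Oracle's code): the Solaris 10 side of the
# audit task map as sh functions that can be dry-run anywhere.
# Assumptions: Solaris 10 file layout, and the output wording of auditconfig -getcond.

# Interpret the text of `auditconfig -getcond 2>&1`.  An EINVAL from auditon(2) is the
# signature of the c2audit module not being loaded (bsmconv not run, or no reboot since);
# otherwise report the condition word (auditing / noaudit / disabled).
audit_cond_state() {
    case "$1" in
        *"auditon(2) failed"*"Invalid argument"*)
            echo "c2audit-not-loaded"; return 1 ;;
        *"audit condition = "*)
            printf '%s\n' "$1" | sed -n 's/.*audit condition = \([a-z]*\).*/\1/p' | head -n 1
            return 0 ;;
        *)  echo "unrecognised"; return 2 ;;
    esac
}

# bsmconv's persistent kernel change is this /etc/system line; it only takes effect at
# the next boot, which is why Solaris 10 needs a reboot.  $1 = path of /etc/system.
etc_system_has_audit_load() {
    grep -q '^[[:space:]]*set[[:space:]]*c2audit:audit_load[[:space:]]*=[[:space:]]*1' "$1"
}

# Minimal audit_control: record directory, default per-user classes (lo = login/logout,
# ad = administrative), the free-space percentage below which audit_warn(1M) fires, and
# the classes for events that cannot be attributed to a user.
# $1 = destination file, $2 = audit directory.
write_audit_control() {
    cat > "$1" <<EOF
dir:$2
flags:lo,ad
minfree:20
naflags:lo,ad
EOF
}

# audit_startup runs in the global zone when auditing starts.  +cnt keeps the system up
# (counting dropped records) if the audit filesystem fills; +zonename stamps each record
# with the originating zone, so one global-zone auditd covers the non-global zones.
# $1 = destination file.
write_audit_startup() {
    cat > "$1" <<'EOF'
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt,zonename
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
EOF
    chmod 0744 "$1"
}

# Lint an audit_control: each keyword exactly once and an absolute dir.  Prints "ok"
# or the first problem.  ("|| true" stops grep -c's exit status tripping set -e.)
check_audit_control() {
    f=$1
    for key in dir flags minfree naflags; do
        n=$(grep -c "^$key:" "$f" || true)
        [ "$n" -eq 1 ] || { echo "keyword '$key' appears $n times"; return 1; }
    done
    case "$(sed -n 's/^dir://p' "$f")" in
        /*) ;;
        *)  echo "dir must be an absolute path"; return 1 ;;
    esac
    echo ok
}

# Live precheck, meaningful only as root in a Solaris 10 global zone: says whether to
# run /etc/security/bsmconv, reboot, or go ahead with `audit -s`.
audit_precheck() {
    verdict=$(audit_cond_state "$(/usr/sbin/auditconfig -getcond 2>&1 || true)" || true)
    echo "kernel audit module: $verdict"
    if etc_system_has_audit_load /etc/system; then
        [ "$verdict" = "c2audit-not-loaded" ] && echo "next: reboot (bsmconv already ran)"
    else
        echo "next: /etc/security/bsmconv, then reboot, then audit -s"
    fi
}

if [ "${1:-}" = "precheck" ]; then audit_precheck; fi
```

Run it as `sh audit-setup.sh precheck` in the global zone to learn which step you are at; the write_* functions are meant to be pointed at a scratch directory first, diffed against the live /etc/security files, and only then copied into place before `audit -s`.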

OK, thanks. The thing is, somewhere I read that to enable audit a system reboot is required; that's the reason I asked. I will try and let you know the status.

Hi, sorry for the late reply.

While trying to issue the above commands, I'm getting the errors below and my service is in maintenance mode:

bash-3.2# audit -s
audit: Cannot read audit policy:  Invalid argument
bash-3.2# auditconfig -getpolicy
auditconfig: auditon(2) failed.
auditconfig: error = Invalid argument(22)
bash-3.2# auditconfig -getqctrl
auditconfig: auditon(2) failed.
auditconfig: error = Invalid argument(22)
bash-3.2# auditconfig -getplugin
usage: auditconfig option ...
 -aconf
 -audit event sorf retval string
 -chkaconf
 -chkconf
 -conf
 -getasid
 -getaudit
 -getauid
 -getcar
 -getclass event
 -getcond
 -getcwd
 -getestate event
 -getfsize
 -getkaudit
 -getkmask
 -getpinfo pid
 -getpolicy
 -getqbufsz
 -getqctrl
 -getqdelay
 -getqhiwater
 -getqlowater
 -getstat
 -gettid
 -lsevent
 -lspolicy
 -setasid asid [cmd]
 -setaudit auid audit_flags termid asid [cmd]
 -setauid auid [cmd]
 -setclass event audit_flags
 -setfsize filesize
 -setkaudit type IP_address
 -setkmask audit_flags
 -setpmask pid audit_flags
 -setpolicy [+|-]policy_flags
 -setqbufsz bufsz
 -setqctrl hiwater lowater bufsz delay
 -setqdelay delay
 -setqhiwater hiwater
 -setqlowater lowater
 -setsmask asid audit_flags
 -setstat
 -setumask user audit_flags
bash-3.2# svcs svc:/system/auditd
STATE          STIME    FMRI
maintenance    16:40:23 svc:/system/auditd:default

What does

svcs -xv svc:/system/auditd

show? It looks like you have a frapped auditd.

Hi

Thanks for the information. Please see below:

bash-3.2# svcs -xv auditd
svc:/system/auditd:default (Solaris audit daemon)
 State: maintenance since Tue Dec 29 16:40:23 2015
Reason: Start method failed repeatedly, last exited with status 98.
   See: http://sun.com/msg/SMF-8000-KS
   See: man -M /usr/share/man -s 1M auditd
   See: man -M /usr/share/man -s 1M audit
   See: /var/svc/log/system-auditd:default.log
Impact: This service is not running.
bash-3.2# cat
^C
bash-3.2# cat /var/svc/log/system-auditd:default.log
[ Feb 13 12:51:00 Disabled. ]
[ Feb 13 12:51:00 Rereading configuration. ]
[ Dec 29 16:40:23 Enabled. ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
bash-3.2# svcs -l auditd
fmri         svc:/system/auditd:default
name         Solaris audit daemon
enabled      true
state        maintenance
next_state   none
state_time   Tue Dec 29 16:40:23 2015
logfile      /var/svc/log/system-auditd:default.log
restarter    svc:/system/svc/restarter:default
contract_id
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   require_all/none svc:/milestone/name-services (online)
dependency   require_all/none svc:/system/system-log (online)