Hi Community,
How can I configure audit logs for global zones and standard zones? I have enabled and started the auditd service and it went to maintenance mode. Please help me to configure that.
Thanks & Regards,
Ben
Well, this is often a many-pronged problem.
Assuming Solaris 11 and you ran audit -s
and auditconfig +somezone
and several other steps, what do these commands show when run in the global zone?
audit -s
auditconfig -getpolicy
auditconfig -getqctrl
auditconfig -getplugin
Hi,
Thanks for the reply.
Actually my OS is Solaris 10. Does Solaris 10 require any reboot to enable audit logs?
Regards,
Ben
Well, some differences are there for 11 vs 10.
Can you quickly outline what you did, instead of me assuming things?
Also, most of those commands will work as needed, so please show the output as requested.
Till now I haven't started anything, and I will share the outputs tomorrow.
http://docs.oracle.com/cd/E19253-01/816-4557/audittask-44/index.html follow the task map.
This is the first step in setting up audit. There are several steps; it is not just a simple matter of starting auditd, which is not what you should do anyway.
OK, thanks. The thing is, somewhere I read that a system reboot is required to enable audit; that's the reason I asked. I will try and let you know the status.
Hi, sorry for the late reply.
While trying to issue the above commands, I'm getting the errors below and my service is in maintenance mode.
bash-3.2# audit -s
audit: Cannot read audit policy: Invalid argument
bash-3.2# auditconfig -getpolicy
auditconfig: auditon(2) failed.
auditconfig: error = Invalid argument(22)
bash-3.2# auditconfig -getqctrl
auditconfig: auditon(2) failed.
auditconfig: error = Invalid argument(22)
bash-3.2# auditconfig -getplugin
usage: auditconfig option ...
-aconf
-audit event sorf retval string
-chkaconf
-chkconf
-conf
-getasid
-getaudit
-getauid
-getcar
-getclass event
-getcond
-getcwd
-getestate event
-getfsize
-getkaudit
-getkmask
-getpinfo pid
-getpolicy
-getqbufsz
-getqctrl
-getqdelay
-getqhiwater
-getqlowater
-getstat
-gettid
-lsevent
-lspolicy
-setasid asid [cmd]
-setaudit auid audit_flags termid asid [cmd]
-setauid auid [cmd]
-setclass event audit_flags
-setfsize filesize
-setkaudit type IP_address
-setkmask audit_flags
-setpmask pid audit_flags
-setpolicy [+|-]policy_flags
-setqbufsz bufsz
-setqctrl hiwater lowater bufsz delay
-setqdelay delay
-setqhiwater hiwater
-setqlowater lowater
-setsmask asid audit_flags
-setstat
-setumask user audit_flags
bash-3.2# svcs svc:/system/auditd
STATE STIME FMRI
maintenance 16:40:23 svc:/system/auditd:default
svcs -xv svc:/system/auditd
shows what? It looks like you have a frapped auditd.
Hi,
Thanks for the information. Please see below.
bash-3.2# svcs -xv auditd
svc:/system/auditd:default (Solaris audit daemon)
State: maintenance since Tue Dec 29 16:40:23 2015
Reason: Start method failed repeatedly, last exited with status 98.
See: http://sun.com/msg/SMF-8000-KS
See: man -M /usr/share/man -s 1M auditd
See: man -M /usr/share/man -s 1M audit
See: /var/svc/log/system-auditd:default.log
Impact: This service is not running.
bash-3.2# cat
^C
bash-3.2# cat /var/svc/log/system-auditd:default.log
[ Feb 13 12:51:00 Disabled. ]
[ Feb 13 12:51:00 Rereading configuration. ]
[ Dec 29 16:40:23 Enabled. ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
bash-3.2# svcs -l auditd
fmri svc:/system/auditd:default
name Solaris audit daemon
enabled true
state maintenance
next_state none
state_time Tue Dec 29 16:40:23 2015
logfile /var/svc/log/system-auditd:default.log
restarter svc:/system/svc/restarter:default
contract_id
dependency require_all/none svc:/system/filesystem/local (online)
dependency require_all/none svc:/milestone/name-services (online)
dependency require_all/none svc:/system/system-log (online)
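Added example for this thread (it is not code from any of the posts above, nor Oracle's): a small POSIX shell triage script for the situation shown. It parses the SMF service log format posted above to pull out the last start-method exit status and the number of failed attempts, maps that status to its smf_method(5) name (98 is SMF_EXIT_MON_OFFLINE), summarises an audit_control(4) file, and, only when running on a SunOS host, performs the live checks a Solaris 10 administrator would do before enabling auditd: whether the c2audit kernel module is loaded and whether auditconfig -getcond succeeds. On Solaris 10 the documented enable step is running /etc/security/bsmconv and rebooting; auditon(2) failing with "Invalid argument" as in the output above is the usual sign that this has not been done. The sample log and audit_control contents below are constructed to resemble the posted output, and the /var/audit path and lo,ad flags are illustrative assumptions, not values from the poster's system.

```shell
#!/bin/sh
# Triage helper for svc:/system/auditd stuck in maintenance on Solaris 10.
# Added example for this thread; not code from the posts or from Oracle.
# The parsing functions read stdin so they run on any POSIX system; the
# Solaris-specific commands are only attempted on a SunOS host.

# Print the status from the most recent 'Method "start" exited with status N'
# line of an SMF service log (e.g. /var/svc/log/system-auditd:default.log).
last_start_exit_status() {
    sed -n 's/.*Method "start" exited with status \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Count failed start attempts. SMF retries the start method a few times and
# then drops the instance into maintenance, which is what the posted log shows.
count_start_failures() {
    grep -c 'Method "start" exited with status [1-9]' || true
}

# Map an smf_method(5) exit code to its symbolic name.
smf_exit_name() {
    case "$1" in
        0)   echo SMF_EXIT_OK ;;
        95)  echo SMF_EXIT_ERR_FATAL ;;
        96)  echo SMF_EXIT_ERR_CONFIG ;;
        97)  echo SMF_EXIT_MON_DEGRADE ;;
        98)  echo SMF_EXIT_MON_OFFLINE ;;
        99)  echo SMF_EXIT_ERR_NOSMF ;;
        100) echo SMF_EXIT_ERR_PERM ;;
        *)   echo UNKNOWN ;;
    esac
}

# Summarise an audit_control(4) file read from stdin: the audit trail
# directory (dir:) and the system-wide preselection flags (flags:).
audit_control_summary() {
    awk -F: '/^dir:/ {d=$2} /^flags:/ {f=$2} END {printf "dir=%s flags=%s\n", d, f}'
}

# Constructed sample log, modelled on the one posted in the thread.
sample_log() {
    cat <<'EOF'
[ Dec 29 16:40:23 Enabled. ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Dec 29 16:40:23 Method "start" exited with status 98 ]
[ Dec 29 16:40:23 Stopping for maintenance due to administrative_request. ]
EOF
}

# Constructed sample audit_control; path and classes are illustrative only.
sample_audit_control() {
    cat <<'EOF'
dir:/var/audit
flags:lo,ad
minfree:20
naflags:lo
EOF
}

# Live checks for a Solaris 10 host; skipped entirely elsewhere.
live_checks() {
    if [ "$(uname -s)" != "SunOS" ]; then
        echo "not a SunOS host; skipping live checks"
        return 0
    fi
    if modinfo | grep -q c2audit; then
        echo "c2audit kernel module: loaded"
    else
        echo "c2audit kernel module: not loaded (bsmconv(1M) not run, or no reboot since)"
    fi
    # auditon(2) returning EINVAL here is the symptom seen in the thread.
    auditconfig -getcond 2>&1 | sed 's/^/auditconfig -getcond: /'
    svcs -xv svc:/system/auditd 2>&1
    if [ -f /etc/security/audit_control ]; then
        audit_control_summary < /etc/security/audit_control
    fi
    return 0
}

status=$(sample_log | last_start_exit_status)
echo "last start exit status: $status ($(smf_exit_name "$status"))"
echo "failed start attempts: $(sample_log | count_start_failures)"
sample_audit_control | audit_control_summary
live_checks
```

Run it as-is to see the parsing on the constructed sample; on a real Solaris 10 host, feed the actual log with `last_start_exit_status < /var/svc/log/system-auditd:default.log` and let live_checks report the kernel module and auditconfig state before you try svcadm clear or enable on auditd again.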