ars(7)          Standards, Environments, Macros, Character Sets, and miscellany          ars(7)
NAME
ars - receive Solaris audit logs from a remote server
SYNOPSIS
/usr/sbin/auditd
DESCRIPTION
Audit Remote Server (ARS) is the counterpart of the audit_remote(7)
plugin. Data sent by the plugin can be captured, processed, and stored
by the server according to its configuration.
ARS is delivered as a disabled Solaris audit component. It is necessary
to configure ARS before it can be used to process a remote audit trail.
ARS configuration is twofold:
o the underlying security mechanisms used for secure audit
data transport have to be configured (see audit_remote(7));
o the audit remote subsystem has to be configured.
To observe and configure the ARS, use the auditconfig(8) -setremote
and -getremote options. The configuration is divided between the
configuration of server and group. The server configuration allows for
changing common ARS parameters, while the group keyword allows
configuration of connection groups, the sets of hosts sharing the same local
storage parameters.
Server configuration attributes
listen_address
The address the server listens on. An empty listen_address
attribute defaults to listen on all local addresses.
listen_port
The local listening port; 0 defaults to 16162, the port associated
with the "solaris-audit" Internet service name. See services(5).
login_grace_time
The server disconnects after login grace time (in seconds) if the
connection has not been successfully established; 0 defaults to no
limit.
max_startups
The number of concurrent unauthenticated connections to the server
at which the server starts refusing new connections. The value may
be specified in begin:rate:full format to allow random early drop
mode, for example 10:30:60, meaning that ARS would refuse
connection attempts with a probability of rate/100 (30% in our example)
if there are currently 10 (from the begin field) unauthenticated
connections. The probability increases linearly and all connection
attempts are refused if the number of unauthenticated connections
reaches full (60 in our example).
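The begin:rate:full semantics described above, modelled in Python as an added example (not Solaris code, and not how auditd implements it); MaxStartups and its method names are chosen here, and the linear ramp between begin and full is the reading of the text stated in the comments:

```python
"""Model of the ARS max_startups random early drop described above.

Constructed example, not Solaris code: reproduces the begin:rate:full
semantics so the effect of a value such as 10:30:60 can be inspected.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    begin: int  # unauthenticated connections at which refusing starts
    rate: int   # refusal probability in percent when exactly 'begin' are pending
    full: int   # every new connection is refused from this count onward

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Accept 'begin:rate:full', or a plain count that refuses all at that count."""
        parts = [int(p) for p in value.split(":")]
        if len(parts) == 1:
            return cls(parts[0], 100, parts[0])
        if len(parts) != 3:
            raise ValueError(f"expected begin:rate:full, got {value!r}")
        begin, rate, full = parts
        if not (0 < begin <= full and 0 <= rate <= 100):
            raise ValueError(f"inconsistent max_startups value {value!r}")
        return cls(begin, rate, full)

    def refuse_probability(self, unauthenticated: int) -> float:
        """Probability (0.0 to 1.0) that a new connection attempt is refused."""
        if unauthenticated < self.begin:
            return 0.0
        if unauthenticated >= self.full:
            return 1.0
        # Linear ramp from rate/100 at 'begin' up to 1.0 at 'full'.
        fraction = (unauthenticated - self.begin) / (self.full - self.begin)
        return self.rate / 100 + fraction * (1 - self.rate / 100)

    def should_refuse(self, unauthenticated: int, rng=random) -> bool:
        """One random early drop decision; rng is injectable for testing."""
        return rng.random() < self.refuse_probability(unauthenticated)


if __name__ == "__main__":
    policy = MaxStartups.parse("10:30:60")
    for pending in (5, 10, 35, 59, 60, 70):
        print(f"{pending:3d} pending -> refuse with p={policy.refuse_probability(pending):.2f}")
```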
Group configuration attributes
The binfile_dir, binfile_fsize, and binfile_minfree attributes follow
the respective p_* attributes defined in audit_binfile(7). The p_flags
attribute can be specified to filter the audit data being passed to the
configured plugin. Brief descriptions follow.
binfile_dir
The directory for storing per host audit data.
binfile_fsize
The maximum size of each of the stored audit trail files; 0
specifies no limit.
binfile_minfree
The minimum free space on the file system with binfile_dir before
the audit_binfile informs the administrator via audit_warn(8); 0
specifies no limit.
hosts
The hosts in the given connection group allowed to send audit data
to the server. A comma is the delimiter in case of multiple host entries.
If hosts is empty, such a connection group is called a wild card
connection group. If a new connection cannot be classified to any
other (non-wild card) connection group and there is an active wild
card connection group configured, the new connection is classified
to that connection group. Only one active wild card connection
group can be configured.
p_flags
The audit classes which audit events must belong to in order to be
passed on to the currently configured auditd plugin. If p_flags is
not specified or if no value has been assigned to p_flags then the
default value is all for all audit records. The syntax for
specifying audit flags is defined in audit_flags(7).
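The connection-group rules above (an explicit hosts match first, the single active wild card group as fallback, at most one active wild card group), as an added Python model that is not Solaris code; ConnectionGroup, classify and example_groups are names chosen here, and the group values are those of Example 1 below:

```python
"""Constructed model of ARS connection-group classification (not Solaris code):
a peer goes to the active group whose hosts list names it, else to the single
active wild card group (empty hosts), else to no group at all."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConnectionGroup:
    name: str
    active: bool = False
    hosts: frozenset = frozenset()  # empty hosts = wild card connection group
    binfile_dir: str = ""           # per-host storage directory for this group

    @classmethod
    def from_attrs(cls, name: str, active: bool, attrs: str) -> "ConnectionGroup":
        """Parse the 'key=value;key=value' string given to auditconfig -setremote."""
        kv = dict(item.split("=", 1) for item in attrs.split(";") if item.strip())
        hosts = frozenset(h.strip() for h in kv.get("hosts", "").split(",") if h.strip())
        return cls(name, active, hosts, kv.get("binfile_dir", "").strip())

    @property
    def wild_card(self) -> bool:
        return not self.hosts


def validate(groups: List[ConnectionGroup]) -> None:
    """Only one active wild card connection group may be configured."""
    wild = [g.name for g in groups if g.active and g.wild_card]
    if len(wild) > 1:
        raise ValueError(f"more than one active wild card group: {wild}")


def classify(peer: str, groups: List[ConnectionGroup]) -> Optional[str]:
    """Name of the group that will store audit data from 'peer', or None."""
    validate(groups)
    active = [g for g in groups if g.active]
    for g in active:
        if peer in g.hosts:          # explicit (non-wild card) match wins
            return g.name
    return next((g.name for g in active if g.wild_card), None)


def example_groups() -> List[ConnectionGroup]:  # the two groups from Example 1
    return [
        ConnectionGroup.from_attrs("clockhouse", True,
            "hosts=tic.cz.example.com,tac.us.example.com;binfile_dir=/var/audit/remote"),
        ConnectionGroup.from_attrs("sink", True, ""),
    ]
```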
EXAMPLES
Example 1 Audit Remote Server configuration
The following example describes the steps to configure the audit remote server
to listen on a specific address. One wild card and one non-wild card
connection group will be created. The non-wild card connection group
configuration will address remote audit data from tic.cz.example.com and
tac.us.example.com; the trail will be stored in /var/audit/remote.
# Print the current audit remote server configuration.
# Both server and connection groups (if any) are displayed.
auditconfig -getremote
# Set address the audit remote server will listen on.
auditconfig -setremote server "listen_address=192.168.0.1"
# Create two connection groups. Note that by default the
# connection group is created with no hosts specified
# (wild card connection group).
auditconfig -setremote group create clockhouse
auditconfig -setremote group create sink
# Add hosts to the connection group (convert the wild card
# connection group to a non-wild card one). Set the storage
# directory and activate the connection group.
auditconfig -setremote group active clockhouse \
"hosts=tic.cz.example.com,tac.us.example.com;
binfile_dir=/var/audit/remote"
# Activate the wild card connection group.
auditconfig -setremote group active sink
# Verify the audit remote server configuration.
auditconfig -getremote
# Start or refresh the audit service.
audit -s
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            system/core-os
Interface Stability     Committed
SEE ALSO
services(5), attributes(7), audit_binfile(7), smf(7), audit(8),
audit_warn(8), auditconfig(8), auditd(8)
Managing Auditing in Oracle Solaris 11.4
NOTES
The audit service FMRI is svc:/system/auditd:default.
Oracle Solaris 11.4 21 Jun 2021 ars(7)