audit_syslog(7) man page - Windyhana's Solanara


Standards, Environments, Macros, Character Sets, and miscellany
                                                               audit_syslog(7)



NAME
       audit_syslog - realtime conversion of Solaris audit data to syslog mes‐
       sages

SYNOPSIS
       /usr/lib/security/audit_syslog.so

DESCRIPTION
       The  audit_syslog  plugin  module  for  Solaris  audit,  /usr/lib/secu‐
       rity/audit_syslog.so,  provides  realtime  conversion  of Solaris audit
       data to syslog-formatted (text) data and sends it to a syslog daemon as
       configured in the rsyslog.conf. The plugin's path is specified with the
       auditconfig(8) utility.


       Messages to syslog are written if the plugin is  configured  as  active
       via  auditconfig.  Use the auditconfig  -setplugin option to change all
       the plugin related configuration parameters. Syslog messages are gener‐
       ated  with  the  facility code of LOG_AUDIT (audit in rsyslog.conf) and
       severity of LOG_NOTICE. Audit syslog  messages  contain  data  selected
       from the tokens described for the binary audit log. (See audit.log(5)).
       As with all syslog messages, each line in a syslog file consists of two
       parts, a syslog header and a message.


       The syslog header contains the date and time the message was generated,
       the host name from which it was sent, auditd to indicate  that  it  was
       generated by the audit daemon, an ID field used internally by rsyslogd,
       and audit.notice indicating the syslog facility  and  severity  values.
       The syslog header ends with the characters ], that is, a closing square
       bracket and a space.


       The message part starts with the event type from the header token.  All
       subsequent  data appears only if contained in the original audit record
       and there is room in the 1024-byte maximum length syslog line.  In  the
       following  example,  the backslash (\) indicates a continuation; actual
       syslog messages are contained on one line:

         Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok\
         session 401 by joeuser as root:other from myultra obj /export/home



       In the preceding example, chdir(2) is the event  type.  Following  this
       field  is  additional data, described below. This data is omitted if it
       is not contained in the source audit record.

       ok or failed          Comes from the return or exit token.


       session <#>           <#> is the session ID from the subject token.


       by <name>             <name> is the audit ID from the subject token.


       as <name>:<group>     <name> is the effective user ID  and  <group>  is
                             the effective group ID from the subject token.


       in <zone name>        The  zone  name.  This field is generated only if
                             the zonename audit policy is set.


       from <terminal>       <terminal> is the text machine address  from  the
                             subject token.


       obj <path>            <path> is the path from the path token. The path
                             can be truncated from the left if necessary to
                             fit it on the line. Truncation is indicated by a
                             leading ellipsis (...).


       proc_uid <owner>      <owner> is the effective user ID of  the  process
                             owner.


       proc_auid <owner>     <owner> is the audit ID of the process owner.


       argv <arguments>      Listed  are  the  execv(2)  system call parameter
                             arguments from the exec_args token.

                             Arguments can be truncated from the right if nec‐
                             essary  to  fit  them  on the line. Truncation is
                             indicated by trailing ellipsis (...).


       arge <arguments>      Listed are the execv(2) system  call  environment
                             arguments from the exec_env token.

                             Arguments can be truncated from the right if nec‐
                             essary to fit them on  the  line.  Truncation  is
                             indicated by trailing ellipsis (...).



       The following are example syslog messages:

         Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] \
         system booted

         Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] \
         login - rlogin ok session 401 by joeuser as joeuser:staff from myultra

         Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] \
         access(2) ok session 255 by janeuser as janeuser:staff from  \
         129.146.89.30 obj /etc/passwd
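       Added example (not part of the man page): a parser for the message
       format described above, exercised on the example lines shown here with
       their backslash continuations joined. It assumes the header layout and
       the field keywords exactly as listed on this page; the record keys and
       the truncated list are this example's own naming.

```python
import re

# Sample lines constructed from the examples in audit_syslog(7), with the
# backslash continuations joined so each message is on one line.
SAMPLE_LINES = [
    "Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok "
    "session 401 by joeuser as root:other from myultra obj /export/home",
    "Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] system booted",
    "Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] access(2) ok "
    "session 255 by janeuser as janeuser:staff from 129.146.89.30 obj /etc/passwd",
]

# Header as the man page describes it: timestamp, host, "auditd:",
# "[ID <n> facility.severity]"; it ends at "] " and the message follows.
HEADER_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+auditd:\s+"
    r"\[ID\s+(?P<id>\d+)\s+(?P<prio>[a-z]+\.[a-z]+)\]\s(?P<msg>.*)$"
)
STATUS = {"ok", "failed"}                      # from the return/exit token
ONE_VALUE = {"session", "by", "as", "in", "from", "obj", "proc_uid", "proc_auid"}
REST = {"argv", "arge"}                        # these run to the end of the line


def parse_audit_syslog(line):
    """Parse one audit_syslog line into a dict; None if the header does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"time": m["time"], "host": m["host"], "id": m["id"], "priority": m["prio"], "status": None}
    toks = m["msg"].split()
    # Event type = tokens before the first status word or field keyword; it may contain spaces.
    i = next((k for k, t in enumerate(toks) if t in STATUS | ONE_VALUE | REST), len(toks))
    rec["event"] = " ".join(toks[:i])
    while i < len(toks):
        tok = toks[i]
        if tok in STATUS:
            rec["status"], i = tok, i + 1
        elif tok in ONE_VALUE and i + 1 < len(toks):
            if tok == "as":                    # effective uid:gid from the subject token
                rec["euid"], _, rec["egid"] = toks[i + 1].partition(":")
            else:
                rec[tok] = toks[i + 1]
            i += 2
        elif tok in REST:                      # argv/arge: everything that remains
            rec[tok] = " ".join(toks[i + 1:])
            break
        else:
            i += 1                             # unexpected token, skip it
    # obj is truncated from the left, argv/arge from the right; both are marked with "..."
    rec["truncated"] = [k for k in ("obj", "argv", "arge") if k in rec and (rec[k].startswith("...") or rec[k].endswith("..."))]
    return rec
```

       Running the samples through parse_audit_syslog gives one dict per
       line; a line that is not an auditd message yields None.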


OBJECT ATTRIBUTES
       The p_flag attribute is used to further filter audit data being sent to
       the rsyslog daemon beyond the classes specified through the  flags  and
       naflags  (see  auditconfig(8))  and  through the user-specific lines of
       user_attr(5). The parameter is a comma-separated list; each item repre‐
       sents  an  audit  class (see audit_class(5)) and is specified using the
       syntax described in audit_flags(7). The default (empty p_flags  listed)
       is that no audit records are generated.


       The p_cache_ttl attribute is used to specify the time in seconds that a
       cached name-service value (uid,  gid,  hostname)  can  be  reused.  The
       default value is 1800 seconds, which is half the default cache ttl that
       nscd(8) uses.

EXAMPLES
       Example 1 One Use of the plugin Line



       In the specification shown below, the plugin (in conjunction with  set‐
       ting  flags  and  naflags)  is  used  to allow class records for lo but
       allows class records for am for failures only. Omission of the fm class
       records  results  in no fm class records being output. The pc parameter
       has no effect because you cannot add classes to those defined by  means
       of flags and naflags and by user_attr(5). You can only remove them.


         auditconfig -setflags lo,am,fm
         auditconfig -setnaflags lo
         auditconfig -setplugin audit_syslog active "p_flags=lo,-am,pc"


       Example 2 Use of all



       In the specification shown below, with one exception, all allows all
       flags defined by means of flags and naflags (and user_attr(5)). The
       exception is the am metaclass, which is equivalent to ss,as,ua and is
       modified to output all ua events but only failure events for ss and as.


         auditconfig -setflags lo,am
         auditconfig -setnaflags lo
         auditconfig -setplugin audit_syslog active "p_flags=all,^+ss,^+as"




       In this example, a successful audit event in the ss or as class may
       still be included in the syslog output if it also belongs to another
       class that remains selected.
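       Added example (not part of the man page): a small simulation of how
       p_flags narrows the preselected classes for the two examples above,
       including the multiple-class case just described. It assumes only the
       am expansion given on this page, treats flags and naflags as a single
       preselection, processes p_flags left to right, and models no other
       metaclasses.

```python
# The am metaclass expansion is taken from this man page (am = ss,as,ua).
# Other metaclasses are not modeled; "all" is handled below because it can only
# mean "every class already preselected through flags and naflags".
METACLASSES = {"am": {"ss", "as", "ua"}}
BOTH = frozenset({"success", "failure"})


def parse_flag(item):
    """Split one audit_flags(7) item into (remove, outcomes, class name).
    No prefix = both outcomes, "+" = success only, "-" = failure only;
    a leading "^" turns the selection off instead of on."""
    remove = item.startswith("^")
    body = item[1:] if remove else item
    if body[:1] == "+":
        return remove, frozenset({"success"}), body[1:]
    if body[:1] == "-":
        return remove, frozenset({"failure"}), body[1:]
    return remove, BOTH, body


def syslog_selection(flags, naflags, p_flags):
    """Return {class: set of outcomes} that the plugin will send to syslog.
    flags/naflags are the -setflags/-setnaflags lists (one preselection here);
    p_flags is applied left to right and can only narrow that set."""
    preselected = {}
    for item in flags + naflags:
        remove, outcomes, cls = parse_flag(item)
        for c in METACLASSES.get(cls, {cls}):
            cur = preselected.setdefault(c, set())
            if remove:
                cur.difference_update(outcomes)
            else:
                cur.update(outcomes)
    allowed = {c: set() for c in preselected}
    for item in p_flags:
        remove, outcomes, cls = parse_flag(item)
        classes = set(preselected) if cls == "all" else METACLASSES.get(cls, {cls})
        for c in classes & set(preselected):      # classes never preselected are ignored
            if remove:
                allowed[c] -= outcomes
            else:
                allowed[c] |= outcomes & preselected[c]
    return allowed


def event_selected(event_classes, outcome, allowed):
    """A record can belong to several classes; it is sent if any class allows its outcome."""
    return any(outcome in allowed.get(c, ()) for c in event_classes)
```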

ATTRIBUTES
       See attributes(7) for a description of the following attributes:


       ATTRIBUTE TYPE              ATTRIBUTE VALUE
       Availability                system/library
       Interface Stability         See below



       The message format and message content are Uncommitted. The  configura‐
       tion parameters are Committed.

SEE ALSO
       audit_class(5),  user_attr(5), attributes(7), audit_flags(7), auditcon‐
       fig(8), auditd(8), rsyslogd(8)

NOTES
       Activating the audit_syslog plugin requires that  /etc/rsyslog.conf  is
       configured  to  store  syslog  messages  of facility audit and severity
       notice or above in a file intended for Solaris audit records. An  exam‐
       ple of such a line in rsyslog.conf is:

         audit.notice                /var/audit/audit.log



       By  default  messages  from syslog are sent to remote syslog servers by
       means of UDP, which does not guarantee delivery or ensure  the  correct
       order  of arrival of messages. The rsyslogd daemon can be configured to
       use a TCP based transport (plain TCP syslog, RELP) instead of UDP.  For
       more  information,  see https://www.rsyslog.com/doc and the rsyslogd(8)
       man page.


       If the parameters specified for the plugin line result  in  no  classes
       being preselected, an error is reported by means of a syslog alert with
       the LOG_DAEMON facility code.


       The  audit_syslog  is  not  a  substitute   for   audit_binfile(7)   or
       audit_remote(7).  Only a limited set of tokens are included in the sys‐
       log message. Use the audit trail files (audit.log(5))  to  obtain  full
       audit records.


       The time field in the syslog header is generated by syslog(3C) and only
       approximates the time given in the binary audit log. Normally the  time
       field shows the same whole second or at most a few seconds difference.



Oracle Solaris 11.4               21 Jun 2021                  audit_syslog(7)
The copyright of the man page content belongs to the man page author.