Per File Auditing

Another cool improvement that engineering added to Solaris 11.4 is the ability to set auditing for single files.
chmod(1) received another ACE type called audit.
Use the chmod command as you are used to with ACLs, decide on the permissions you want to audit, use audit instead of e.g. allow, and voilà, per-file auditing (PFA) is set.
In the following example I created a file named pfa.file.
After I set the PFA via the chmod command you can see that auditing has been set for everyone's reads and writes, successful and failed.
As a regular user, in this case muehle, I don't have permission to write.
As root, the owner in this case, I can write to the file.
The corresponding entries in the audit trail follow that first example.

root@wacken:~# touch /var/tmp/pfa.file
root@wacken:~# ls -V /var/tmp/pfa.file
-rw-r--r--   1 root     root           0 Feb 27 12:49 /var/tmp/pfa.file
                 owner@:rw-p--aARWcCos:-------:allow
                 group@:r-----a-R-c--s:-------:allow
              everyone@:r-----a-R-c--s:-------:allow
root@wacken:~# chmod A+everyone@:write_data/read_data:successful_access/failed_access:audit /var/tmp/pfa.file
root@wacken:~# ls -V /var/tmp/pfa.file
-rw-r--r--   1 root     root           0 Feb 27 12:49 /var/tmp/pfa.file
              everyone@:rw------------:----SF-:audit
                 owner@:rw-p--aARWcCos:-------:allow
                 group@:r-----a-R-c--s:-------:allow
              everyone@:r-----a-R-c--s:-------:allow
root@wacken:~# su - muehle
Oracle Corporation      SunOS 5.11      st_015.server   February 2018
You have new mail.
L muehle@wacken % echo "TEST STRING" >> /var/tmp/pfa.file                                   /export/home/muehle 0
zsh: permission denied: /var/tmp/pfa.file
L muehle@wacken %                                                                           /export/home/muehle 1
root@wacken:~# echo "TEST STRING" >> /var/tmp/pfa.file

Audit output:

root@wacken:~# tail -0f /var/share/audit/20180227084517.not_terminated.wacken|praudit -s
header,97,2,AUE_su,,wacken,2018-02-27 12:55:22.317+01:00
subject,muehle,muehle,staff,muehle,staff,1666,1608065368,151 1 10.211.55.2
return,success,0
header,122,2,AUE_OPEN_WC,ace:fp:fe,wacken,2018-02-27 12:55:24.518+01:00
path,/var/tmp/pfa.file
subject,muehle,muehle,staff,muehle,staff,1667,1608065368,151 1 10.211.55.2
use of privilege,failed use of priv,ALL
return,failure: Permission denied,-1
header,97,2,AUE_su_logout,,wacken,2018-02-27 12:55:32.249+01:00
subject,muehle,muehle,staff,muehle,staff,1666,1608065368,151 1 10.211.55.2
return,success,0
header,153,2,AUE_CMD_PRIVS,,wacken,2018-02-27 12:55:32.250+01:00
path,/usr/bin/su
path,/
exec_args,3,su,-,muehle
use of privilege,successful use of priv,sys_res_config
subject,muehle,root,root,root,root,1666,1608065368,151 1 10.211.55.2
return,failure,1
header,147,2,AUE_OPEN_W,ace,wacken,2018-02-27 12:55:35.449+01:00
path,/var/tmp/pfa.file
attribute,100644,root,root,65544,111,18446744073709551615
subject,muehle,root,root,root,root,1303,1608065368,151 1 10.211.55.2
return,success,5
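
To turn a trail like the one above into something a detection rule can work with, here is an added example (my own code, not from the post or from Oracle) that groups praudit -s token lines into events and picks out the ones the ACE audit entry triggered on a given path. The sample records are constructed from the ones shown above; the header modifier beginning with ace is taken from those records as the marker of a per-file-audit hit, and the field positions of the header and subject tokens are as praudit -s prints them.

```python
from dataclasses import dataclass, field

# Constructed sample, modelled on the praudit -s records in the post above.
SAMPLE = """\
header,122,2,AUE_OPEN_WC,ace:fp:fe,wacken,2018-02-27 12:55:24.518+01:00
path,/var/tmp/pfa.file
subject,muehle,muehle,staff,muehle,staff,1667,1608065368,151 1 10.211.55.2
use of privilege,failed use of priv,ALL
return,failure: Permission denied,-1
header,147,2,AUE_OPEN_W,ace,wacken,2018-02-27 12:55:35.449+01:00
path,/var/tmp/pfa.file
attribute,100644,root,root,65544,111,18446744073709551615
subject,muehle,root,root,root,root,1303,1608065368,151 1 10.211.55.2
return,success,5
"""

@dataclass
class AuditEvent:
    event: str                # e.g. AUE_OPEN_WC
    modifier: str             # header modifier; "ace..." on per-file-audit hits
    timestamp: str
    paths: list = field(default_factory=list)
    audit_user: str = ""      # audit ID: the login user, which survives su
    effective_user: str = ""  # uid the action actually ran as
    status: str = ""          # "success" or "failure: <reason>"

def parse_praudit(text):
    """Group praudit -s token lines into one AuditEvent per header token."""
    events, cur = [], None
    for line in text.splitlines():
        tok = line.split(",")
        if tok[0] == "header":
            # header,bytes,version,event,modifier,host,timestamp
            cur = AuditEvent(event=tok[3], modifier=tok[4], timestamp=tok[6])
            events.append(cur)
        elif cur is None:
            continue                      # tokens before the first header
        elif tok[0] == "path":
            cur.paths.append(tok[1])
        elif tok[0] == "subject":
            # subject,audit-id,uid,gid,ruid,rgid,pid,sid,tid
            cur.audit_user, cur.effective_user = tok[1], tok[2]
        elif tok[0] == "return":
            cur.status = tok[1]           # other tokens (attribute, use of privilege) are skipped
    return events

def ace_hits(events, path):
    """Events on `path` that carry the ace modifier, i.e. the PFA entry fired."""
    return [e for e in events if e.modifier.startswith("ace") and path in e.paths]
```

Running ace_hits over the sample gives the denied open by muehle followed by the successful open by root, with the audit ID still showing muehle as the person behind the su session.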

Have fun experimenting with it and enhancing your auditing.

Cheers
