auditing in Trusted Extensionsreference This chapter describes the additions to auditing that Solaris Trusted Extensions provides.Trusted Extensions and Auditing Audit Management by Role in Trusted Extensions Trusted Extensions Audit Reference auditing in Trusted Extensionsdifferences from Solaris auditing differencesbetween Trusted Extensions and Solaris auditing Trusted Extensionsdifferences from Solaris auditing Solaris OSdifferences from Trusted Extensions auditing similaritiesbetween Trusted Extensions and Solaris auditing Trusted Extensionssimilarities with Solaris auditing Solaris OSsimilarities with Trusted Extensions auditing On a system that is configured with Trusted Extensions software, auditing is configured and is administered similarly to auditing on a Solaris system. However, the following are some differences.Trusted Extensions software adds audit classes, audit events, audit tokens, and audit policy options to the system. By default, auditing is enabled in Trusted Extensions software. Solaris per-zone auditing is not supported. In Trusted Extensions, all zones are audited identically. Trusted Extensions provides administrative tools to administer the users' audit characteristics and to edit audit files. Two roles, System Administrator and Security Administrator, are used to configure and administer auditing in Trusted Extensions.The security administrator plans what to audit and any site-specific, event-to-class mappings. As in the Solaris OS, the system administrator plans disk space requirements for the audit files, creates an audit administration server, and installs audit configuration files. auditing in Trusted Extensionsroles for administering administeringauditing in Trusted Extensions Auditing in Trusted Extensions requires the same planning as in the Solaris OS. For details about planning, see Chapter 29, Planning for Solaris Auditing, in System Administration Guide: Security Services.rolesadministering auditing In Trusted Extensions, auditing is the responsibility of two roles. The System Administrator role sets up the disks and the network of audit storage. The Security Administrator role decides what is to be audited, and specifies the information in the audit configuration files. As in the Solaris OS, you create the roles in software. The rights profiles for these two roles are provided. The initial setup team created the Security Administrator role during initial configuration. For details, see Create the Security Administrator Role in Trusted Extensions.A system only records the security-relevant events that the audit configuration files configure the system to record (that is, by preselection). Therefore, any subsequent audit review can only consider the events that have been recorded. As a result of misconfiguration, attempts to breach the security of the system can go undetected, or the administrator is unable to detect the user who is responsible for an attempted breach of security. Administrators must regularly analyze audit trails to check for breaches of security. auditing in Trusted Extensionstasks The procedures to configure and manage auditing in Trusted Extensions differ slightly from Solaris procedures:Audit configuration is performed in the global zone by one of two administrative roles. Then, the system administrator copies specific customized audit files from the global zone to every labeled zone. By following this procedure, user actions are audited identically in the global zone and in labeled zones.For details, see Audit Tasks of the Security Administrator and Audit Tasks of the System Administrator Trusted Extensions administrators use a trusted editor to edit audit configuration files. In Trusted CDE, Trusted Extensions administrators use CDE actions to invoke the trusted editor. For the list of actions, see Trusted CDE Actions. Trusted Extensions administrators use the Solaris Management Console to configure specific users. User-specific audit characteristics can be specified in this tool. Specifying user characteristics is only required when the user's audit characteristics differ from the audit characteristics of the systems on which the user works. For an introduction to the tool, see Solaris Management Console Tools. tasks and task mapsAudit Tasks of the Security Administrator configuringauditing auditing in Trusted Extensionssecurity administrator tasks Security Administrator roleaudit tasks The following tasks are security-relevant, and are therefore the responsibility of the security administrator. Follow the Solaris instructions, but use the Trusted Extensions administrative tools.Task For Solaris Instructions Trusted Extensions Instructions Configure audit files. Configuring Audit Files (Task Map) in System Administration Guide: Security Services Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. (Optional) Change default audit policy. How to Configure Audit Policy in System Administration Guide: Security Services Use the trusted editor. Disable and re-enable auditing. How to Disable the Auditing Service in System Administration Guide: Security Services Auditing is enabled by default. Manage auditing. Solaris Auditing (Task Map) in System Administration Guide: Security Services Use the trusted editor.Ignore per-zone audit tasks. Audit Tasks of the System Administrator tasks and task mapsAudit Tasks of the System Administrator auditing in Trusted Extensionssystem administrator tasks System Administrator roleaudit tasks The following tasks are the responsibility of the system administrator. Follow the Solaris instructions, but use the Trusted Extensions administrative tools.Task For Solaris Instructions Trusted Extensions Instructions Create audit partitions and an audit administration server, export audit partitions, and mount audit partitions.Create an audit_warn alias. Configuring and Enabling the Auditing Service (Tasks) in System Administration Guide: Security Services Perform all administration in the global zone.Use the trusted editor. Copy or loopback mount customized audit files to labeled zones. Configuring the Auditing Service in Zones (Tasks) in System Administration Guide: Security Services Copy the files to the first labeled zone, then copy the zone.Or, loopback mount or copy the files to every labeled zone after the zones are created. (Optional) Distribute audit configuration files. No instructions See How to Copy Files From Portable Media in Trusted Extensions Manage auditing. Solaris Auditing (Task Map) in System Administration Guide: Security Services Ignore per-zone audit tasks. System Administrator rolereviewing audit recordsAudit Review profilereviewing audit recordsselectingaudit records by labelaccessingaudit records by labelSelect audit records by label. How to Select Audit Events From the Audit Trail in System Administration Guide: Security Services To select records by label, use the auditreduce command with the l option. Trusted Extensions software adds audit classes, audit events, audit tokens, and audit policy options to the Solaris OS. Several auditing commands are extended to handle labels. Trusted Extensions audit records include a label, as shown in the following figure.

Illustration shows four tokens in order - header, subject, label, and return - that comprise a typical audit record.

auditing in Trusted ExtensionsX audit classes X audit classes audit classes for Trusted Extensionslist of new X audit classes The audit classes that Trusted Extensions software adds to the Solaris OS are listed alphabetically in the following table. The classes are listed in the /etc/security/audit_class file. For more information about audit classes, see the audit_class4 man page.Short Name Long Name Audit Mask xc X - Object create/destroy xc audit class0x00800000 xp X - Privileged/administrative operations xp audit class0x00400000 xs X - Operations that always silently fail, if bad xs audit class0x02000000 xx X - All X events in the xl, xc, xp, and xs classes (meta-class) xx audit class0x03e00000 The X server audit events are mapped to these classes according to the following criteria:xc – This class audits server objects for creation or for destruction. For example, this class audits CreateWindow. xp – This class audits for use of privilege. Privilege use can be successful or unsuccessful. For example, ChangeWindowAttributes is audited when a client attempts to change the attributes of another client's window. This class also includes administrative routines such as SetAccessControl. xs – This class audits routines that do not return X error messages to clients on failure when security attributes cause the failure. For example, GetImage does not return a BadWindow error if it cannot read from a window for lack of privilege.These events should be selected for audit on success only. When xs events are selected for failure, the audit trail fills with irrelevant records. xx – This class includes all of the X audit classes. auditing in Trusted Extensionsadditional audit events audit events for Trusted Extensionslist of Trusted Extensions software adds audit events to the system. The new audit events and the audit classes to which the events belong are listed in the /etc/security/audit_event file. The audit event numbers for Trusted Extensions are between 9000 and 10000. For more information about audit events, see the audit_event4 man page. auditing in Trusted Extensionsadditional audit tokens audit tokens for Trusted Extensionslist of The audit tokens that Trusted Extensions software adds to the Solaris OS are listed alphabetically in the following table. The tokens are also listed in the audit.log4 man page.Token Name Description label Token Sensitivity label xatom Token X window atom identification xclient Token X client identification xcolormap Token X window color information xcursor Token X window cursor information xfont Token X window font information xgc Token X window graphical context information xpixmap Token Xwindow pixel mapping information xproperty Token X window property information xselect Token X window data information xwindow Token X window window information label audit token audit tokens for Trusted Extensionslabel token The label token contains a sensitivity label. This token contains the following fields:A token ID A sensitivity label The following figure shows the token format.

The context describes the graphic.

A label token is displayed by the praudit command as follows:sensitivity label,ADMIN_LOW xatom audit token audit tokens for Trusted Extensionsxatom token The xatom token contains information concerning an X atom. This token contains the following fields:A token ID The string length A text string that identifies the atom An xatom token is displayed by praudit as follows:X atom,_DT_SAVE_MODE xclient audit token audit tokens for Trusted Extensionsxclient token The xclient token contains information concerning the X client. This token contains the following fields:A token ID The client ID An xclient token is displayed by praudit as follows:X client,15 xcolormap audit token audit tokens for Trusted Extensionsxcolormap token The xcolormap token contains information about the colormaps. This token contains the following fields:A token ID The X server identifier The creator's user ID The following figure shows the token format.

The context describes the graphic.

An xcolormap token is displayed by praudit as follows:X color map,0x08c00005,srv xcursor audit token audit tokens for Trusted Extensionsxcursor token The xcursor token contains information about the cursors. This token contains the following fields:A token ID The X server identifier The creator's user ID Figure 24–3 shows the token format.An xcursor token is displayed by praudit as follows:X cursor,0x0f400006,srv xfont audit token audit tokens for Trusted Extensionsxfont token The xfont token contains information about the fonts. This token contains the following fields:A token ID The X server identifier The creator's user ID Figure 24–3 shows the token format.An xfont token is displayed by praudit as follows:X font,0x08c00001,srv xgc audit token audit tokens for Trusted Extensionsxgc token The xgc token contains information about the xgc. This token contains the following fields:A token ID The X server identifier The creator's user ID Figure 24–3 shows the token format.An xgc token is displayed by praudit as follows:Xgraphic context,0x002f2ca0,srv xpixmap audit token audit tokens for Trusted Extensionsxpixmap token The xpixmap token contains information about the pixel mappings. This token contains the following fields:A token ID The X server identifier The creator's user ID Figure 24–3 shows the token format.An xpixmap token is displayed by praudit as follows:X pixmap,0x08c00005,srv xproperty audit token audit tokens for Trusted Extensionsxproperty token The xproperty token contains information about various properties of a window. This token contains the following fields:A token ID The X server identifier The creator's user ID A string length A text string that identifies the atom The following figure shows an xproperty token format.

The context describes the graphic.

An xproperty token is displayed by praudit as follows:X property,0x000075d5,root,_MOTIF_DEFAULT_BINDINGS xselect audit token audit tokens for Trusted Extensionsxselect token The xselect token contains the data that is moved between windows. This data is a byte stream with no assumed internal structure and a property string. This token contains the following fields:A token ID The length of the property string The property string The length of the property type The property type string A length field that gives the number of bytes of data A byte string that contains the data The following figure shows the token format.

The context describes the graphic.

An xselect token is displayed by praudit as follows:X selection,entryfield,halogen xwindow audit token audit tokens for Trusted Extensionsxwindow token The xwindow token contains information about a window. This token contains the following fields:A token ID The X server identifier The creator's user ID Figure 24–3 shows the token format.An xwindow token is displayed by praudit as follows:X window,0x07400001,srv auditing in Trusted Extensionsadditional audit policies security policyauditing audit records in Trusted Extensionspolicy audit policy in Trusted Extensions Trusted Extensions adds two audit policy options to existing Solaris auditing policy options. List the policies to see the additions:$ auditconfig -lspolicy ... windata_down Include downgraded window information in audit records windata_up Include upgraded window information in audit records auditing in Trusted Extensionsadditions to existing auditing commands The auditconfig, auditreduce, and bsmrecord commands are extended to handle Trusted Extensions information:The auditconfig command includes the Trusted Extensions audit policies. For details, see the auditconfig1M man page. The auditreduce command adds the l option for filtering records according to the label. For details, see the auditreduce1M man page. The bsmrecord command includes the Trusted Extensions audit events. For details, see the bsmrecord1M man page.