Randy,

> I'm wondering what Solaris auditing enhancements (if any) might come to
> improve granularity.

I believe I did touch on the various points in this email yesterday. There are a couple that I'd like to further comment on.

> At least a few times a year, customers will approach me asking about how they
> can better manage their Solaris BSM audit data. Specifically, they want to
> reduce the volume of audit data down to the "meaningful" events.

All the audit events (audit_event(4)) can be mapped or remapped into audit classes (audit_class(4)) at the discretion of the local audit administrator. What Solaris ships is a guess on our part at a reasonable mapping. If local sites modify these files to suit their needs, those modifications are preserved across upgrade.

> The current Solaris auditing system (as I know it) supports "global" and
> "per-user" audit policies, but there doesn't appear to be any way to affect
> a file

Correct, as I noted in my last mail. Except for the ``public'' policy configuration option. However, it applies to all files.

> or process-specific audit policy,

I'm not sure what is meant here. A process will audit based on the global and per-user attributes of the process's starting audit ID. A process's audit characteristics may be modified during its lifetime by the auditconfig -setpmask/-setsmask/-setumask commands. Please follow up on what is meant here.

> at least not without a (third-party) user-space tool.

See auditconfig(1M) as shipped with Solaris.

> My primary "requirement": to affect different audit policies on files while
> minimizing complexity and performance degradation.

Perhaps remapping events and ensuring the public policy is set will help here.

> A less important "requirement": to affect different audit policies for
> various security "zones" (Solaris 10, etc.).

Each zone may have its own audit configuration when the perzone audit policy is set by auditconfig. This can be configured in the global zone's audit_startup(1M).

> Possibly file system auditing attributes (similar to SACLs in NTFS)?

As I said in my last mail, it's under consideration.

> Any feedback would be appreciated. Thanks!

Hope this was helpful, and that you'll follow up on what you meant by ``process-specific audit policy''.

Cheers,
Gary.
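The event-to-class remapping Gary points to is the main lever for cutting BSM volume, and it is easier to reason about once the preselection arithmetic is written down. The following is an added example, not code from the thread or from Solaris: it parses text in the audit_class(4) and audit_event(4) formats, turns an audit_control(4)-style `flags:` value (the same syntax `auditconfig -setumask`/`-setpmask` take) into the success and failure masks the kernel uses, and shows how moving a couple of open(2) events out of the broad `fr` class into a site-defined class reduces what gets recorded. The file contents are constructed from the documented formats, the event numbers are illustrative, and the `sf` class on an unused mask bit is an assumption standing in for whatever a site would define.

```python
# Added example: model Solaris BSM event->class mapping and preselection.
# Not code from the thread or from Solaris; on a real system the files are
# /etc/security/audit_class, audit_event and audit_control, and the kernel
# does the masking. Sample contents are constructed; the 'sf' class is an
# assumed site-defined class on an otherwise unused bit.

# audit_class(4): mask:name:description
AUDIT_CLASS = """\
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000080:pc:process
0x00001000:lo:login or logout
0x00010000:sf:site-defined: sensitive file access (assumed)
0x40000000:ex:exec
0xffffffff:all:all classes
"""

# audit_event(4): number:name:description:class[,class...]  (constructed)
AUDIT_EVENT = """\
6:AUE_OPEN_R:open(2) - read:fr
7:AUE_CREAT:creat(2):fc,fw
10:AUE_UNLINK:unlink(2):fd
22:AUE_READLINK:readlink(2):fr
23:AUE_EXECVE:execve(2):pc,ex
72:AUE_OPEN_RW:open(2) - read,write:fr,fw
6152:AUE_login:login - local:lo
"""


def _records(text):
    """Yield non-blank, non-comment lines of a colon-separated config file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_audit_class(text):
    """Return {class_name: mask} from audit_class(4) text."""
    classes = {}
    for rec in _records(text):
        mask, name, _desc = rec.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def class_mask(flags, classes):
    """OR together the masks of a comma-separated class list."""
    mask = 0
    for c in flags.split(","):
        c = c.strip()
        if c:
            mask |= classes[c]  # KeyError for an undefined class name
    return mask


def parse_audit_event(text, classes):
    """Return {event_name: (number, class_mask)} from audit_event(4) text."""
    events = {}
    for rec in _records(text):
        num, name, _desc, flags = rec.split(":", 3)
        events[name] = (int(num), class_mask(flags, classes))
    return events


def parse_flags(spec, classes):
    """Turn a 'flags:' value into (success_mask, failure_mask).
    '+cls' selects successful events only, '-cls' failed only, 'cls' both;
    a leading '^' removes the selection instead of adding it."""
    success = failure = 0
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        turn_off = tok.startswith("^")
        if turn_off:
            tok = tok[1:]
        want_s = want_f = True
        if tok.startswith("+"):
            want_f, tok = False, tok[1:]
        elif tok.startswith("-"):
            want_s, tok = False, tok[1:]
        bit = classes[tok]
        if turn_off:
            success &= (~bit if want_s else ~0)
            failure &= (~bit if want_f else ~0)
        else:
            success |= (bit if want_s else 0)
            failure |= (bit if want_f else 0)
    return success, failure


def is_audited(event_name, succeeded, events, masks):
    """Would a record be generated for this event outcome under these masks?"""
    _num, emask = events[event_name]
    success, failure = masks
    return bool(emask & (success if succeeded else failure))


def remap_event(events, name, new_flags, classes):
    """Reassign an event to other class(es), as an admin does by editing its
    audit_event(4) line. Returns the new class mask."""
    num, _old = events[name]
    events[name] = (num, class_mask(new_flags, classes))
    return events[name][1]


def volume_demo():
    """Records generated over every (event, outcome) pair, before and after
    moving the open(2) events a site cares about into the narrow 'sf' class."""
    classes = parse_audit_class(AUDIT_CLASS)
    events = parse_audit_event(AUDIT_EVENT, classes)
    outcomes = [(e, ok) for e in events for ok in (True, False)]
    # Shipped mapping: seeing sensitive reads means auditing all of 'fr'.
    before = sum(is_audited(e, ok, events, parse_flags("lo,fr,-fw", classes))
                 for e, ok in outcomes)
    # Site mapping: only the wanted events live in 'sf'; readlink(2) stays in 'fr'.
    remap_event(events, "AUE_OPEN_R", "sf", classes)
    remap_event(events, "AUE_OPEN_RW", "sf,fw", classes)
    after = sum(is_audited(e, ok, events, parse_flags("lo,sf,-fw", classes))
                for e, ok in outcomes)
    return before, after


if __name__ == "__main__":
    print("records before/after remap:", volume_demo())
```

The mask logic is the whole story: an event is recorded when its class mask intersects the success or failure mask for that outcome, so the only ways to narrow selection are to pick fewer classes or, as Gary suggests, to re-home the specific events you want into a class of their own and select that. On a real system the edited audit_event file is loaded into the kernel with `auditconfig -conf`, and a changed `flags:` line takes effect for new sessions after `audit -s`; running processes keep their existing masks unless changed with `auditconfig -setpmask`.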