There are a few differences, but they should not matter with BSM. One is a U40 AMD, the other is a U80 SPARC. Both systems have a different (working) label_encodings file. One system (working) tracks arge in addition. One system has a secondary audit dir on zfs, but it is not currently being used.
/etc/security/audit_startup
/usr/sbin/auditconfig -setpolicy +cnt,zonename,arge,argv,seq
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -acon

/etc/security/audit_control
dir:/var/audit
flags:lo,na,ad,ap
minfree:20
naflags:lo
plugin: name=audit_syslog.so;p_flags=lo,+ad

/etc/security/audit_user
root:lo:no
me:lo,ad,fd,fc,ex:no

You asked for auditconfig -lspolicy, but I assume you meant auditconfig -getpolicy. Included both just in case.

Working System U40

[ifconfig -a]
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone SLALPHA
        inet 127.0.0.1 netmask ff000000
lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone PUBLIC
        inet 127.0.0.1 netmask ff000000
lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone SL
        inet 127.0.0.1 netmask ff000000
lo0:4: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone SLBRAVO
        inet 127.0.0.1 netmask ff000000
lo0:5: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone SLCHARLEY
        inet 127.0.0.1 netmask ff000000
nge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 192.168.15.99 netmask ffffff00 broadcast 192.168.15.255
        ether 0:14:4f:3b:8d:60
nge0:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.15.98 netmask ffffff00 broadcast 192.168.15.255

[Loaded Policies]
auditconfig -getpolicy
audit policies = arge,argv,cnt,seq,zonename

[List Available Policies]
auditconfig -lspolicy
policy string   description:
ahlt            halt machine if it can not record an async event
all             all policies
arge            include exec environment args in audit recs
argv            include exec command line args in audit recs
cnt             when no more space, drop recs and keep a cnt
group           include supplementary groups in audit recs
none            no policies
path            allow multiple paths per event
perzone         use a separate queue and auditd per zone
public          audit public files
seq             include a sequence number in audit recs
trail           include trailer token in audit recs
windata_down    include downgraded window information in audit recs
windata_up      include upgraded window information in audit recs
zonename        generate zonename token

Broken System: U80

[ifconfig -a]
ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone tsolmro1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 172.26.20.14 netmask ffff0000 broadcast 172.26.255.255
        ether 8:0:20:f7:c6:59
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone tsolmro1
        inet 172.26.20.160 netmask ffff0000 broadcast 172.26.255.255

[List Loaded Policies]
auditconfig -getpolicy
audit policies = argv,cnt,seq,zonename

[List Available Policies]
auditconfig -lspolicy
policy string   description:
ahlt            halt machine if it can not record an async event
all             all policies
arge            include exec environment args in audit recs
argv            include exec command line args in audit recs
cnt             when no more space, drop recs and keep a cnt
group           include supplementary groups in audit recs
none            no policies
path            allow multiple paths per event
perzone         use a separate queue and auditd per zone
public          audit public files
seq             include a sequence number in audit recs
trail           include trailer token in audit recs
windata_down    include downgraded window information in audit recs
windata_up      include upgraded window information in audit recs
zonename        generate zonename token

On May 18, 2007, at 4:19 AM, Darren J Moffat wrote:

> Robert Bailey wrote:
>> I was wondering if anyone has run into this. I have two TX
>> systems, each with the same BSM configuration, that has zonename
>> enabled.
>> On one TX system I have my local zones configured to run without
>> IP addresses. In the global, there is one IP for all-zones, one
>> without the all-zones tag. This system can report via BSM, on all
>> transactions within a local zone.
>> The second system has the same BSM configuration, but for the
>> local zone configuration there is an IP on the local zone, the
>> global has one with an all-zones. This system does not report any
>> audit trail for the local zone except for one entry for zoneadmd.
>
> Can you send the output of `auditconfig -lspolicy` for both machines.
> Also ifconfig -a from the global zone for both machines.
>
> If I understand correctly you have: `auditconfig -setpolicy
> +zonename` for both but have only a global zone audit log configured?
>
> --
> Darren J Moffat
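An added example, not part of the original thread: a small Python script that parses the kind of `auditconfig -getpolicy` and `ifconfig -a` output posted above and reports which local zones hold a dedicated IP address and which audit policies are loaded on only one of the two systems. The sample inputs are constructed from the values quoted in the mail; the function names are the example's own.

```python
import re
# Constructed samples, trimmed from the two systems' outputs quoted above.
WORKING_POLICY = "audit policies = arge,argv,cnt,seq,zonename"
BROKEN_POLICY = "audit policies = argv,cnt,seq,zonename"
WORKING_IFCONFIG = """\
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone SLALPHA
        inet 127.0.0.1 netmask ff000000
nge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 192.168.15.99 netmask ffffff00 broadcast 192.168.15.255
"""
BROKEN_IFCONFIG = """\
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 172.26.20.14 netmask ffff0000 broadcast 172.26.255.255
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone tsolmro1
        inet 172.26.20.160 netmask ffff0000 broadcast 172.26.255.255
"""

def parse_policy(text):
    """Set of loaded policies from an 'audit policies = a,b,c' line."""
    m = re.search(r"audit policies\s*=\s*(\S+)", text)
    return set(m.group(1).split(",")) if m else set()

def parse_ifconfig(text):
    """Interfaces as dicts: name, zone ('global', 'all-zones' or a zone name), inet."""
    ifaces = []
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:  # new logical interface; its indented detail lines follow
            ifaces.append({"name": head.group(1), "zone": "global", "inet": None})
        elif ifaces and line.strip() == "all-zones":
            ifaces[-1]["zone"] = "all-zones"
        elif ifaces and (m := re.match(r"\s*(zone|inet) (\S+)", line)):
            ifaces[-1][m.group(1)] = m.group(2)
    return ifaces

def zones_with_own_ip(text):
    """Local zones holding a dedicated (non-loopback, non-shared) address."""
    out = {}
    for i in parse_ifconfig(text):
        if i["zone"] not in ("global", "all-zones") and not i["name"].startswith("lo"):
            out.setdefault(i["zone"], []).append(i["inet"])
    return out

def policy_diff(a_text, b_text):  # policies loaded on only one of the two systems
    a, b = parse_policy(a_text), parse_policy(b_text)
    return {"only_a": sorted(a - b), "only_b": sorted(b - a)}
```

On the quoted outputs it reports arge as loaded only on the U40 and tsolmro1 as the only local zone with its own address, which are exactly the two differences the mail describes.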