User audit criteria can be set with either the auditset, useradd, or usermod commands. Each method has a different effect on the user's audit criteria.
The auditset command sets the user audit criteria dynamically; the changes take effect immediately during the user's current login session. However, the settings remain in effect only while the user owns at least one active process on the system; once the user is not logged in and has no cron jobs running, they lapse. If the user logs out of all current sessions, has no cron jobs running, and then logs in again, the audit criteria set with auditset are no longer in effect. The mask is instead taken from the /etc/security/ia/audit and /etc/security/ia/master files, which are managed by the useradd and usermod commands. To set user audit criteria via the auditset command, the specified user or users must be currently logged in.
The useradd or usermod commands set the user audit criteria statically; the changes take effect the next time the user logs in. However, if the user already owns processes on the system, either because they are currently logged in from somewhere else or because cron is running a job for them, then the audit criteria of the already active processes apply to the new processes as well. The new user audit criteria are in effect for every subsequent login session until the usermod command is invoked again.
In general, you will use useradd or usermod if there is a set of events that you always want to audit for a given user. You can then use auditset to add events to the user audit criteria to meet special needs. For example, if you suspect that a malicious user has guessed the password for the user wts and has logged in as that user, you could use the auditset command to start auditing all events for the user wts immediately. You could then monitor that user's activities and determine whether there had indeed been a breach of security.
The user audit criteria are unaffected by changes in effective user ID, such as when a user changes their effective user ID by using the su(1M) command.
The -e, -a and -u options of the auditset command are used to set user audit criteria. The -e option, like the -s option, requires an event list as its option argument. The keywords all and none and the operators described in ``Operators used in setting auditable events'' are also valid with the -e option. Either the -u or the -a option must be used with the -e option. The -a option sets audit criteria for all active users on the system, while the -u option sets audit criteria for the specified active user or users.
The argument to -u is either a single user name or a list of user names, each separated by a comma but not a space. (You can use either numeric user IDs or user names.)
For example, to audit all file creations by the user aeb, use the following command:
auditset -u aeb -e file_make
The preceding command replaces the audit criteria for this user with the events in the file_make event class.
To add the set_uid event to the audit criteria for users aeb and xyz, use the following command:
auditset -u aeb,xyz -e +set_uid
As mentioned, auditset -e, -u and -a set user audit criteria dynamically and thus affect only the processes that the user currently owns, including all current login sessions for that user and any cron jobs for that user that may be executing at that time. Any new processes created while such processes exist will also have the same criteria. To set audit criteria for all future login sessions for a user, you need to use the -a option of the useradd or usermod commands.
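The static/dynamic distinction above is easy to get wrong in practice: usermod alone leaves a logged-in user unaudited until their next login, and auditset alone is lost once the user's last process exits. The following script is an added example and is not part of the original manual; it applies the mask both ways, calling auditset only when the user currently owns processes (which auditset requires). The ps -u check, the valid_list helper and the AUDIT_DRY_RUN variable are conventions of this script, not options of the audit commands. An event list with a leading operator, such as +set_uid, is passed through unchanged to usermod -a and auditset -e.

```sh
#!/bin/sh
# Added example, not part of the original manual: apply an audit mask to a
# user both statically (usermod -a, stored for future logins) and, when the
# user currently owns processes, dynamically (auditset -u -e, effective now).
# AUDIT_DRY_RUN=1 prints each privileged command instead of executing it
# (a convention of this script, not an option of the audit commands).

# Both -u and -e take comma-separated lists with no spaces; reject anything
# else before it reaches the commands.
valid_list() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# The user is active when at least one process is owned by them: a login
# session or a cron job. auditset can only change the mask of such processes.
user_is_active() {
    [ -n "$(ps -u "$1" -o pid= 2>/dev/null)" ]
}

run() {
    if [ "${AUDIT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_user_audit USER EVENTS
# EVENTS is an event or event-class list, optionally with a leading operator
# such as +set_uid (add), as accepted by usermod -a and auditset -e.
apply_user_audit() {
    user=$1
    events=$2
    if ! valid_list "$user" || ! valid_list "$events"; then
        echo "apply_user_audit: user and event list must be non-empty, comma-separated, no spaces" >&2
        return 2
    fi
    # Static mask: recorded by usermod, applied at every future login.
    run usermod -a "$events" "$user" || return 1
    # Dynamic mask: applied to the processes the user owns right now and to
    # any children they create; not possible if there are none.
    if user_is_active "$user"; then
        run auditset -u "$user" -e "$events" || return 1
    else
        echo "apply_user_audit: $user owns no processes; mask takes effect at next login" >&2
    fi
    return 0
}

# Usage, for example to start auditing every set-UID event of user aeb now
# and at every future login:
#   apply_user_audit aeb +set_uid
```

Run it as root; with AUDIT_DRY_RUN=1 set in the environment it only prints the commands it would run, which is a convenient way to review a batch of changes before applying them.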
The useradd command is used to add a new user to the system. It adds a new user entry to the /etc/passwd file and can also create a default user event mask for a new user if you specify the -a option. The argument to this option is either a single event or a list of events, each separated by a comma but not a space. Event classes may also be used as input to the -a option. You cannot use operators in front of the event(s) with the -a option of useradd.
For example, to add dhh as a new user with all directory creation events audited, use the following command:
useradd . . . -a dir_make dhh
The ellipsis (. . .) indicates that you would normally specify other options which are not related to auditing. For more information, see useradd(1M).
The usermod command can be used to change users' login information after they have been added to the system. To modify the default user event mask or to add one for an existing user, use the -a option of usermod. The argument to this option is either a single event or a list of events, each separated by a comma but not a space. Event classes may also be used as input to the -a option.
For example, earlier the user dhh was added to the system with a user event mask that audited all directory creations (specified by the dir_make event class). If you want to change the user event mask to audit all file creations instead of all directory creations, enter the following command:
usermod -a file_make dhh
You can use operators described in ``Operators used in setting auditable events'', with the -a option of usermod. For example, assume that after you used useradd to add the user dhh with a user event mask that audited all directory creations (specified by the dir_make event class) you wanted to change the user event mask to include all file creations as well as directory creations.
To change the user event mask for the user dhh, use the following command:
usermod -a +file_make dhh
Because the + operator is used, this command adds the events defined by the file_make event class to the existing audit criteria for the user dhh.
The following sequence will allow you to set a default audit mask for all users:
defadm useradd AUDIT_MASK=event list
rm /etc/security/ia/audit
auditcnv
creatiadb
You can repeat this sequence whenever you decide to change the event list. It should be performed while the system is in single-user mode.
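Because the sequence deletes and rebuilds /etc/security/ia/audit, it is worth wrapping it in a script that refuses to run outside single-user mode and keeps a copy of the file first. The script below is an added example and is not part of the original manual. It checks the run level with who -r (which reports run-level S in single-user mode) and, as a convention of this script only, prints the commands instead of executing them when AUDIT_DRY_RUN=1 is set; the AUDIT_DB variable and the backup file name are likewise this script's own choices.

```sh
#!/bin/sh
# Added example, not part of the original manual: run the four-step sequence
# that sets a default audit mask for all users, refusing to proceed unless the
# system is in single-user mode and keeping a backup of the file that is
# removed. AUDIT_DRY_RUN=1 prints the commands instead of executing them
# (a convention of this script, not an option of the audit commands).

AUDIT_DB=/etc/security/ia/audit

run() {
    if [ "${AUDIT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when 'who -r' reports run level S (single-user mode).
single_user_mode() {
    case " $(who -r 2>/dev/null) " in
        *" run-level S "*|*" run-level s "*) return 0 ;;
    esac
    return 1
}

# set_default_audit_mask EVENTS
# EVENTS is the comma-separated event list for AUDIT_MASK (no spaces).
set_default_audit_mask() {
    events=$1
    case "$events" in
        ''|*[[:space:]]*)
            echo "set_default_audit_mask: event list must be non-empty, comma-separated, no spaces" >&2
            return 2 ;;
    esac
    if ! single_user_mode; then
        echo "set_default_audit_mask: refusing, system is not in single-user mode" >&2
        return 1
    fi
    # The per-user audit database is deleted and rebuilt; keep a copy first.
    if [ -f "$AUDIT_DB" ]; then
        run cp -p "$AUDIT_DB" "$AUDIT_DB.bak.$$" || return 1
    fi
    run defadm useradd "AUDIT_MASK=$events" &&
        run rm "$AUDIT_DB" &&
        run auditcnv &&
        run creatiadb
}

# Usage, for example to audit all file and directory creations by default:
#   set_default_audit_mask file_make,dir_make
```

The run-level check is deliberately strict: the manual's instruction to perform the rebuild in single-user mode exists because the sequence removes and regenerates the per-user audit database, and doing that while users are logged in leaves a window in which their masks are not yet rebuilt.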