Configuring auditing

Auditing NIS users

When a user logs in who is authenticated locally and not through NIS, the auditing subsystem retrieves their audit event mask from a secure database on the local machine and registers it with the kernel. The audit event mask determines the events for which the user will be audited.

When an NIS user logs in, the auditing subsystem instead attempts to retrieve the user's audit event mask from the NIS map, auditmask.byname, which is held on an NIS master or slave server.

You cannot use the auditcnv(1M) command to create the audit event mask file for an NIS user on an audited NIS client. Follow the procedure given in this section to create a map for the audit event mask on the NIS master server and then propagate this to the other NIS slave servers.

WARNING: If you do not create a map for audit event masks, NIS users will be allowed to log in. They will not be audited, however, because the Authentication and Identification (I&A) database will be unable to register an audit event mask for them. The auditrpt(1M) command will also fail if it cannot find an audit event mask for an NIS user who is logged into the system.

To set up the NIS map for audit event masks, perform the following steps as root on the master server:

You must first prepare the input file for the NIS map. The variable DIR in /var/yp/Makefile defines the source directory for input files. For example, if DIR is defined as /var/yp, the pathname of the input file for the event mask map should be /var/yp/auditmask.byname.
Each user to be audited must have an entry in the input file with the following format:

username<Tab>audit_event[,audit_event]...
You can specify individual audit events or audit event classes (defined in /etc/security/audit/classes) to reference groups of events. See ``Auditable events'' for more information.
The following is an example entry for an NIS user:
```
brian	id_auth,file_make
```
This would allow the ad_auth, bad_lvl, create, cron, def_lvl, link, login, mk_node, passwd, sym_create, and unlink events to be audited for the NIS user brian.

Having created the input file for the audit event mask map, modify /var/yp/Makefile as follows:

a.

Add auditmask.byname to the ``all'' rule in the Makefile, as shown in this example:

all:    ypservers passwd group hosts ethers networks \
        rpc services protocols netgroup aliases \
        publickey netid netmasks TIMEZONE bootparams \
        auditmask.byname

b.

Add an entry for the database to the middle of the Makefile, as shown in this example:

auditmask.byname.time:  $(DIR)/auditmask.byname
        @if [ -f $(DIR)/auditmask.byname ]; then \
                sed -e "/^#/d" -e s/#.*$$// $(DIR)/auditmask.byname \
                | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/auditmask.byname;
                touch auditmask.byname.time; \
                $(ECHO)40 "updated auditmask.byname\n"; \
                if [ ! $(NOPUSH) ]; then \
                        $(YPPUSH) auditmask.byname; \
                        $(ECHO)41 "pushed auditmask.byname\n"; \
                fi \
        else \
                $(ECHO)42 "could not find $(DIR)/auditmask.byname\n"; \
        fi

The sed script eliminates comment and empty lines and feeds the output to makedbm.

c.

Add a dependency line for auditmask.byname to the end of the Makefile, as shown in this example:

auditmask.byname: 	auditmask.byname.time

Having created an entry for the auditmask.byname map in the Makefile, make the map and push it out to other NIS servers using ypbuild(1Mnis):

cd /var/yp ; ./ypbuild SHELL=/sbin/sh auditmask.byname

Once the auditmask.byname map has been built and pushed, it should now be available for use with audited NIS users.

If you subsequently need to change the audit event mask for an NIS user, edit the auditmask.byname input file on the master server, and then use ypbuild to rebuild and propagate the map.