
SUMMARY

Aug 18, 2015

Installing the Snare Enterprise Agent for Solaris enables the Solaris auditing subsystem. The install may also enable audit plugins that then need configuring to suit your organization; the sections below cover the plugin setup for Solaris 10 and Solaris 11 and the two local log files that can otherwise fill the disk.

Solaris 10

With Solaris 10, the audit_control file installed by the agent selects the Snare plugin by default:

#
#ident  @(#)audit_control.txt  1.4     2005/11/24 LJP
#
# audit_control file for snare
#
dir:/var/audit
flags:ia
minfree:20
naflags:ia
plugin:name=/usr/lib/security/audit_snare.so

If a local copy of the audit records is also required, there are two options: the Snare agent can write to a local file in Syslog or Snare format (see the snare.log section below), or the standard Solaris binary audit trail can be kept by adding the audit_binfile plugin as well:

#
#ident  @(#)audit_control.txt  1.4     2005/11/24 LJP
#
# audit_control file for snare
#
dir:/var/audit
flags:ia
minfree:20
naflags:ia
plugin:name=/usr/lib/security/audit_snare.so
plugin:name=audit_binfile.so;\
p_minfree=20;\
p_dir=/var/audit/

This configuration writes the standard Solaris binary audit trail into /var/audit alongside the Snare feed. Note that minfree and p_minfree are percentages of free space, not megabytes: when free space on the audit filesystem drops below 20%, auditd calls audit_warn with the soft-limit warning. Neither setting caps the size of the trail, so the directory still needs monitoring and old trail files still need pruning.
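
As an added example (not part of this page or of the Snare agent), the following POSIX shell script checks a Solaris 10 audit_control file before it is loaded: it joins the backslash-continued plugin lines, rejects leading whitespace in front of a keyword, checks that minfree is an integer percentage, and verifies that an audit_binfile.so entry uses only the attributes p_dir, p_minfree and p_fsize, so a misspelling such as pdir is caught before the file is reloaded with audit -s. The keyword and attribute names are taken from audit_control(4) and audit_binfile(5); the attributes of audit_snare.so are not checked because this page documents none. The two sample files it can write are constructed for the demonstration, not copied from a real host.

```shell
#!/bin/sh
# Added example, not part of the Snare documentation or agent: a pre-flight
# check for a Solaris 10 audit_control file, run before "audit -s" reloads it.
# Assumed from audit_control(4) and audit_binfile(5): the keywords dir, flags,
# naflags, minfree and plugin; minfree as a percentage; and p_dir, p_minfree,
# p_fsize as the only attributes of audit_binfile.so. audit_snare.so attributes
# are not checked because the page does not document any.
#
# Usage: sh check_audit_control.sh /etc/security/audit_control

# One logical entry per line: comments and blank lines dropped, and
# backslash-continued plugin lines joined back together.
audit_control_entries() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        { buf = buf $0 }
        /\\$/      { sub(/\\$/, "", buf); next }
        { print buf; buf = "" }
    ' "$1"
}

# Strip leading blanks (continuation lines are often indented).
ltrim() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//'
}

# Report each problem in FILE on its own line; the exit status is the number
# of problems found, so 0 means the file passed every check.
check_audit_control() {
    file=$1
    errors=0
    while IFS= read -r entry; do
        case $entry in
            [[:space:]]*)
                echo "leading whitespace breaks keyword parsing: '$entry'"
                errors=$((errors + 1))
                continue ;;
        esac
        key=${entry%%:*}
        value=${entry#*:}
        case $key in
            dir|flags|naflags) ;;
            minfree)
                case $value in
                    ''|*[!0-9]*)
                        echo "minfree must be an integer percentage, got '$value'"
                        errors=$((errors + 1)) ;;
                    *)
                        if [ "$value" -gt 100 ]; then
                            echo "minfree is a percentage of free space, not megabytes: $value"
                            errors=$((errors + 1))
                        fi ;;
                esac ;;
            plugin)
                # Attributes are ';'-separated; the first must be name=...
                old_ifs=$IFS
                IFS=';'
                set -- $value
                IFS=$old_ifs
                first=$(ltrim "$1")
                case $first in
                    name=*) ;;
                    *) echo "plugin entry must start with name=: '$entry'"
                       errors=$((errors + 1)) ;;
                esac
                plugin=${first#name=}
                plugin=${plugin##*/}
                [ $# -gt 0 ] && shift
                for attr in "$@"; do
                    attr=$(ltrim "$attr")
                    [ -n "$attr" ] || continue
                    if [ "$plugin" = audit_binfile.so ]; then
                        case ${attr%%=*} in
                            p_dir|p_minfree|p_fsize) ;;
                            *) echo "unknown audit_binfile attribute '${attr%%=*}' (expected p_dir, p_minfree or p_fsize)"
                               errors=$((errors + 1)) ;;
                        esac
                    fi
                done ;;
            *)
                echo "unknown keyword '$key' in: $entry"
                errors=$((errors + 1)) ;;
        esac
    done <<EOF
$(audit_control_entries "$file")
EOF
    return $errors
}

# Constructed samples, not taken from any real host. The first carries two
# mistakes seen in hand-edited files: a space before flags: and pdir for p_dir.
sample_bad_audit_control() {
    cat > "$1" <<'EOF'
#
# audit_control file for snare
#
dir:/var/audit
 flags:ia
minfree:20
naflags:ia
plugin:name=/usr/lib/security/audit_snare.so
plugin: name=audit_binfile.so;\
p_minfree=20;\
pdir=/var/audit/
EOF
}

sample_good_audit_control() {
    cat > "$1" <<'EOF'
dir:/var/audit
flags:ia
minfree:20
naflags:ia
plugin:name=/usr/lib/security/audit_snare.so
plugin:name=audit_binfile.so;\
p_minfree=20;\
p_dir=/var/audit/
EOF
}

[ $# -eq 0 ] || check_audit_control "$1"
```

Run it against /etc/security/audit_control and only reload auditd when it exits 0; the messages name the offending entry so the fix is a one-line edit.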

Solaris 11

Solaris 11 has no audit_control file; plugin settings are held by the audit service under the Service Management Facility (SMF) and are read and changed with the auditconfig command:

# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_snare (active)
        Attributes:
        Queue size: 1

Further details on configuring Solaris 11 audit plugins can be found in the Oracle Solaris 11 documentation.

Disable audit_binfile

The audit_binfile plugin writes the Solaris binary audit trail to /var/audit and is active by default after the Snare Enterprise Agent for Solaris is installed. Its trail files (named like 20160731135700.20160810191133.hostname: start timestamp, end timestamp, host name) can rapidly fill the disk, because with the default p_fsize=0 there is no per-file size limit and p_minfree=1 only raises a warning once the filesystem is down to 1% free.

To disable the audit_binfile plugin so that no further binary trail files are written to /var/audit, run:

auditconfig -setplugin audit_binfile inactive

Then refresh the audit service with audit -s, which is how the Solaris 11 documentation makes plugin changes take effect in the running auditd. The audit_binfile plugin is then deactivated. Trail files already in /var/audit are not removed, and from this point the Snare agent's delivery to its configured destination is the only copy of the audit events, so disable the plugin only once that destination is configured and reachable.

To check which plugins are now active, run:

auditconfig -getplugin

The result should show audit_binfile as inactive:

Plugin: audit_binfile (inactive)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

Plugin: audit_snare (active)
        Attributes:
        Queue size: 1
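
The following script is an added example, not part of the Snare documentation or agent: it parses the output of auditconfig -getplugin and flags the state this section is about, audit_binfile active with p_fsize=0. It reads the output on stdin so it can also be run on another host against a saved copy. The sample output embedded in it is constructed from the layout shown above rather than captured from a real system. It assumes that layout, that p_fsize=0 means no per-file size limit (audit_binfile(7)), and that the auditconfig -setplugin ... active p_fsize=4M and audit -s commands it prints are the Solaris 11 syntax as I recall it from the Solaris 11 documentation; check them against auditconfig(8) on your release.

```shell
#!/bin/sh
# Added example, not from the Snare documentation or agent: parse
# "auditconfig -getplugin" output and report whether audit_binfile is still
# writing an uncapped trail. Assumes the layout shown on this page
# ("Plugin: NAME (STATE)" followed by an indented "Attributes:" line with
# key=value pairs separated by ';'). The remediation commands printed are
# the Solaris 11 auditconfig/audit syntax as I recall it (verify locally).
#
# Usage: sh binfile_check.sh live      (runs auditconfig on this host)
#        sh binfile_check.sh           (runs against the embedded sample)

# auditconfig -getplugin | plugin_state NAME   -> active | inactive | missing
plugin_state() {
    awk -v want="$1" '
        $1 == "Plugin:" && $2 == want { gsub(/[()]/, "", $3); print $3; found = 1 }
        END { if (!found) print "missing" }
    '
}

# auditconfig -getplugin | plugin_attr NAME ATTR   -> value, or nothing if unset
plugin_attr() {
    awk -v want="$1" -v attr="$2" '
        $1 == "Plugin:" { current = $2 }
        $1 == "Attributes:" && current == want {
            n = split($2, kv, ";")
            for (i = 1; i <= n; i++) {
                split(kv[i], pair, "=")
                if (pair[1] == attr) { print pair[2]; exit }
            }
        }
    '
}

# Reads "auditconfig -getplugin" output on stdin. Returns 0 when audit_binfile
# is inactive, absent, or has a size cap; returns 1 and prints the fix when it
# is active with p_fsize=0 (or no p_fsize at all, which defaults to no cap),
# the state in which trail files grow until the p_minfree warning fires.
binfile_report() {
    out=$(cat)
    state=$(printf '%s\n' "$out" | plugin_state audit_binfile)
    fsize=$(printf '%s\n' "$out" | plugin_attr audit_binfile p_fsize)
    echo "audit_binfile: $state, p_fsize=${fsize:-unset}"
    if [ "$state" = active ] && [ "${fsize:-0}" = 0 ]; then
        echo "uncapped trail growth. Either stop the local trail:"
        echo "    auditconfig -setplugin audit_binfile inactive && audit -s"
        echo "or keep it with a per-file cap (old files still need pruning):"
        echo "    auditconfig -setplugin audit_binfile active p_fsize=4M && audit -s"
        return 1
    fi
    return 0
}

# Constructed sample of the command's output, built from the layout shown on
# this page, not captured from a real host.
sample_getplugin() {
    cat <<'EOF'
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

Plugin: audit_snare (active)
        Attributes:
        Queue size: 1
EOF
}

if [ "${1:-}" = live ]; then
    auditconfig -getplugin | binfile_report
else
    sample_getplugin | binfile_report
fi
```

Because the check returns a non-zero status in the bad state, it drops straight into a compliance or monitoring job; the capped-trail alternative keeps a local copy of events for forensics when the Snare destination is unreachable, at the cost of having to expire old trail files yourself.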

Large snare.log file

The default install of the Solaris agent has no network destination configured, so the agent only writes to a local log file, set in the Network Configuration screen under File Output | FileName.

Once you have set a destination IP address or hostname you can drop the snare.log option: clear the text in the FileName field and save the configuration. The agent then stops logging locally and the file can no longer fill the disk.

If you do want to keep a local log file, the agent (before version 5) does not rotate it, so you need your own cron job that cycles the file and then restarts the agent, daily or at a frequency to suit; the restart is needed because the agent keeps the file open and would otherwise carry on writing to the renamed file. (The version 5 agent can instead rotate the log file itself each day based on a size value, which is another way to manage the log file option.)
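
One way to build that cron job, as an added example and not code from the Snare agent or its documentation: rename the current file, restart the agent so it opens a fresh snare.log, compress the rotated copy and prune the oldest copies. The restart command is an assumption passed in as an argument, because this page does not name the agent's service; keeping seven copies is an arbitrary default; the script relies only on mv, date, gzip, sort and tail from the base system, and the log contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not the Snare agent's own code: a cron job that rotates a
# local snare.log written by a pre-version-5 Solaris agent, which does not
# rotate the file itself. The agent holds the file open, so after the rename
# it is restarted to make it open a fresh snare.log. Assumptions: the restart
# command is site-specific (this page does not name the agent's service) and
# is passed in as an argument; keeping seven compressed copies is arbitrary.
#
# Install as /usr/local/sbin/rotate_snare_log.sh and schedule from root's
# crontab, for example (path and restart command adjusted to your install):
#   0 0 * * * /usr/local/sbin/rotate_snare_log.sh /var/log/snare.log '<agent restart command>'

# Usage: rotate_snare_log LOGFILE 'restart command' [copies_to_keep]
rotate_snare_log() {
    log=$1
    restart=$2
    keep=${3:-7}
    if [ ! -f "$log" ]; then
        echo "nothing to rotate: $log does not exist"
        return 0
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    rotated="$log.$stamp"
    mv "$log" "$rotated" || return 1
    # The agent keeps writing to the renamed inode until it is restarted; if
    # the restart fails, say so instead of silently losing track of the live file.
    if ! sh -c "$restart"; then
        echo "restart failed; agent may still be writing to $rotated" >&2
        return 1
    fi
    gzip -f "$rotated"
    # Prune beyond $keep copies. The timestamp in the name sorts chronologically,
    # so after "sort -r" everything past the first $keep lines is the oldest.
    ls -1 "$log".*.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do
            rm -f "$old"
        done
    return 0
}

# Number of compressed rotated copies of LOGFILE currently on disk.
count_rotated() {
    ls -1 "$1".*.gz 2>/dev/null | wc -l | tr -d ' '
}

[ $# -eq 0 ] || rotate_snare_log "$@"
```

A failed restart leaves the renamed file uncompressed and exits non-zero, so cron mails the error rather than leaving the agent writing into a file nothing else knows about; the new snare.log only appears once the agent has come back up.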
