LKSF: Audit Annotations

For several major releases Solaris has had a really extensive auditing subsystem. I wrote about it many years ago (11 years to be exact) in Less known Solaris features: Auditing. The audit system is excellent at telling you what has happened on your system. However, sometimes some context is missing: you don't know why something happened. This is a point where a new feature of Solaris 11.4 is really useful. The new feature is called Audit Annotations.

Enabling annotations

Audit annotations are really simple to use. You can activate them for a user like this, after you have gained the necessary privileges to change the extended attributes of a user:

$ ssh jmoekamp@192.168.30.197
Password: 
Last login: Thu Jan 17 12:26:25 2019 from 192.168.30.196
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
jmoekamp@solaris114:~$ su - root
Password: 
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
You have new mail.
root@solaris114:~# pfexec usermod -K annotation=yes jmoekamp
UX: usermod: jmoekamp is currently logged in, some changes may not take effect until next login.
root@solaris114:~# exit
Abgemeldet
jmoekamp@solaris114:~$ exit

When you log into your system the next time, the system will ask for a password as usual. However, there will be another question right after it: the system asks for an annotation for the session.

$ ssh jmoekamp@192.168.30.197
Password: 
Session Annotation: Changing ZFS Configuration according to ticket 123456
Last login: Thu Jan 17 21:33:27 2019 from 192.168.30.196
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
jmoekamp@solaris1144:~$

This string will now be carried forward into all audit records that are created by actions in this session. So when you look into your audit log, you will not only see what happened from the entries of the log, but you will also have some information about why an admin did it on the system. Of course it only makes sense when you enter something sensible here. "fadsfsdfasd341243" obviously does not cut it as a good annotation. However, this is something you can't enforce technically. You can only enforce that your users can't skip the prompt by just pressing return. This enforcement is the default; if you want to allow the user to skip it, use annotation=optional.

In case you want to make session annotations the default for everybody, you have to edit /etc/security/policy.conf and add ANNOTATION=yes or ANNOTATION=optional to it. In the file delivered with 11.4 the setting is already at the end, just set to no and disabled by a # sign.

Searching for annotations

Later you can check for all audit entries with an annotation with the auditreduce command:

root@solaris114:~# auditreduce -o annotation='[.]*' | praudit
header,243,2,privileged execution,,solaris114,2019-01-17 21:39:12.380+00:00
path,/usr/sbin/auditreduce
path,/root
exec_args,3,auditreduce,-o,annotation=[.]*
use of privilege,successful use of priv,file_dac_write
subject,jmoekamp,root,root,root,root,1320,2441390078,151 1 192.168.30.196
return,success,0
annotation,Changing ZFS Configuration according to ticket 123456


If you want to see only the records for a single annotation, this is easily done with auditreduce as well:

root@solaris114:~ # auditreduce -o annotation='[.]* ticket 123456' | praudit
header,243,2,privileged execution,,solaris114,2019-01-17 21:39:12.380+00:00
path,/usr/sbin/auditreduce
path,/root
exec_args,3,auditreduce,-o,annotation=[.]*
use of privilege,successful use of priv,file_dac_write
subject,jmoekamp,root,root,root,root,1320,2441390078,151 1 192.168.30.196
return,success,0
annotation,Changing ZFS Configuration according to ticket 123456
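The post notes above that a meaningful annotation cannot be enforced technically, and shows that praudit prints each record as comma-separated token lines with the annotation as its own token. As an added example (not code from the post or from Oracle), the following Python parses such praudit output and sorts records into those whose annotation cites a ticket, those with a weak annotation that a reviewer should follow up on, and those with no annotation at all. It assumes a site convention that annotations reference "ticket NNNNNN" and uses constructed sample records modelled on the output above.

```python
import re

# Constructed praudit output (not captured from a real system), in the same
# comma-separated token format the post shows: two records from jmoekamp's
# annotated session and one login from a user without annotation enabled.
SAMPLE_PRAUDIT = """\
header,243,2,privileged execution,,solaris114,2019-01-17 21:39:12.380+00:00
subject,jmoekamp,root,root,root,root,1320,2441390078,151 1 192.168.30.196
return,success,0
annotation,Changing ZFS Configuration according to ticket 123456
header,120,2,login - ssh,,solaris114,2019-01-17 22:01:03.118+00:00
subject,jmoekamp,jmoekamp,staff,jmoekamp,staff,1402,2441390101,151 1 192.168.30.196
return,success,0
annotation,fadsfsdfasd341243
header,120,2,login - ssh,,solaris114,2019-01-17 22:05:44.000+00:00
subject,backup,backup,staff,backup,staff,1511,2441390120,151 1 192.168.30.199
return,success,0
"""

TICKET_RE = re.compile(r"\bticket\s+\d+\b", re.IGNORECASE)  # assumed site convention


def parse_records(text):
    """Group praudit token lines into records; each record starts at a header token."""
    records, current = [], None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            fields = rest.split(",")  # size, version, event, modifier, host, time
            current = {"event": fields[2], "time": fields[-1], "tokens": []}
            records.append(current)
        elif current is not None and token:
            current["tokens"].append((token, rest))
    return records


def annotation_of(record):
    # The annotation token carries the free text entered at login, or is absent.
    return next((rest for tok, rest in record["tokens"] if tok == "annotation"), None)


def review_annotations(text, pattern=TICKET_RE):
    """Return (compliant, suspicious, unannotated) lists for reviewer follow-up."""
    compliant, suspicious, unannotated = [], [], []
    for rec in parse_records(text):
        ann = annotation_of(rec)
        if ann is None:
            unannotated.append((rec["event"], rec["time"]))
        elif pattern.search(ann):
            compliant.append((rec["event"], ann))
        else:
            suspicious.append((rec["event"], ann))
    return compliant, suspicious, unannotated
```

Feed it the output of `auditreduce ... | praudit` to get a list of sessions whose annotations need a follow-up question to the admin.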


Do you want to learn more?

docs.oracle.com : New Feature – Annotating Reason for Access in the Audit Record