On Tue, Aug 08, 2006 at 09:03:04AM -0500, Mike Lewis wrote:
> I've also noticed that auditd runs by default in both the global and local
> zones, and that they conflict (you can't run both). I have turned off
> auditd in the local zones and defer to the one running at the global
> level.

The 'perzone' audit policy allows one to audit non-global zones
individually. The 'perzone' audit policy is described in the
auditconfig(1M) and auditd(1M) man pages as well as here:

http://docs.sun.com/app/docs/doc/817-0547/6mgbdbsnb?q=perzone&a=view

---
Solaris 10 What's New >> 3. What's New in the Solaris 10 3/05 Release
[...]
perzone Audit Policy

This feature is new in the Solaris Express 8/04 release.

The perzone audit policy enables non-global zones to be audited
individually. A separate audit daemon runs in each zone. The daemon uses
audit configuration files that are specific to the zone. Also, the audit
queue is specific to the zone. By default, the policy is off.
---

and also throughout the Solaris Auditing section of:

System Administration Guide: Security Services
http://docs.sun.com/app/docs/doc/816-4557/6maosrjog?q=perzone&a=view

The Solaris Trusted Extensions documentation states that auditing needs
to be configured but I don't see a reference to the 'perzone' policy in
the docs.

I suspect that you ran into the zones related issue:

6384568 SUNWcsr postinstall may be too aggressive with the audit service in zones
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6384568

where the audit service in a non-global zone will be enabled during zone
creation regardless of the state of the 'perzone' policy. The above CR
should be addressed in Solaris Nevada shortly and isn't specific to
Trusted Extensions.

You may wish to configure the 'zonename' audit policy in the
audit_startup(1M) file to help separate events which take place in the
separate zones when reviewing the audit.log(4).

Finally note that if the 'perzone' policy is in place and the audit
service is disabled in the non-global zones then users in those zones
will not be audited.

> Thanks for all your help!
>
> --
> Michael Lewis -- Jackpine Technologies Corporation
> 1380 Corporate Center Curve, Suite 108, Eagan, MN 55121
> (651)209-6042 -- mdl at JackpineTech.com

-Brent
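
An added example, not part of the message above: a shell check for the policy and service combinations the reply describes ('perzone' set with auditd disabled in a zone, auditd enabled in a zone without 'perzone', and a missing 'zonename' policy). The function names and input formats (a comma-separated policy list and one "zone state" pair per line, using SMF state names) are assumptions of this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the original message). Inputs are passed in as
# strings so the logic runs anywhere; on a real system they would be
# collected from the audit policy and from each zone's auditd service state.

# has_policy LIST NAME: succeed if NAME is in the comma-separated LIST.
has_policy() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_gaps LIST STATES: print one finding per line.
#   LIST   - active audit policies, e.g. "cnt,perzone"
#   STATES - lines of "<non-global zone> <auditd service state>"
audit_gaps() {
    policies=$1
    states=$2
    if has_policy "$policies" perzone; then perzone=1; else perzone=0; fi

    # This example only asks for 'zonename' when the global zone audits
    # every zone, which is where events from different zones mix.
    if [ "$perzone" -eq 0 ] && ! has_policy "$policies" zonename; then
        echo "global: zonename policy not set; events are harder to separate by zone"
    fi

    printf '%s\n' "$states" | while read -r zone state; do
        [ -n "$zone" ] || continue
        if [ "$perzone" -eq 1 ] && [ "$state" != online ]; then
            # The case the reply warns about: nobody audits this zone.
            echo "$zone: perzone set but auditd is $state; users in this zone are not audited"
        elif [ "$perzone" -eq 0 ] && [ "$state" = online ]; then
            # Matches the symptom described for CR 6384568.
            echo "$zone: auditd is online although perzone is not set"
        fi
    done
}

# Constructed sample: two non-global zones, global policy without perzone.
SAMPLE_STATES="web online
db disabled"
audit_gaps "cnt" "$SAMPLE_STATES"
```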