Less known Solaris 11.1 features: Auditing pfedit usage
You have allowed junior to edit the httpd.conf, and some nice evening you are sitting at home. Then you get alerts on your mobile: Webserver down. You log into the server. You check the httpd.conf. You see an error. You correct it. You look into the change log. Nothing. You ask your colleagues who made this change. Nobody. Dang. As always. Classic “Whodunit”.
Okay, to prevent this for future changes, you want to record who changed what and when. Working with pfedit is really useful for doing so.
This tutorial is a follow-on to the basic pfedit tutorial, so if you want to work through this one, you have to go through the basic one first.
The nice thing about pfedit is that it is integrated with the auditing subsystem of Oracle Solaris, so you can monitor the usage of pfedit with the audit log. In order to do so, we have to configure auditing here. In Solaris 11 auditing is activated by default, so you don’t have to enable it and reboot like with earlier Solaris releases.
From the man page of pfedit we know that pfedit uses the audit class as by default. So I will add this class to the profile I created in the basic tutorial.
I’m done. That’s all folks. When anyone using this profile runs pfedit, his or her actions will be put into the audit log. But how do you get at the stored information?
And at the end of the audit log, you will find the following piece of information:
Not only the “metadata” about the change (when, who) has been stored in the audit log, but the change itself has been stored as a diff in the log. Neat.
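To turn that whodunit into something a script can answer, here is an added example of my own (it is not from the original post and not Oracle code). It assumes the relevant records were exported as XML with auditreduce -c as | praudit -x; the event name, the token set and the assumption that pfedit stores its diff in a text token are modelled on praudit -x output but are constructed for this sample, so compare them with a record from your own trail before relying on the field names.

```python
"""Extract who / when / what from pfedit audit records (added example, not from the post)."""
import xml.etree.ElementTree as ET

# Constructed sample: two records in the XML layout praudit -x emits.
# Event name "pfedit(1M)", the exact tokens and the diff-in-<text> layout are
# assumptions for this example; check them against a real audit trail.
SAMPLE_AUDIT_XML = """<audit>
<record version="2" event="pfedit(1M)" host="web01" iso8601="2013-02-10 21:42:17.000 +01:00">
<subject audit-uid="junior" uid="junior" gid="staff" ruid="junior" rgid="staff" pid="4711" sid="1001" tid="12345 0 0.0.0.0"/>
<path>/etc/apache2/2.2/httpd.conf</path>
<text>--- /etc/apache2/2.2/httpd.conf
+++ /etc/apache2/2.2/httpd.conf
@@ -1,3 +1,3 @@
 ServerRoot "/usr/apache2/2.2"
-Listen 80
+Lisen 80
 PidFile /var/run/apache2/httpd.pid</text>
<return errval="success" retval="0"/>
</record>
<record version="2" event="pfedit(1M)" host="web01" iso8601="2013-02-10 22:05:03.000 +01:00">
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="4802" sid="1002" tid="12346 0 0.0.0.0"/>
<path>/etc/ssh/sshd_config</path>
<text>--- /etc/ssh/sshd_config
+++ /etc/ssh/sshd_config
@@ -10,1 +10,1 @@
-PermitRootLogin yes
+PermitRootLogin no</text>
<return errval="success" retval="0"/>
</record>
</audit>
"""


def parse_audit_records(xml_text):
    """Return one dict per <record>: who, when, host, edited file, diff, success flag."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        subject = rec.find("subject")
        ret = rec.find("return")
        records.append({
            "event": rec.get("event"),
            "time": rec.get("iso8601"),
            "host": rec.get("host"),
            # audit-uid is the login identity and survives pfexec/su, so it is
            # the right field for "who", not the effective uid.
            "who": subject.get("audit-uid") if subject is not None else None,
            "path": rec.findtext("path"),
            "diff": rec.findtext("text") or "",
            "success": ret is not None and ret.get("errval") == "success",
        })
    return records


def changed_lines(diff):
    """Split a unified diff into (removed, added) content lines, skipping headers."""
    removed, added = [], []
    for line in diff.splitlines():
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added


def whodunit(records, path):
    """Answer the post's question for one file: (time, who, removed, added) per edit."""
    hits = []
    for r in records:
        if r["path"] == path and r["success"]:
            removed, added = changed_lines(r["diff"])
            hits.append((r["time"], r["who"], removed, added))
    return hits


if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_AUDIT_XML)
    for when, who, removed, added in whodunit(recs, "/etc/apache2/2.2/httpd.conf"):
        print(f"{when} {who} removed {removed} added {added}")
```

Filtering on the path token is what makes this usable in the evening scenario above: you ask for the one file that broke, and get the editor, the timestamp and the exact lines that changed, without scrolling through the rest of the as class records.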