Customizing Security Audits
The audit option provides a highly flexible and extensible mechanism for evaluating the state of a system. As with hardening scripts, you can customize the actions of audit scripts. For example, you can customize environment variables, customize framework and helper functions, add new checks, and add functionality to the audit framework.
Typically, most users find the standard and product-specific audit scripts are suitable as templates from which to customize auditing for their environments. For this scenario, customize audit script actions through drivers, finish scripts, environment variables, and file templates. These custom changes can be made with little effort and without modifying the code. Changes made this way for hardening are automatically recognized by the Solaris Security Toolkit software when you perform auditing, because both modes read the same drivers, variables, and file templates.
Occasionally, some users find it necessary to add checks or functionality that the Solaris Security Toolkit software does not provide. For this scenario, add the checks or new functionality to the audit script. (You may want to make related changes in the corresponding finish script.) In some cases, you may need to modify the code. Use extreme care when performing code additions and modifications, to avoid introducing bugs and failures.
Rarely, some users find that they need to create entirely new proprietary, or site-specific, drivers and scripts. For this scenario, we recommend that you use the templates and samples as guidelines when coding the new drivers and scripts. Also, be advised that site-specific drivers, finish scripts, variables, and functions are not automatically known to the Solaris Security Toolkit software when you use the audit option. For example, if you add a site-specific driver named abcc-nj-secure.driver that contains a site-specific finish script, abcc-nj-install-foo.fin, then you need to create a site-specific audit script, abcc-nj-install-foo.aud. Similarly, if you start with only the audit script, you should create the matching finish script. Otherwise the Toolkit either hardens a setting that is never verified, or reports on a setting that it never enforces; keep the two scripts checking the same condition.
To customize or create new drivers, scripts, variables, and functions, use the following information:
For drivers, refer to Chapter 10.
For finish scripts, refer to Chapter 11.
For audit scripts, refer to Chapter 12.
For variables, refer to Chapter 13.
For functions, refer to Chapter 8.
For example, what if you need to add a patch that the Solaris Security Toolkit software does not install? You can extend one of the standard or product-specific templates, or you can create your own. If you create your own, create a finish script to add the patch, then create the corresponding audit script to check for the patch installation.
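The following is an added example, not code from the Solaris Security Toolkit distribution, showing how a site-specific finish/audit pair such as abcc-nj-install-foo.fin and abcc-nj-install-foo.aud can share one predicate for the patch check described above. The Toolkit ships its own framework and helper functions for this purpose; this example uses plain sh and awk instead so that it runs outside the Toolkit. The function names, the PATCH_INSTALLER variable, the patch ID 123456 and the showrev output are all assumptions constructed for the example. It also handles a point the text does not spell out: a patch installed at a higher revision (123456-05) satisfies a requirement for a lower one (123456-03), so the check must compare revisions numerically rather than match the exact string.

```shell
#!/bin/sh
# Added example; not part of the Solaris Security Toolkit. Shared check for a
# site-specific finish/audit pair (e.g. abcc-nj-install-foo.fin / .aud).
# Patch 123456 and PATCH_INSTALLER are placeholders assumed for this example.

# Constructed `showrev -p` sample so the example runs offline. A real audit
# script would capture `showrev -p` from the target system instead.
SAMPLE_SHOWREV='Patch: 123456-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 111111-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# rev_number 123456-05 -> 5. awk strips the leading zero without the octal
# trap that $((08)) and printf '%d' 08 fall into in bash.
rev_number() {
    printf '%s\n' "${1#*-}" | awk '{ print $1 + 0 }'
}

# installed_rev BASE SHOWREV_OUTPUT -> highest installed revision of BASE,
# or an empty string if the patch is absent. Several revisions of one base
# patch can be present; only the highest matters for the check.
installed_rev() {
    printf '%s\n' "$2" | awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max > 0) print max }'
}

# patch_satisfied PATCHSPEC SHOWREV_OUTPUT
# Succeeds when the base patch is installed at the requested revision or a
# newer one. Both the finish and the audit side call this single predicate,
# so the two scripts cannot drift apart in what they consider compliant.
patch_satisfied() {
    base="${1%-*}"
    want=$(rev_number "$1")
    have=$(installed_rev "$base" "$2")
    [ -n "$have" ] && [ "$have" -ge "$want" ]
}

# Finish-script side: install only when the check fails. PATCH_INSTALLER
# defaults to patchadd; the demo below overrides it so nothing is installed.
finish_install_patch() {
    spec="$1"; showrev="$2"; patchdir="$3"
    if patch_satisfied "$spec" "$showrev"; then
        echo "Patch $spec already present; nothing to do."
        return 0
    fi
    echo "Installing $spec from $patchdir"
    "${PATCH_INSTALLER:-patchadd}" "$patchdir/$spec"
}

# Audit-script side: report only, never change the system. Returns 0 on
# pass and 1 on fail so a driver can count failures.
audit_check_patch() {
    if patch_satisfied "$1" "$2"; then
        echo "[PASS] Patch $1 is installed."
        return 0
    fi
    echo "[FAIL] Patch $1 is missing or older than required."
    return 1
}

# Demo against the constructed sample.
audit_check_patch 123456-03 "$SAMPLE_SHOWREV"          # -05 satisfies -03: PASS
audit_check_patch 123456-07 "$SAMPLE_SHOWREV" || true  # -05 older than -07: FAIL
audit_check_patch 999999-01 "$SAMPLE_SHOWREV" || true  # not installed: FAIL
PATCH_INSTALLER=echo   # stand-in for patchadd so the demo runs offline
finish_install_patch 123456-07 "$SAMPLE_SHOWREV" /var/tmp/patches
```

In a real pair, abcc-nj-install-foo.fin would call the finish function and abcc-nj-install-foo.aud the audit function, each sourcing the shared predicate, so that any later change to the required revision is made in exactly one place.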