The UNIX and Linux Forums  

#5, 03-06-2007
auditd (Registered User, Join Date: Feb 2007, Posts: 22)
Quote:
Originally Posted by skywalker850i
I have managed to get rootsh to work. What I want it to do is to start logging users' sessions as soon as they log in to the box. rootsh uses sudo root user and I don't have that set up here. What do you guys think?
IMO you get better logging with Solaris auditing than rootsh. If I know you audit my actions with rootsh, I will just write a C program that does all my covert actions and you won't be able to see it; the only thing rootsh catches is that I downloaded a file which I then executed.

With Solaris auditing you cannot hide your actions, as the logging happens in the kernel (for system calls), so even if you run an unknown program I will be able to see what it was up to.

The only downside to Solaris auditing is that the output format is harder to read, but there will soon be a nice GUI to view the audit trail in, where you can easily choose to view the commands executed by a user.
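The "view the commands executed by a user" part does not need a GUI; it can be done over the text form that praudit emits. The following is an added example (not auditd's code and not any Solaris tool) that groups execve records by audit user ID from comma-delimited, one-record-per-line praudit output. The token layout (header, path, exec_args, subject, return, trailer) is assumed from that format, and the four sample records are constructed, not real audit data.

```python
# Added example: summarise who executed what from Solaris audit records in the
# one-line-per-record, comma-delimited form praudit(1M) prints with -l.
# Token layout below is an assumption about that text format; SAMPLE_TRAIL is
# constructed input. Exec arguments containing commas are not handled.
from collections import defaultdict

SAMPLE_TRAIL = """\
header,70,2,login - local,,host1,2007-03-06 09:40:00.000 +00:00,subject,skywalker,skywalker,staff,skywalker,staff,1200,1200,0 0 host1,return,success,0,trailer,70
header,81,2,execve(2),,host1,2007-03-06 09:41:12.014 +00:00,path,/usr/bin/ls,exec_args,2,ls,-la,subject,skywalker,skywalker,staff,skywalker,staff,1234,1200,0 0 host1,return,success,0,trailer,81
header,93,2,execve(2),,host1,2007-03-06 09:42:05.311 +00:00,path,/tmp/covert,exec_args,1,./covert,subject,skywalker,root,staff,skywalker,staff,1240,1200,0 0 host1,return,success,0,trailer,93
header,85,2,execve(2),,host1,2007-03-06 09:43:00.000 +00:00,path,/usr/bin/id,exec_args,1,id,subject,alice,alice,staff,alice,staff,1300,1300,0 0 host1,return,failure: Permission denied,-1,trailer,85
"""

def parse_record(line):
    """Parse one record into a dict; tokens are recognised by keyword, not offset."""
    t = line.rstrip("\n").split(",")
    rec = {"event": "", "time": "", "auid": "", "euid": "", "path": "", "args": [], "ok": None}
    i = 0
    while i < len(t):
        tok = t[i]
        if tok == "header":          # header,size,version,event,modifier,host,time
            rec["event"], rec["time"] = t[i + 3], t[i + 6]
            i += 7
        elif tok == "path":          # path,<pathname>
            rec["path"] = t[i + 1]
            i += 2
        elif tok == "exec_args":     # exec_args,<count>,<arg>...
            n = int(t[i + 1])
            rec["args"] = t[i + 2:i + 2 + n]
            i += 2 + n
        elif tok == "subject":       # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid
            rec["auid"], rec["euid"] = t[i + 1], t[i + 2]   # audit-uid survives su
            i += 9
        elif tok == "return":        # return,<status>,<value>
            rec["ok"] = (t[i + 1] == "success")
            i += 3
        else:                        # trailer or anything unrecognised
            i += 1
    return rec

def commands_by_user(trail):
    """Map audit user ID -> [(time, effective uid, argv, success)] for execve records."""
    out = defaultdict(list)
    for line in trail.splitlines():
        if not line.startswith("header,"):
            continue
        r = parse_record(line)
        if r["event"].startswith("execve"):
            out[r["auid"]].append((r["time"], r["euid"], " ".join(r["args"]), r["ok"]))
    return dict(out)

def execs_under_other_identity(trail):
    """Execs where the effective uid differs from the audit user ID, e.g. after su to root."""
    return [(u, t, e, a) for u, rows in commands_by_user(trail).items()
            for (t, e, a, ok) in rows if e != u]
```

The key security point is the audit user ID in the subject token: it is fixed at login and retained across su, so the `./covert` run as root in the sample is still attributed to skywalker, which is exactly what a user-space wrapper like rootsh cannot guarantee.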