Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Enabling Solaris Audit log: Solaris 9
Operating Systems Solaris Enabling Solaris Audit log: Solaris 9 Post 302755987 by sumeet1806 on Tuesday 15th of January 2013 01:01:25 AM
Old 01-15-2013
Hi bartus11

Thanks for your reply.
Yes, that command is there to read the audit files, not what I wanted here.

For example: (Solaris 10)

In /etc/syslog.conf, I have made an entry for /var/adm/auditlog

********************************
<hostname>:/var/audit# cat /etc/syslog.conf| tail -1
audit.notice /var/adm/auditlog
*********************************

# cat /var/adm/auditlog | more
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/sbin/sh
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/cat
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15643 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>

And since with Solaris 9 when I am making a similar entry in syslog.conf, its not working, What am I supposed to do to to get a file similar to the auditlog file as shown in the example above.

Thanks a lot for your reply in advance.

Regards
Sumeet
 

10 More Discussions You Might Find Interesting

1. Cybersecurity

Enabling C2 audit

hey guys, im going to enable C2 auditing on a sun box, i know how to do it, but im just wondering if there are any issues or problems that i may run into. this will be my first major change (since i have to reset the box) since i joined this company and i dont really wanna kill their servers, so... (2 Replies)
Discussion started by: roguekitton
2 Replies

2. Solaris

Solaris BSM audit log

I got a lot of this message in my /var/audit log how can I exclude this message? header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument ,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies

3. Solaris

audit in solaris

How do I know that audit is enabled in soalris. in AIX 'audit query' command gives me the info whether auditing is on or not. Raghav (1 Reply)
Discussion started by: raghavender_sri
1 Replies

4. Solaris

audit in solaris 10

can you please share what you use to audit what files are deleted, when files are deleted and who deleted them? thx (1 Reply)
Discussion started by: melanie_pfefer
1 Replies

5. Solaris

Audit in Solaris Servers.

Hi Friends I am a Solaries newbie and I am looking out for a software or command or config that can capture all commands run by all users on a server on a daily basis. I believe that this Audit is being done in almost all enterprises and would like to know how the same is done there. Any... (3 Replies)
Discussion started by: Hari_Ganesh
3 Replies

6. Solaris

Cron audit problem in Solaris 8

cron audit problem. job failed I’m getting problem with crontab in Solaris 8 Crontab stop and is not running for all the cron jobs under cat /var/cron/log > CMD: /var/sh/go.sh > root 24835 c Sun Sep 26 08:06:00 2010 < root 24835 c Sun Sep 26 08:06:00 2010 rc=1 ! cron audit problem.... (5 Replies)
Discussion started by: Mr.AIX
5 Replies

7. Solaris

Enabling TFTP in Solaris 10

Hi, I was trying to enable TFTP on my Solaris 10. I started with un-commenting the tftp line in /etc/inetd.conf and inetconv -i /etc/inetd.conf for tftp installation. I did reboot the server afterwards, but i still cannot find the /tftpboot directory. though the return of svcs -a | grep -i tftp... (0 Replies)
Discussion started by: A.Salama
0 Replies

8. Solaris

How to view audit logs in Solaris?

Does anyone know if there is software written to view the audit logs generated by Solaris? I am referring the the logs created by auditd. It produces an unreadable log. I am familiar with auditreduce and praudit, but I am looking for something that produces a report, much like logwatch looks at the... (4 Replies)
Discussion started by: brownwrap
4 Replies

9. Solaris

Enabling SFTP log on Solaris

Hi Guys, Hope you can shed the light to this issue. I have enabled SFTP logging on Linux this way and it works: But trying this on Solaris it wont work, the ssh goes to maintenance in when checking with svcs. The logs said a syntax error it doesn't recognize "-l" (3 Replies)
Discussion started by: batas
3 Replies

10. Solaris

Audit not working on Solaris 10

hi, I enabled bsm modules (/etc/security/bsmconv) and rebooted Solaris 10. But service is going into maintenance state. I rebooted server and I see one error saying "sys/c2audit:audit_kssl() not defined properly". I am not sure, what it is indicating and how it should be fixed. Please suggest, how... (5 Replies)
Discussion started by: solaris_1977
5 Replies

LEARN ABOUT DEBIAN

autrace

AUTRACE:(8)						  System Administration Utilities					       AUTRACE:(8)

NAME

       autrace - a program similar to strace

SYNOPSIS

       autrace program [-r] [program-args]...

DESCRIPTION

       autrace is a program that will add the audit rules to trace a process similar to strace. It will then execute the program passing arguments
       to it. The resulting audit information will be in the audit logs if the audit daemon is running or syslog. This command deletes	all  audit
       rules  prior  to  executing the target program and after executing it. As a safety precaution, it will not run unless all rules are deleted
       with auditctl prior to use.

OPTIONS

       -r     Limit syscalls collected to ones needed for analyzing resource usage. This could help people doing threat modeling. This saves space
	      in logs.

EXAMPLES

       The following illustrates a typical session:

       autrace /bin/ls /tmp
       ausearch --start recent -p 2442 -i

       and for resource usage mode:

       autrace -r /bin/ls
       ausearch --start recent -p 2450 --raw | aureport --file --summary
       ausearch --start recent -p 2450 --raw | aureport --host --summary

SEE ALSO

       ausearch(8), auditctl(8).

AUTHOR

       Steve Grubb

Red Hat 							     Jan 2007							       AUTRACE:(8)
All times are GMT -4. The time now is 11:08 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy