Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Enabling Solaris Audit log: Solaris 9
Operating Systems Solaris Enabling Solaris Audit log: Solaris 9 Post 302755987 by sumeet1806 on Tuesday 15th of January 2013 01:01:25 AM
Old 01-15-2013
Hi bartus11

Thanks for your reply.
Yes, that command is there to read the audit files, not what I wanted here.

For example: (Solaris 10)

In /etc/syslog.conf, I have made an entry for /var/adm/auditlog

********************************
<hostname>:/var/audit# cat /etc/syslog.conf| tail -1
audit.notice /var/adm/auditlog
*********************************

# cat /var/adm/auditlog | more
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/sbin/sh
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/cat
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15643 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>

And since with Solaris 9 when I am making a similar entry in syslog.conf, its not working, What am I supposed to do to to get a file similar to the auditlog file as shown in the example above.

Thanks a lot for your reply in advance.

Regards
Sumeet
 

10 More Discussions You Might Find Interesting

1. Cybersecurity

Enabling C2 audit

hey guys, im going to enable C2 auditing on a sun box, i know how to do it, but im just wondering if there are any issues or problems that i may run into. this will be my first major change (since i have to reset the box) since i joined this company and i dont really wanna kill their servers, so... (2 Replies)
Discussion started by: roguekitton
2 Replies

2. Solaris

Solaris BSM audit log

I got a lot of this message in my /var/audit log how can I exclude this message? header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument ,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies

3. Solaris

audit in solaris

How do I know that audit is enabled in soalris. in AIX 'audit query' command gives me the info whether auditing is on or not. Raghav (1 Reply)
Discussion started by: raghavender_sri
1 Replies

4. Solaris

audit in solaris 10

can you please share what you use to audit what files are deleted, when files are deleted and who deleted them? thx (1 Reply)
Discussion started by: melanie_pfefer
1 Replies

5. Solaris

Audit in Solaris Servers.

Hi Friends I am a Solaries newbie and I am looking out for a software or command or config that can capture all commands run by all users on a server on a daily basis. I believe that this Audit is being done in almost all enterprises and would like to know how the same is done there. Any... (3 Replies)
Discussion started by: Hari_Ganesh
3 Replies

6. Solaris

Cron audit problem in Solaris 8

cron audit problem. job failed I’m getting problem with crontab in Solaris 8 Crontab stop and is not running for all the cron jobs under cat /var/cron/log > CMD: /var/sh/go.sh > root 24835 c Sun Sep 26 08:06:00 2010 < root 24835 c Sun Sep 26 08:06:00 2010 rc=1 ! cron audit problem.... (5 Replies)
Discussion started by: Mr.AIX
5 Replies

7. Solaris

Enabling TFTP in Solaris 10

Hi, I was trying to enable TFTP on my Solaris 10. I started with un-commenting the tftp line in /etc/inetd.conf and inetconv -i /etc/inetd.conf for tftp installation. I did reboot the server afterwards, but i still cannot find the /tftpboot directory. though the return of svcs -a | grep -i tftp... (0 Replies)
Discussion started by: A.Salama
0 Replies

8. Solaris

How to view audit logs in Solaris?

Does anyone know if there is software written to view the audit logs generated by Solaris? I am referring the the logs created by auditd. It produces an unreadable log. I am familiar with auditreduce and praudit, but I am looking for something that produces a report, much like logwatch looks at the... (4 Replies)
Discussion started by: brownwrap
4 Replies

9. Solaris

Enabling SFTP log on Solaris

Hi Guys, Hope you can shed the light to this issue. I have enabled SFTP logging on Linux this way and it works: But trying this on Solaris it wont work, the ssh goes to maintenance in when checking with svcs. The logs said a syntax error it doesn't recognize "-l" (3 Replies)
Discussion started by: batas
3 Replies

10. Solaris

Audit not working on Solaris 10

hi, I enabled bsm modules (/etc/security/bsmconv) and rebooted Solaris 10. But service is going into maintenance state. I rebooted server and I see one error saying "sys/c2audit:audit_kssl() not defined properly". I am not sure, what it is indicating and how it should be fixed. Please suggest, how... (5 Replies)
Discussion started by: solaris_1977
5 Replies

LEARN ABOUT OPENSOLARIS

bsmconv

bsmconv(1M)						  System Administration Commands					       bsmconv(1M)

NAME

       bsmconv, bsmunconv - enable or disable Solaris Auditing

SYNOPSIS

       /etc/security/bsmconv [rootdir]...

       /etc/security/bsmunconv [rootdir]...

DESCRIPTION

       The  bsmconv  and  bsmunconv scripts are used to enable or disable the BSM features on a Solaris system. The optional argument rootdir is a
       list of one or more root directories of diskless clients that have already been configured. See smdiskless(1M).

       To enable or disable BSM on a diskless client, a server, or a stand-alone system, logon as super-user to the system being converted and use
       the bsmconv or bsmunconv commands without any options.

       To  enable or disable BSM on a diskless client from that client's server, logon to the server as super-user and use bsmconv, specifying the
       root directory of each diskless client you wish to affect. For example, the command:

	 myhost# bsmconv /export/root/client1 /export/root/client2

       enables BSM on the two machines named client1 and client2. While the command:

	 myhost# bsmconv

       enables BSM only on the machine called myhost. It is no longer necessary to enable BSM on both the server and its diskless clients.

       After running bsmconv the system can be configured by editing the files in /etc/security. Each diskless client has its own copy of configu-
       ration files in its root directory. You might want to edit these files before rebooting each client.

       Following  the  completion  of either script, the affected system(s) should be rebooted to allow the auditing subsystem to come up properly
       initialized.

FILES

       The following files are created by bsmconv:

       /etc/security/device_maps

	   Administrative file defining the mapping of device special files to allocatable device names.

       /etc/security/device_allocate

	   Administrative file defining parameters for device allocation.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsr			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Obsolete Committed	   |
       +-----------------------------+-----------------------------+

SEE ALSO

       auditconfig(1M), auditd(1M), audit_startup(1M), audit.log(4), audit_control(4), attributes(5)

       See the section on Solaris Auditing in System Administration Guide: Security Services.

NOTES

       bsmconv and bsmunconv are not valid in a non-global zone.

       These commands are Obsolete and may be removed and replaced with equivalent functionality in a future release of Solaris.

SunOS 5.11							    20 Jan 2009 						       bsmconv(1M)
All times are GMT -4. The time now is 08:24 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy