Enabling Solaris Audit log: Solaris 9 | Unix Linux Forums | Solaris

  Go Back    


Solaris The Solaris Operating System, usually known simply as Solaris, is a Unix-based operating system introduced by Sun Microsystems. The Solaris OS is now owned by Oracle.

Enabling Solaris Audit log: Solaris 9

Solaris


Tags
audit log, bsmconv, security, solaris 9, syslog

Closed Thread    
 
Thread Tools Search this Thread Display Modes
    #1  
Old 01-14-2013
sumeet1806 sumeet1806 is offline
Registered User
 
Join Date: Nov 2010
Last Activity: 15 January 2013, 1:01 AM EST
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Sun Enabling Solaris Audit log: Solaris 9

Dear All,

I have one of my Servers, running Solaris 9. I wanna enable the Audit log enabling, the way I did in Solaris 10 Servers.

After running, the bsmconv script, giving the reboots, modifying all the audit files in /etc/security, the audit is enabled, but the audit file which shall be updating in human readable format, its missing.

The /var/adm/messages show the following error.

syslogd: line 47: unknown facility name "audit"

Now, this must be because of the following entry in syslog.conf which is not supported by Solaris 9.
audit.notice /var/adm/auditlog

Please tell me, what do I need to do on my Solaris 9 box, which will show me the audit logs in readable format, because enabling audit logs but not being able to read them, makes no sense to anyone.

Thanks for your help!

Regards
Sumeet
Sponsored Links
    #2  
Old 01-14-2013
bartus11's Avatar
bartus11 bartus11 is offline Forum Staff  
Moderator
 
Join Date: Apr 2009
Last Activity: 23 November 2014, 6:51 PM EST
Posts: 3,720
Thanks: 7
Thanked 1,147 Times in 1,118 Posts
Use praudit on /var/audit/* files.
The Following User Says Thank You to bartus11 For This Useful Post:
jim mcnamara (01-14-2013)
Sponsored Links
    #3  
Old 01-15-2013
sumeet1806 sumeet1806 is offline
Registered User
 
Join Date: Nov 2010
Last Activity: 15 January 2013, 1:01 AM EST
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Hi bartus11

Thanks for your reply.
Yes, that command is there to read the audit files, not what I wanted here.

For example: (Solaris 10)

In /etc/syslog.conf, I have made an entry for /var/adm/auditlog

********************************
<hostname>:/var/audit# cat /etc/syslog.conf| tail -1
audit.notice /var/adm/auditlog
*********************************

# cat /var/adm/auditlog | more
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/sbin/sh
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/cat
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15643 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>

And since with Solaris 9 when I am making a similar entry in syslog.conf, its not working, What am I supposed to do to to get a file similar to the auditlog file as shown in the example above.

Thanks a lot for your reply in advance.

Regards
Sumeet
    #4  
Old 01-15-2013
achenle achenle is offline
Registered User
 
Join Date: Jun 2009
Last Activity: 23 November 2014, 9:07 PM EST
Posts: 783
Thanks: 1
Thanked 113 Times in 108 Posts
Quote:
Originally Posted by sumeet1806 View Post
Dear All,

I have one of my Servers, running Solaris 9. I wanna enable the Audit log enabling, the way I did in Solaris 10 Servers.

After running, the bsmconv script, giving the reboots, modifying all the audit files in /etc/security, the audit is enabled, but the audit file which shall be updating in human readable format, its missing.

The /var/adm/messages show the following error.

syslogd: line 47: unknown facility name "audit"

Now, this must be because of the following entry in syslog.conf which is not supported by Solaris 9.
audit.notice /var/adm/auditlog

Please tell me, what do I need to do on my Solaris 9 box, which will show me the audit logs in readable format, because enabling audit logs but not being able to read them, makes no sense to anyone.

Thanks for your help!

Regards
Sumeet
The man page for syslog.conf should help you.

And remember to use tabs and not spaces in your syslog.conf file.
Sponsored Links
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Audit in Solaris Servers. Hari_Ganesh Solaris 3 10-16-2009 06:07 AM
audit in solaris 10 melanie_pfefer Solaris 1 11-06-2008 01:41 PM
audit in solaris raghavender_sri Solaris 1 03-02-2008 09:56 PM
Solaris BSM audit log geoffry Solaris 1 03-02-2008 09:32 PM
Enabling C2 audit roguekitton Security 2 10-19-2007 09:47 AM



All times are GMT -4. The time now is 05:16 AM.