The UNIX and Linux Forums  

#8  03-07-2007  (Registered User, joined Mar 2007, 17 posts)
update

Hi,

I have changed the audit_control; please see below.


audit_control

dir:/var/audit
flags:lo,ad,cc
minfree:20
naflags:lo


audit_event

0

audit_user

#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_user.txt 1.6 00/07/17 SMI"
#
#
# User Level Audit User File
#
# File Format
#
# username:always:never
#
root:lo:no
hassan:lo,ad,cc
paul:lo,cc,ad

# ps
PID TTY TIME CMD
10696 pts/1 0:00 login
10790 pts/1 0:00 ps
10705 pts/1 0:00 ksh

# auditconfig -getpinfo 10705
audit id = hassan(100)
process preselection mask = all(0xffffffff,0xffffffff)
terminal id (maj,min,host) = 6413,23,unknown(172.16.1.202)
audit session id = 3136872915


auditreduce -u $uid /path/to/audit-trail | praudit
file,1970-01-01 01:00:00.000 +01:00,
file,2007-03-07 10:34:13.000 +00:00,

auditreduce -m AUE_EXECVE /path/to/audit-trail | praudit
file,1970-01-01 01:00:00.000 +01:00,
file,2007-03-07 10:33:21.000 +00:00,


Would it be possible to audit events from the user-level audit event range (# 2048 - 6143 Reserved)?

I tried /usr/sbin/auditconfig -setclass 2048 6143 but it doesn't work:
auditconfig: Invalid kernel audit event number specified.
2048 is outside allowable range 0-512.

(I might have made a mistake on the command line.)

As you can see, I have run all the recommended commands. What I had in mind is a simple output from the logs, just like what you get from rootsh. I will have a look at auditreduce and see if I can tune the output.


Thanks

#9  03-07-2007  (Registered User, joined Feb 2007, 22 posts)
Quote:
Originally Posted by skywalker850i
# auditconfig -getpinfo 10705
audit id = hassan(100)
process preselection mask = all(0xffffffff,0xffffffff)
terminal id (maj,min,host) = 6413,23,unknown(172.16.1.202)
audit session id = 3136872915
This tells you that all events generated by this process will end up in the audit trail.

Quote:
auditreduce -u $uid /path/to/audit-trail | praudit
file,1970-01-01 01:00:00.000 +01:00,
file,2007-03-07 10:34:13.000 +00:00,

auditreduce -m AUE_EXECVE /path/to/audit-trail | praudit
file,1970-01-01 01:00:00.000 +01:00,
file,2007-03-07 10:33:21.000 +00:00,
You need to replace /path/to/audit-trail with the actual path of the audit trail, e.g. /var/audit/20070307102412.not_terminated.vaccine.

Quote:
Would it be possible to audit events from user level audit events
# 2048 - 6143 Reserved
?

I tried /usr/sbin/auditconfig -setclass 2048 6143 but it don't work
auditconfig: Invalid kernel audit event number specified.
2048 is outside allowable range 0-512.
I'm not sure what you are trying to do here. The system audits those events based on your preselection mask, there is nothing you need to do to "enable" them.

#10  03-07-2007  (Registered User, joined Mar 2007, 17 posts)
it's working

auditd, you are the king of auditing. It's working now.

It's logging (cd, ls) commands.

header,137,2,execve(2),,beatrix.cyberslotz.co.uk,2007-03-07 14:15:59.040 +00:00
path,/usr/bin/ls
attribute,100555,root,bin,32,342,0
exec_args,1,ls


Task completed.

Thank you.

#11  03-20-2007  (Registered User, joined Mar 2007, 17 posts)
X2100 AMD server

I am having a problem getting info from the X2100 servers running Solaris 10. I can get things like (ls, cd) and so on, but if I use the vi command the logs don't tell me what file the user has opened (with vi) at the time.

I wonder if it's a problem with the X2100 OS arch, or maybe some extra config that I have to do to fix it. I am using the exact same config on my test Sun E250, and that is working just fine.

Help please.

Thanks

#12  03-20-2007  (Registered User, joined Feb 2007, 22 posts)
You need to use the +argv audit policy to see the arguments to exec(2).

Run:
auditconfig -setpolicy +argv

and then add the following line to /etc/security/audit_startup (for it to persist across reboots):
/usr/sbin/auditconfig -setpolicy +argv

#13  03-20-2007  (Registered User, joined Mar 2007, 17 posts)
got it

Thanks auditd, it's working...

#14  03-28-2007  (Registered User, joined Mar 2007, 2 posts)
How to filter unnecessary events?

Hi auditd,
I wanted to see only login/logout and exec events in my logs and set up my auditd configuration as follows. Since I get the logs from the binary file into my Arcsight Agent using the Arcsight Solaris BSM Agent, I get logs that I don't want to see. So these logs are also increasing the file size.

Since I am not familiar with Solaris & BSM, I have tried almost every option to filter the following events. I don't know what they mean, so I don't get such logs.

How can I make a config so that I can only see who is logged in and what command he/she typed?

Thanks in advance!

AUE_DOORFS_DOOR_CALL
AUE_IOCTL


###audit_startup ###
#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/deallocate -Is
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +argv

### audit_control ###
dir:/array/auditlogs
minfree:20
flags:lo,+ex
naflags:lo,+ex

####audit_user ####
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_user.txt 1.6 00/07/17 SMI"
#
#
# User Level Audit User File
#
# File Format
#
# username:always:never
#
#root:all:no
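The rootsh-style "who ran what, when" listing that post #8 was after, and a way to see what post #14's unwanted events amount to, as an added example that is not from the thread and not part of Solaris: a small Python parser for praudit's default comma-delimited text output. It keeps only login, logout and execve records, prints one line per record (time, audit uid, effective uid, event, exec arguments, return status) and counts the event types it dropped, so you can see whether AUE_IOCTL and AUE_DOORFS_DOOR_CALL really are what is bloating the trail. The sample trail is constructed (it reuses the host and terminal from the thread); the layout of the subject token (audit-uid, uid, gid, ruid, rgid, pid, sid, terminal) and the assumption that exec argument strings contain no commas are mine.

```python
"""Condense Solaris BSM audit records, as printed by praudit, into a
rootsh-style "who ran what, when" listing and count what is left out.

Added example written for this thread; it is not the poster's code and not
part of Solaris.  Assumptions: praudit's default comma-delimited output (one
token per line, each record starting at a ``header`` token) and the subject
token layout ``subject,audit-uid,uid,gid,ruid,rgid,pid,sid,terminal``.
Commas inside exec arguments are not handled; see the usage note.
"""
import sys
from collections import Counter

# Constructed sample trail, not taken from the page.  The ioctl(2) and
# door_call(2) records are the kind the last poster wants to get rid of.
SAMPLE_TRAIL = """\
header,70,2,login - local,,beatrix.cyberslotz.co.uk,2007-03-07 14:15:40.100 +00:00
subject,hassan,hassan,other,hassan,other,10696,3136872915,6413 23 172.16.1.202
text,successful login
return,success,0
header,137,2,execve(2),,beatrix.cyberslotz.co.uk,2007-03-07 14:15:59.040 +00:00
subject,hassan,root,other,root,other,10790,3136872915,6413 23 172.16.1.202
path,/usr/bin/ls
attribute,100555,root,bin,32,342,0
exec_args,2,ls,-la
return,success,0
header,91,2,ioctl(2),,beatrix.cyberslotz.co.uk,2007-03-07 14:16:01.000 +00:00
subject,hassan,root,other,root,other,10790,3136872915,6413 23 172.16.1.202
argument,2,0x5401,cmd
return,success,0
header,85,2,door_call(2),,beatrix.cyberslotz.co.uk,2007-03-07 14:16:01.500 +00:00
subject,hassan,root,other,root,other,10790,3136872915,6413 23 172.16.1.202
return,success,0
header,137,2,execve(2),,beatrix.cyberslotz.co.uk,2007-03-07 14:16:05.300 +00:00
subject,hassan,root,other,root,other,10791,3136872915,6413 23 172.16.1.202
path,/usr/bin/vi
attribute,100555,root,bin,32,1203,0
exec_args,2,vi,/etc/motd
return,success,0
header,60,2,logout,,beatrix.cyberslotz.co.uk,2007-03-07 14:17:00.000 +00:00
subject,hassan,hassan,other,hassan,other,10696,3136872915,6413 23 172.16.1.202
return,success,0
"""

# Substrings of praudit event names we want to keep (login - local, logout, execve(2)).
KEEP = ("execve", "login", "logout")


def parse_praudit(text):
    """Split praudit text output into records.

    Each record is a dict mapping token name -> list of token field lists,
    so a record carrying several ``path`` tokens keeps all of them.
    """
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if fields[0] == "header":          # a header token opens a new record
            current = {}
            records.append(current)
        if current is not None:            # ignore anything before the first header
            current.setdefault(fields[0], []).append(fields)
    return records


def event_name(record):
    """Event type as praudit prints it, e.g. ``execve(2)`` or ``login - local``."""
    return record["header"][0][3]


def summarize(records, keep=KEEP):
    """One line per kept record: time, audit uid, effective uid, event, detail, status."""
    lines = []
    for rec in records:
        name = event_name(rec)
        if not any(k in name for k in keep):
            continue
        header = rec["header"][0]
        when = header[6][:19]                               # drop fraction and zone offset
        subject = rec.get("subject", [["subject", "?", "?"]])[0]
        audit_uid, euid = subject[1], subject[2]            # who logged in vs. who they are now
        if "exec_args" in rec:
            detail = " ".join(rec["exec_args"][0][2:])      # field 1 is the argument count
        elif "text" in rec:
            detail = rec["text"][0][1]
        else:
            detail = ""
        status = rec["return"][0][1] if "return" in rec else "?"
        line = f"{when} {audit_uid} (euid {euid}) {name}"
        if detail:
            line += f": {detail}"
        lines.append(f"{line} [{status}]")
    return lines


def noise_events(records, keep=KEEP):
    """Count the event types summarize() discards, to see what fills the trail."""
    return dict(Counter(
        event_name(r) for r in records if not any(k in event_name(r) for k in keep)
    ))


if __name__ == "__main__":
    # "python3 this.py -" reads praudit output from stdin; otherwise the sample is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_TRAIL
    recs = parse_praudit(text)
    print("\n".join(summarize(recs)))
    print("dropped:", noise_events(recs))
```

Feed it a real trail with `auditreduce /var/audit/<file> | praudit | python3 this.py -`. The dropped-event counts only tell you which event types dominate the binary file; they do not shrink it, since the Arcsight agent reads the trail itself, so the fix for the file size still has to come from the preselection flags. The comma splitting is deliberately naive: praudit's text form does not escape commas in arguments, so for anything beyond a quick look parse `praudit -x` (XML) output instead.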