UNIX for Dummies Questions & Answers: If you're not sure where to post a UNIX or Linux question, post it here. All UNIX and Linux newbies welcome!
#15
Your auditd config should look like the following:

Run /etc/security/bsmconv and make sure /etc/system has been updated (set c2audit:audit_load = 1), then reboot.

vi audit_startup:
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
/usr/sbin/auditconfig -setpolicy +argv

Add the following class to your /etc/security/audit_class:
0x08000000:cc:CIS custom class

vi the audit_event, find entry 23 and add cc, just like the following entry:
23:AUE_EXECVE:execve(2)

vi audit_control and make sure that you have the following lines:
dir:/var/audit
flags:lo,ad,cc
minfree:20
naflags:lo

vi audit_user, where userX is the name of the user you want to audit:
userX:lo:no
userX:lo,ad,cc,exec,all
userX:lo,ad,cc,exec,al

To get any reading from your logs use the below command:
auditreduce -c lo /var/audit/20070329110000.not_terminated.*servername* | praudit

and that will give you what you want!! Good luck.
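A scripted form of the audit_event and audit_control edits described in the post above, added here as an example and not the poster's own commands. It tags event 23 with the custom cc class (skipping the edit if the class is already present) and rewrites the flags: line, working on constructed sample copies in a scratch directory rather than on /etc/security; the sample class lists (ps,ex) are constructed, not copied from a live system.

```shell
#!/bin/sh
# Added example: apply the audit_event / audit_control edits from the post above
# to constructed sample copies in a scratch directory, never to /etc/security.
# Line formats: audit_event   number:name:description:classes
#               audit_control key:value
WORK="${WORK:-$(mktemp -d)}"
# Constructed samples (class lists ps,ex are illustrative, not taken from a real box)
cat > "$WORK/audit_event" <<'EOF'
22:AUE_FORK:fork(2):ps
23:AUE_EXECVE:execve(2):ps,ex
24:AUE_CHDIR:chdir(2):ps
EOF
cat > "$WORK/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ad
minfree:20
naflags:lo
EOF
# add_class FILE EVENT CLASS: append CLASS to EVENT's class list unless already there
add_class() {
    awk -F: -v ev="$2" -v cls="$3" 'BEGIN { OFS = ":" }
        $1 == ev {
            n = split($4, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == cls) { print; next }
            $4 = ($4 == "" ? cls : $4 "," cls)
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# event_classes FILE EVENT: print the class list recorded for EVENT
event_classes() { awk -F: -v ev="$2" '$1 == ev { print $4 }' "$1"; }

# set_flags FILE LIST: replace the system-wide flags: line with LIST
set_flags() {
    awk -F: -v list="$2" 'BEGIN { OFS = ":" } $1 == "flags" { $2 = list } { print }' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# has_flag FILE CLASS: succeed only if the flags: line lists CLASS
has_flag() {
    awk -F: -v cls="$2" '$1 == "flags" { n = split($2, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == cls) ok = 1 } END { exit !ok }' "$1"
}

add_class "$WORK/audit_event" 23 cc        # 23:AUE_EXECVE:execve(2):ps,ex,cc
set_flags "$WORK/audit_control" lo,ad,cc   # flags:lo,ad,cc
echo "event 23 classes: $(event_classes "$WORK/audit_event" 23)"
has_flag "$WORK/audit_control" cc && echo "audit_control flags include cc"
```

Point WORK at a copy of your own files to preview the change before touching /etc/security, and remember that audit_class must also carry the cc definition for the tag to mean anything to auditconfig.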
#16
Fine!
Hi auditd. It's ok now.
Thanks for your help.
#17
Effective UID root
Hello all,
I am working with a Solaris 10 system that has a minimum of 250 users on it during any business day. I need to track all +ex where the effective UID is root and nothing more. BSM seems like the best tool for this because of how well it tracks each user with its audit-id. I have root:+ex in my audit_user file; however, this setting applies only to console logins of root because we do not allow remote. I have flags: +ex in my audit_control file; however, with the number of users I have, this setting will generate an audit trail which is too large for my file system, with a ton of unnecessary data. Does anyone know how I could set up BSM to audit only the effective UID of root?
#18
I need to find some answers for this. According to the manuals, BSM auditing, when turned on, uses up a lot of disk space; my question is how much disk will the logs use up every month?
Also, does anybody know what the equivalent of Solaris BSM is on HP-UX? Does HP-UX have any built-in auditing capabilities similar to Solaris?
Last edited by sparcguy; 01-21-2008 at 02:04 AM.
#19
Quote:
The problem is that it depends on a lot of things, like:
The best way is to start auditing using the settings you want and closely monitor the audit trail, then tune the settings if it grows too large. I have systems which generate over 100 MB/day and others which generate less than 1 MB/day, using the same audit settings. See this page for more information.