Hi Guys,

I am new to this forum so I am sorry if i posted this thread in the wrong place. I am currently trying to get BSM to work on solaris 10 by Logging few things for me. I need your help to complete this task please.

this is the config of the audit files:

audit_conto

# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit
flags:lo,ad,cc
minfree:20
naflags:lo,ad,ex

audit class

#
# mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:adld administrative (meta-class)
0x00100000srocess start/stop
0x00200000mrocess modify
0x00300000crocess (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000tther
0xffffffff:all:all classes (meta-class)
0x08000000:cc:CIS custom class


I only need to audit what users execute. Is there an easy way to do it.

Thanks

You want to add the ex class to the flags: in audit_control so it reads:
flags:lo,ad,cc,ex

Or as you have defined your own audit class (cc) you could add it to AUE_EXECVE in audit_event so it reads:
22:AUE_EXECVE:execve(2):ps,ex,cc

See this post for more information.

Thanks I will try that today. The only thing now is formatting the output via praudit/auditrace. I will have to work on creating a script that will do that for me.

Hi,

I have managed to get rootsh to work. What I want it to do is to start logging users session as soon as they loging to the box. rootsh uses sudo root user and I don't have that setup here. what do you guys think?

I thought about using the .profile and adding a line like

/usr/local/bin/rootsh --user=$username --logdir=$logs

any idea?

thanks

IMO you get better logging with Solaris auditing than rootsh. If I know you audit my actions with rootsh I will just write a C program that does all my covert actions and you won't be able to see it - the only thing rootsh catches is that I downloaded a file which I then executed.

With Solaris auditing you can not hide your actions as the logging happens in the kernel (for system calls), so even if you run an unknown program I will be able to see what it was up to.

The only downside to Solaris auditing is that the output format is harder to read, but there will soon be a nice gui to view the audit trail in, where you easily can chose to view the commands executed by a user.

right, here is what i did then.

# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit
flags:lo,ad,cc,ex
minfree:20
naflags:lo


# User Level Class Masks
#
# Developers: If you change this file you must also edit audit.h.
#
# "Meta-classes" can be created; these are supersets composed of multiple base
# classes, and thus will have more than 1 bit in its mask. See "ad", "all",
# "am", and "pc" below for examples.
#
# The "no" (invalid) class below is commonly (but not exclusively) used in
# audit_event for obsolete events.
#
#
# File Format:
#
# mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:adld administrative (meta-class)
0x00100000srocess start/stop
0x00200000mrocess modify
0x00300000crocess (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000tther
0xffffffff:all:all classes (meta-class)
0x08000000:cc:CIS custom class



23:AUE_EXECVE:execve(2)s,ex,cc


Just like how you recommanded. ( I think) !!

Now, I cann't see things like (cd / or ls -ltr) command or i may need to look deep into the log files. In addation, the size of the logs is in Gigs, it looks like i am going to need to acquire more disk space soon!!

snap shot!!

subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.298 +00:00
argument,1,0xff360000,base
argument,2,0x73d4,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.298 +00:00
argument,1,0xff344000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.298 +00:00
argument,1,0xff340000,base
argument,2,0x12b8,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.299 +00:00
argument,1,0xff2d4000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.299 +00:00
argument,1,0xff200000,base
argument,2,0x204d8,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.300 +00:00
argument,1,0xff31c000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.300 +00:00
argument,1,0xff310000,base
argument,2,0x3588,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.301 +00:00
argument,1,0xff192000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.301 +00:00
argument,1,0xff100000,base
argument,2,0x15b74,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.301 +00:00
argument,1,0xff1e2000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
file,2007-03-06 13:56:42.310 +00:00,



the idea behind this auditing thing is, to have all commands logged now, i didn't think the output is going to be like that. Now, if i get a request from management to produce the command set for one the users is going to be a nightmare to have something that will explaine to them what that users did in a nice layout.

any idea when the gui will be downloadable.
thanks