|
|
Sponsored Content
Top Forums
UNIX for Dummies Questions & Answers
solaris BSM and Auditing
Post 302109274 by skywalker850i on Monday 5th of March 2007 05:10:51 AM
03-05-2007
solaris BSM and Auditing
Hi Guys,
I am new to this forum so I am sorry if i posted this thread in the wrong place. I am currently trying to get BSM to work on solaris 10 by Logging few things for me. I need your help to complete this task please.
this is the config of the audit files:
audit_conto
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit
flags:lo,ad,cc
minfree:20
naflags:lo,ad,ex
audit class
#
# mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad
ld administrative (meta-class)
0x00100000
srocess start/stop
0x00200000mrocess modify
0x00300000crocess (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000tther
0xffffffff:all:all classes (meta-class)
0x08000000:cc:CIS custom class
I only need to audit what users execute. Is there an easy way to do it.
Thanks
I am new to this forum so I am sorry if i posted this thread in the wrong place. I am currently trying to get BSM to work on solaris 10 by Logging few things for me. I need your help to complete this task please.
this is the config of the audit files:
audit_conto
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit
flags:lo,ad,cc
minfree:20
naflags:lo,ad,ex
audit class
#
# mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad
ld administrative (meta-class)0x00100000
srocess start/stop0x00200000
mrocess modify0x00300000
crocess (meta-class)0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000
tther0xffffffff:all:all classes (meta-class)
0x08000000:cc:CIS custom class
I only need to audit what users execute. Is there an easy way to do it.
Thanks
|
|
10 More Discussions You Might Find Interesting
1. Solaris
I'm looking for a software to capture my systems logs, and bsm (basic security module) logs to centralise the administration. Do you have a suggestions. Opensource or not. (6 Replies)
Discussion started by: simquest
6 Replies
2. Programming
I have a C program and want to write messages to a log. BSM is being used for O/S auditing. Can I write my messages to the BSM log? If so, how do I do that? I'm not finding any API's for that. Any URLs, samples, guidance would be appreciated. (0 Replies)
Discussion started by: JDO
0 Replies
3. Solaris
I got a lot of this message in my /var/audit log
how can I exclude this message?
header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument
,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies
4. Solaris
How do I setup audit to alert on write conditions for individual files? Thanks. (3 Replies)
Discussion started by: dxs
3 Replies
5. Solaris
Hello,
I was wondering when Solaris auditing is enabled, If it is possible to keep track of users that are allowed to sudo to root. In other words, I would like to know which user did what on my Solaris box. (assumig that user can "sudo su -" )
Thanks. (2 Replies)
Discussion started by: niyazi
2 Replies
6. Solaris
Let me preface with I am semi-new to Solaris. I work with it in the labs at work and that's about my extent (although I run Linux at home).
Well, a week ago security comes around with updated requirements, some of which are the need to audit all failures. For the life of me I cannot get a... (0 Replies)
Discussion started by: mph275
0 Replies
7. Solaris
Hi ,
I don't want logs from a particular "library" to get recorded in the audit.log file. Is that possible with BSM? Please guide.
Thanks. (2 Replies)
Discussion started by: chinchao
2 Replies
8. Solaris
New to Solaris in general (coming from a RHEL background) I'm trying to enable auditing on the system with the following in /etc/security/audit_control:
But there are two areas where it seems to break with expected behavior (maybe it's poor expectations on my part):
1) it seems to be... (0 Replies)
Discussion started by: thmnetwork
0 Replies
9. Solaris
Hi all,
I'm trying to read Solaris BSM log in user friendly form. Found old tools including bsmparser java tool and php code. But none of them working. What are you using for parsing BSM log? (2 Replies)
Discussion started by: sembii
2 Replies
10. Solaris
Hello,
Im glad to become a member of this forums,
Im new on solaris and recentrly im introducing to use auditing service in that system.
The need is, that I need how to exclude a directory to the audit service not audit it.
And, a plus, I need of how to disable auditing the root user in... (0 Replies)
Discussion started by: sysh4ck
0 Replies
LEARN ABOUT HPUX
audit_class
audit_class(4) File Formats audit_class(4) NAME
audit_class - audit class definitions SYNOPSIS
/etc/security/audit_class DESCRIPTION
/etc/security/audit_class is a user-configurable ASCII system file that stores class definitions used in the audit system. Audit events in audit_event(4) are mapped to one or more of the defined audit classes. audit_event can be updated in conjunction with changes to audit_class. See audit_control(4) and audit_user(4) for information about changing the preselection of audit classes in the audit system. Programs can use the getauclassent(3BSM) routines to access audit class information. The fields for each class entry are separated by colons. Each class entry is a bitmap and is separated from each other by a newline. Each entry in the audit_class file has the form: mask:name:description The fields are defined as follows: mask class mask name class name description class description Each class is represented as a bit in the class mask which is an unsigned integer. Thus, there are 32 different classes available. Meta- classes can also be defined. These are supersets composed of multiple base classes, and thus will have more than 1 bit in its mask. See EXAMPLES. Two special meta-classes are also pre-defined: all, and no. all Represents a conjunction of all allowed classes, and is provided as a shorthand method of specifying all classes. no Is the invalid class, and any event mapped solely to this class will not be audited. Turning auditing on to the all meta class will not cause events mapped solely to the no class to be written to the audit trail. This class is also used to map obsolete events which are no longer generated. Obsolete events are retained to process old audit trails files. EXAMPLES
Example 1: Using an audit_class File The following is an example of an audit_class file: 0x00000000:no:invalid class 0x00000001:fr:file read 0x00000002:fw:file write 0x00000004:fa:file attribute access 0x00000008:fm:file attribute modify 0x00000010:fc:file create 0x00000020:fd:file delete 0x00000040:cl:file close 0x00000100:nt:network 0x00000200:ip:ipc 0x00000400:na:non-attribute 0x00001000:lo:login or logout 0x00004000:ap:application 0x000f0000:ad:old administrative (meta-class) 0x00070000:am:administrative (meta-class) 0x00010000:ss:change system state 0x00020000:as:system-wide administration 0x00040000:ua:user administration 0x00080000:aa:audit utilization 0x00300000:pc:process (meta-class) 0x00100000:ps:process start/stop 0x00200000:pm:process modify 0x20000000:io:ioctl 0x40000000:ex:exec 0x80000000:ot:other 0xffffffff:all:all classes (meta-class) FILES
/etc/security/audit_class ATTRIBUTES
See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Interface Stability | See below | +-----------------------------+-----------------------------+ The file format stability is evolving. The file content is unstable. SEE ALSO
bsmconv(1M), au_preselect(3BSM), getauclassent(3BSM), audit_control(4), audit_event(4), audit_user(4), attributes(5) NOTES
It is possible to deliberately turn on the no class in the kernel, in which case the audit trail will be flooded with records for the audit event AUE_NULL. This functionality is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information. SunOS 5.10 6 Jan 2003 audit_class(4)