03-02-2008
Quote: Originally Posted by geoffry
I get a lot of these messages in my /var/audit log. How can I exclude this message?
header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094 10.88.95.158,return,failure: Invalid argument,-1
If you want to exclude a specific audit event from the audit trail you have two choices:
- don't audit the class which the event belongs to
- edit /etc/security/audit_event and remove the event class
au_preselect(3BSM) au_preselect(3BSM)
NAME
au_preselect - preselect an audit event
SYNOPSIS
cc [ flag... ] file... -lbsm -lsocket -lnsl [ library... ]
#include <bsm/libbsm.h>
int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag);
DESCRIPTION
The au_preselect() function determines whether the audit event event is preselected against the binary preselection mask pointed to by mask_p (usually obtained by a call to getaudit(2)). The au_preselect() function looks up the classes associated with event in audit_event(4) and compares them with the classes in mask_p. If the classes associated with event match the classes in the specified portions of the binary preselection mask pointed to by mask_p, the event is said to be preselected.
The sorf argument indicates whether the comparison is made with the success portion, the failure portion, or both portions of the mask pointed to by mask_p. The following are the valid values of sorf:
AU_PRS_SUCCESS   Compare the event class with the success portion of the preselection mask.
AU_PRS_FAILURE   Compare the event class with the failure portion of the preselection mask.
AU_PRS_BOTH      Compare the event class with both the success and failure portions of the preselection mask.
The flag argument tells au_preselect() how to read the audit_event(4) database. Upon initial invocation, au_preselect() reads the audit_event(4) database and allocates space in an internal cache for each entry with malloc(3C). In subsequent invocations, the value of flag determines where au_preselect() obtains audit event information. The following are the valid values of flag:
AU_PRS_REREAD    Get audit event information by searching the audit_event(4) database.
AU_PRS_USECACHE  Get audit event information from the internal cache created upon the initial invocation. This option is much faster.
RETURN VALUES
Upon successful completion, au_preselect() returns 0 if event is not preselected or 1 if event is preselected. If au_preselect() could not allocate memory or could not find event in the audit_event(4) database, -1 is returned.
FILES
/etc/security/audit_class   file mapping audit class numbers to audit class names and descriptions
/etc/security/audit_event   file mapping audit event numbers to audit event names and associated classes
ATTRIBUTES
See attributes(5) for a description of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
+-----------------------------+-----------------------------+
| Interface Stability         | Stable                      |
+-----------------------------+-----------------------------+
| MT-Level                    | MT-Safe                     |
+-----------------------------+-----------------------------+
SEE ALSO
bsmconv(1M), getaudit(2), au_open(3BSM), getauclassent(3BSM), getauevent(3BSM), malloc(3C), audit_class(4), audit_event(4), attributes(5)
NOTES
The au_preselect() function is normally called prior to constructing and writing an audit record. If the event is not preselected, the overhead of constructing and writing the record can be saved.
The functionality described on this manual page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.
31 Mar 2005 au_preselect(3BSM)
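As an added worked example (not code from the thread or from Solaris), this models the preselection check the man page describes, run against constructed audit_class(4)/audit_event(4) excerpts and an audit_control(4)-style flags line, and then applies the reply's second option (taking the class off the event's audit_event line) to show why that event stops being preselected. The class bit values, event entries and helper names are assumptions for illustration; the +/-/^ prefix rules follow audit_control(4).

```python
# Added example (not Solaris code): the audit_class/audit_event excerpts and bit values are constructed.
from functools import reduce
AU_PRS_SUCCESS, AU_PRS_FAILURE, AU_PRS_BOTH = 1, 2, 3          # sorf values
AUDIT_CLASS = ("0x00000000:no:invalid class\n0x00000800:lo:login or logout\n"
               "0x00001000:ad:administrative\n0x00020000:ex:exec\n")
AUDIT_EVENT = "23:AUE_EXECVE:execve(2):ex\n6164:AUE_su:su(1M):lo,ad\n"

def parse_classes(text=AUDIT_CLASS):
    """audit_class(4) lines mask:name:description -> {name: bitmask}."""
    return {f[1]: int(f[0], 16) for f in (l.split(":", 2) for l in text.splitlines() if l)}

def event_classes(event, event_db=AUDIT_EVENT):
    """audit_event(4) lookup (number:name:description:classes): OR of the event's class masks, or None."""
    classes = parse_classes()
    for line in event_db.splitlines():
        num, _name, _desc, cls = line.split(":", 3)
        if int(num) == event:
            return reduce(lambda m, c: m | classes[c], cls.split(","), 0)
    return None

def flags_to_mask(flags):
    """audit_control(4) flags -> (success, failure) masks, i.e. an au_mask_t.
    name = both portions, +name = successes only, -name = failures only, ^ = turn off."""
    classes, success, failure = parse_classes(), 0, 0
    for item in flags.split(","):
        off, item = item.startswith("^"), item.lstrip("^")
        bits = classes[item.lstrip("+-")]
        if not item.startswith("-"):   # success portion is affected
            success = success & ~bits if off else success | bits
        if not item.startswith("+"):   # failure portion is affected
            failure = failure & ~bits if off else failure | bits
    return success, failure

def au_preselect(event, mask, sorf, event_db=AUDIT_EVENT):
    """1 if preselected, 0 if not, -1 if event is absent from audit_event (the man page's error)."""
    bits = event_classes(event, event_db)
    if bits is None:
        return -1
    hit = (((bits & mask[0]) if sorf & AU_PRS_SUCCESS else 0)
           | ((bits & mask[1]) if sorf & AU_PRS_FAILURE else 0))
    return 1 if hit else 0

def drop_class(event_db, name, cls):
    """The reply's second option: remove class cls from the audit_event(4) line of event name."""
    out = []
    for f in (l.split(":") for l in event_db.splitlines()):
        if f[1] == name:
            f[3] = ",".join(c for c in f[3].split(",") if c != cls) or "no"
        out.append(":".join(f))
    return "\n".join(out) + "\n"
```

With flags "lo,-ad,+ex", AUE_su (classes lo,ad) is preselected for both portions; after drop_class removes lo it is preselected for failures only (via ad), and after ad is removed too it is never preselected, which is the effect the reply relies on.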