Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Solaris BSM audit log
Operating Systems Solaris Solaris BSM audit log Post 302172143 by auditd on Sunday 2nd of March 2008 08:32:45 PM
Old 03-02-2008
Quote:
Originally Posted by geoffry
I got a lot of this message in my /var/audit log

how can I exclude this message?

header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument
,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094 10.88.95.158,return,failure: Invalid
argument,-1
If you want to exclude a specific audit event from the audit trail you have two choises:
- don't audit the class which the event belongs to
- edit /etc/security/audit_event and remove the event class
 

10 More Discussions You Might Find Interesting

1. Solaris

Solaris BSM log software

I'm looking for a software to capture my systems logs, and bsm (basic security module) logs to centralise the administration. Do you have a suggestions. Opensource or not. (6 Replies)
Discussion started by: simquest
6 Replies

2. Programming

how to write to Solaris BSM log

I have a C program and want to write messages to a log. BSM is being used for O/S auditing. Can I write my messages to the BSM log? If so, how do I do that? I'm not finding any API's for that. Any URLs, samples, guidance would be appreciated. (0 Replies)
Discussion started by: JDO
0 Replies

3. UNIX for Dummies Questions & Answers

solaris BSM and Auditing

Hi Guys, I am new to this forum so I am sorry if i posted this thread in the wrong place. I am currently trying to get BSM to work on solaris 10 by Logging few things for me. I need your help to complete this task please. this is the config of the audit files: audit_conto # Copyright... (18 Replies)
Discussion started by: skywalker850i
18 Replies

4. Solaris

audit in solaris

How do I know that audit is enabled in soalris. in AIX 'audit query' command gives me the info whether auditing is on or not. Raghav (1 Reply)
Discussion started by: raghavender_sri
1 Replies

5. Solaris

audit in solaris 10

can you please share what you use to audit what files are deleted, when files are deleted and who deleted them? thx (1 Reply)
Discussion started by: melanie_pfefer
1 Replies

6. Solaris

Audit in Solaris Servers.

Hi Friends I am a Solaries newbie and I am looking out for a software or command or config that can capture all commands run by all users on a server on a daily basis. I believe that this Audit is being done in almost all enterprises and would like to know how the same is done there. Any... (3 Replies)
Discussion started by: Hari_Ganesh
3 Replies

7. Solaris

BSM auditing issues, need to audit "permission denied"

Let me preface with I am semi-new to Solaris. I work with it in the labs at work and that's about my extent (although I run Linux at home). Well, a week ago security comes around with updated requirements, some of which are the need to audit all failures. For the life of me I cannot get a... (0 Replies)
Discussion started by: mph275
0 Replies

8. Cybersecurity

audit user in BSM/C2 Log

Hi, I keep encountering events in the BSM/C2 logs which shows that the audit-user who performed the event is the user (e.g. ongkk in the example below). However, the user is able to show me that he wasn't logged in at that time nor have the rights to perform the event (e.g. su in this example).... (5 Replies)
Discussion started by: BERNIELEE68
5 Replies

9. Solaris

Enabling Solaris Audit log: Solaris 9

Dear All, I have one of my Servers, running Solaris 9. I wanna enable the Audit log enabling, the way I did in Solaris 10 Servers. After running, the bsmconv script, giving the reboots, modifying all the audit files in /etc/security, the audit is enabled, but the audit file which shall be... (3 Replies)
Discussion started by: sumeet1806
3 Replies

10. Solaris

How can I read Solaris BSM log?

Hi all, I'm trying to read Solaris BSM log in user friendly form. Found old tools including bsmparser java tool and php code. But none of them working. What are you using for parsing BSM log? (2 Replies)
Discussion started by: sembii
2 Replies

LEARN ABOUT XFREE86

au_preselect

au_preselect(3BSM)														au_preselect(3BSM)

NAME

       au_preselect - preselect an audit event

SYNOPSIS

       cc [ flag... ] file... -lbsm -lsocket -lnsl  [ library... ]
       #include <bsm/libbsm.h>

       int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag);

       The  au_preselect()  function  determines  whether the audit event event is preselected	against the binary preselection mask pointed to by
       mask_p (usually obtained by a  call  to	getaudit(2)).  The  au_preselect()  function  looks  up  the  classes  associated  with  event	in
       audit_event(4)  and  compares them with the classes in mask_p. If the classes associated with event match the classes in the specified por-
       tions of the binary preselection mask  pointed to by mask_p, the event is said to be preselected.

       The sorf argument indicates whether the comparison is made with the success portion, the failure portion, or  both  portions  of  the  mask
       pointed to by mask_p.

       The following are the valid values of sorf:

       AU_PRS_SUCCESS	       Compare the event class with the success portion of the preselection mask.

       AU_PRS_FAILURE	       Compare the event class with the failure portion of the preselection mask.

       AU_PRS_BOTH	       Compare the event class with both the success and failure portions of the  preselection mask.

       The  flag  argument  tells  au_preselect()  how	to  read  the  audit_event(4)  database. Upon initial invocation, au_preselect() reads the
       audit_event(4) database and allocates space in an internal cache for each entry with malloc(3C). In subsequent invocations,  the  value	of
       flag determines where au_preselect() obtains audit event information. The following are the valid values of flag:

       AU_PRS_REREAD	       Get audit event information by searching the audit_event(4) database.

       AU_PRS_USECACHE	       Get audit event information from internal cache created upon the initial invocation. This option is much faster.

       Upon  successful  completion,au_preselect() returns 0 if event is not preselected or 1 if event is preselected. If au_preselect() could not
       allocate memory or could not find  event in the audit_event(4) database, -1 is returned.

       /etc/security/audit_class       file mapping audit class number to audit class names and descriptions

       /etc/security/audit_event       file mappint audit even number to audit event names and associates

       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Stable			   |
       +-----------------------------+-----------------------------+
       |MT-Level		     |MT-Safe			   |
       +-----------------------------+-----------------------------+

       bsmconv(1M), getaudit(2), au_open(3BSM), getauclassent(3BSM), getauevent(3BSM), malloc(3C), audit_class(4), audit_event(4), attributes(5)

       The au_preselect() function is normally called prior to constructing and writing an audit record. If the  event	is  not  preselected,  the
       overhead of constructing and writing the  record can be saved.

       The functionality described on this manual page is available only if the Basic Security Module (BSM) has been enabled.  See bsmconv(1M) for
       more information.

								    31 Mar 2005 						au_preselect(3BSM)
All times are GMT -4. The time now is 08:34 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy