Full Discussion: how to enable file auditing
Operating Systems Solaris how to enable file auditing Post 302203678 by DukeNuke2 on Monday 9th of June 2008 01:53:53 PM
 

10 More Discussions You Might Find Interesting

1. Solaris

BSM Auditing

Hi, I was wondering if anyone has had the problem I'm having or knows how to fix it. I need to audit one of our servers at work. I turned on BSM auditing and modified the audit_control file to only flag the "lo" class (login/outs), then I rebooted. I viewed the log BSM created and it shows a whole... (0 Replies)
Discussion started by: BlueKalel
0 Replies

2. UNIX for Dummies Questions & Answers

File auditing

Hello everybody: I have a file on the system, and I need to check who was the last user who accessed or modified it, and whether I can get any further details like IP or access time, etc. Do you have any idea about a simple concept or way I can do that in Unix Tru64 or Solaris 9? Thanks in advance... (2 Replies)
Discussion started by: aladdin
2 Replies

3. Solaris

Solaris 9 Auditing

How do I setup audit to alert on write conditions for individual files? Thanks. (3 Replies)
Discussion started by: dxs
3 Replies

4. UNIX for Advanced & Expert Users

Auditing

:) I need a little help. I have sent all of our logs to our log server, but I can't send the audit logs that are in /var/log/audit.log. Can someone give me some type of idea to transfer these logs? Thank you. (2 Replies)
Discussion started by: aojmoj
2 Replies

5. UNIX for Advanced & Expert Users

File Auditing in Sun Solaris environment

Hi All, I have a requirement to report us on changing a group of static files. Those are the binary files that run in Production every day. Due to the insecure environment situations, I found many are indulging in their own changes to the binaries by doing some changes in the source code. ... (1 Reply)
Discussion started by: mohan_kumarcs
1 Replies

6. UNIX for Advanced & Expert Users

Solaris auditing (file access logging) for specific directory only.

Hello, We need to log the operations that a specific user on Solaris 10 (SPARC) is performing on one directory and its contents. I was able to configure the Solaris auditing service (auditd) and it works fine. The only problem is that auditd logs a huge amount of unneeded information. We need to log... (0 Replies)
Discussion started by: +Yan
0 Replies

7. Solaris

Unix file, folder permissions, security auditing tools.

I want to periodically check if ASCII password/config files on Unix have 400 or 600 access. Folders and files are owned by designated group and user. Folders and Files do not have world write access. Are there any tools/scripts available for this kind of auditing that I can use on Solaris? (7 Replies)
Discussion started by: kchinnam
7 Replies

8. Shell Programming and Scripting

Auditing script

I need a command line that will ls -l a directory and pick (grep?) all files that don't match a desired owner without losing track of the filename at any point. This way I can list later on "here are all the files with an incorrect owner". Thanks in advance (4 Replies)
Discussion started by: stevensw
4 Replies

9. SCO

Auditing: how to enable?

edit: solution found Auditing Quick Start and Compatibility Notes (1 Reply)
Discussion started by: Linusolaradm1
1 Replies

10. Solaris

Configuring Auditing

Hello Solaris Team, We would like to implement some audit policy (using a log file) in Solaris 10 in order to record the following data in columns per all users: 1. Date 2. Time 3. User 4. Command executed 5. Terminal 6. IP Address Could you please help me in order to... (2 Replies)
Discussion started by: csierra
2 Replies
audevent(1M)                                                              audevent(1M)

NAME
audevent - change or display profile, event, or system call audit status

SYNOPSIS
profile] event]... syscall]...

DESCRIPTION
changes or displays the auditing status of the given profile, event categories, or system calls. A list of pre-defined profiles, event categories, and system call names is given in Any site-specific customizations must be added to See audit.conf(4) for more details.

A profile consists of a set of operations (event categories, self-auditing events, and system calls) that affect a particular type of system. An event category consists of a set of operations (self-auditing events and system calls) that affect a particular aspect of the system.

If neither nor is specified, the current status of the selected profiles, event categories, or system calls is displayed.

If the option is supplied, it is redundant to use to specify particular events. This also applies in the same way to the and options.

If no event category is specified, all event categories associated with the selected profile are selected. If no system call is specified, all system calls associated with the selected profile and event categories are selected. At most one profile may be selected.

takes effect immediately. However, the events and system calls specified are audited only when called by a user currently being audited (see audit(5)).

If is specified, a list of valid profiles, event categories and system calls are displayed. This option may be helpful when deciding which profile, event, or syscall to use with the or options respectively. The same information can also be found in (see audit.conf(4)).

Note: The set of audited system calls and corresponding audit events will change as HP-UX continues to evolve.

Only a privileged user can change or display audit status.

Options
recognizes the following options and command-line arguments:

Audit successful events or system calls.
Do not audit successful events or system calls.
Audit failed events or system calls.
Do not audit failed events or system calls.
Select profile to change or display.
Select all events to change or display.
Select event to change or display. The event must be a valid event category (base event or event alias) that is defined in or
Select all system calls to change or display.
Select syscall to change or display. The syscall must be a valid system call name or system call alias name that is defined in or
Display a list of valid profiles, event categories, and system calls. This option must not be used with any other options.

The following is a list of the pre-defined event types or categories:

Object creation. For example: file creation, directory creation, and other object creation.
Object deletion. For example: file deletion, directory deletion, and other object deletion.
Discretionary access control (DAC) information reading events.
DAC modification events.
Non-DAC modification events.
Object opening. For example: file open and other object open.
Object closing. For example: file close and other object close.
Process operations.
Removable media events. For example: mounting and unmounting events.
Login and logout events not related to any particular system call.
All administrative and privileged events.
Interprocess Communication (IPC) object creation.
IPC object opening.
IPC object deletion.
IPC Datagram transactions.
User-defined event 1 (for self-auditing records).
User-defined event 2 (for self-auditing records).
User-defined event 3 (for self-auditing records).

EXAMPLES
Example 1: To display the list of valid profiles, event categories, and system calls as defined in file and use:

Example 2: To display the current audit event selection status, use:

The selection status for self-auditing events will be listed first, followed by the selection status for system calls.

Example 3: To audit all and only the events that are associated with profile basic for auditing, use:

Example 4: To audit all bad login attempts, use:

Without doing a first, this configuration will be made incremental to what has already been configured before.

WARNINGS
All modifications made to the auditing system are lost upon reboot. To make the changes permanent, set or in

AUTHOR
was developed by HP.

FILES
File containing event mapping information
File containing site-specific event mapping information.

SEE ALSO
audisp(1M), audomon(1M), audsys(1M), audusr(1M), audit.conf(4), audit(5).

audevent(1M)