Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Solaris Auditing: Newly specified events not being logged
Special Forums Cybersecurity Solaris Auditing: Newly specified events not being logged Post 302503791 by DraconianTimes on Friday 11th of March 2011 04:52:46 PM
Old 03-11-2011
Whilst I do use Solaris auditing on all my boxes, I don't currently have access to my test system to try out the syslog plugin. A few thoughts:

1. Are you seeing the lo events in the syslog feed?
2. Are you able to see the fd events if you configure audit to write them to file?
3. All the documentation* examples for the syslog plugin show p_flags entries as preceeded by either a "+" or "-" - perhaps try adding these?

(SAG: Security Services, #816-4557-19, Sep 2010)
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

solaris BSM and Auditing

Hi Guys, I am new to this forum so I am sorry if i posted this thread in the wrong place. I am currently trying to get BSM to work on solaris 10 by Logging few things for me. I need your help to complete this task please. this is the config of the audit files: audit_conto # Copyright... (18 Replies)
Discussion started by: skywalker850i
18 Replies

2. Solaris

Solaris 9 Auditing

How do I setup audit to alert on write conditions for individual files? Thanks. (3 Replies)
Discussion started by: dxs
3 Replies

3. AIX

Auditing events

Hi there, I want to enable auditing for the following events in a critical AIX UNIX server by editing the /etc/syslog.conf file: Authentication events (login success, login failure, logout) Privilege use events (change to another user etc.) ... (1 Reply)
Discussion started by: venksel
1 Replies

4. UNIX for Advanced & Expert Users

File Auditing in Sun Solaris environment

Hi All, I have a requirement to report us on changing a group of static files. Those are the binary files that run in Production every day. Due to the in sercure environment situations, I found many are indulging in there own changes to the binaries by doing some changes in the souce code. ... (1 Reply)
Discussion started by: mohan_kumarcs
1 Replies

5. Solaris

Solaris user auditing

Hello, I was wondering when Solaris auditing is enabled, If it is possible to keep track of users that are allowed to sudo to root. In other words, I would like to know which user did what on my Solaris box. (assumig that user can "sudo su -" ) Thanks. (2 Replies)
Discussion started by: niyazi
2 Replies

6. Solaris

Newly Compiled GCC 4.4.4 on Solaris sparc gives problem with -m32/-m64 flags

Hello experts, This issue has kept me busy all day long. It started off with openssl compilation which was giving linking error with following message: /usr/local/bin/ld: target elf32-sparc not found collect2: ld returned 1 exit status I tried every step possible thing that I could think... (2 Replies)
Discussion started by: d_shanke
2 Replies

7. Solaris

Solaris- How to scan newly attached NIC's

Hi folks, How can I scan newly attached network interfaces to server without reboot? Is there any command or something to scan without reboot. Thanks (5 Replies)
Discussion started by: snchaudhari2
5 Replies

8. Solaris

Newly relabelled disc unable to initialize to Solaris 8 login - please help

We are having a problem with initializing Solaris 8 installed on a Sunblade 1500 after having cloned the hard disc. (The cloning process was done in a windows environment. Not a UNIX environment.) Immediately after the cloning process neither hard disc would boot until the format label... (10 Replies)
Discussion started by: DR_RALT
10 Replies

9. Solaris

Could not logon to newly installed Solaris 11.2

Dear Solaris 11 experts, I can not logon to a newly installed Solaris 5.11 11.2 i86pc i386 i86pc just downloaded today, despite having entered username and password to be created. However, I cannot get on to this workstation after Solaris installation completion. Can you advice how to reset my... (5 Replies)
Discussion started by: gjackson123
5 Replies

10. Solaris

Exclude an specific directory for auditing in Solaris 10

Hello, Im glad to become a member of this forums, Im new on solaris and recentrly im introducing to use auditing service in that system. The need is, that I need how to exclude a directory to the audit service not audit it. And, a plus, I need of how to disable auditing the root user in... (0 Replies)
Discussion started by: sysh4ck
0 Replies

LEARN ABOUT PHP

audit_syslog

audit_syslog(5) 					Standards, Environments, and Macros					   audit_syslog(5)

NAME

       audit_syslog - realtime conversion of Solaris audit data to syslog messages

SYNOPSIS

       /usr/lib/security/audit_syslog.so

DESCRIPTION

       The  audit_syslog plugin module for Solaris audit, /usr/lib/security/audit_syslog.so, provides realtime conversion of Solaris audit data to
       syslog-formatted (text) data and sends it to a syslog daemon as configured in syslog.conf(4). The plugin's path is specified in	the  audit
       configuration file, audit_control(4).

       Messages  to syslog are written if selected via the plugin option in audit_control. Syslog messages are generated with the facility code of
       LOG_AUDIT (audit in syslog.conf(4)) and severity of LOG_NOTICE. Audit syslog messages contain data selected from the tokens  described  for
       the  binary  audit  log. (See audit.log(4)). As with all syslog messages, each line in a syslog file consists of two parts, a syslog header
       and a message.

       The syslog header contains the date and time the message was generated, the host name from which it was sent, auditd to	indicate  that	it
       was  generated  by  the	audit daemon, an ID field used internally by syslogd, and audit.notice indicating the syslog facility and severity
       values. The syslog header ends with the characters "] ", that is, a closing square bracket and a space.

       The message part starts with the event type from the header token. All subsequent data appears only if  contained  in  the  original  audit
       record and there is room in the 1024-byte maximum length syslog line. In the following example, the backslash () indicates a continuation;
       actual syslog messages are contained on one line:

       Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok
       session 401 by joeuser as root:other from myultra obj /export/home

       In the preceding example, chdir(2) is the event type. Following this field is additional data, described below. This data is omitted if	it
       is not contained in the source audit record.

       ok or failed

	   Comes from the return or exit token.

       session <#>

	   <#> is the session ID from the subject token.

       by <name>

	   <name> is the audit ID from the subject token.

       as <name>:<group>

	   <name> is the effective user ID and <group> is the effective group ID from the subject token.

       in <zone name>

	   The zone name. This field is generated only if the zonename audit policy is set.

       from <terminal>

	   <terminal> is the text machine address from the subject token.

       obj <path>

	   <path>  is the path from the path token The path can be truncated from the left if necessary to fit it on the line. Truncation is indi-
	   cated by leading ellipsis (...).

       proc_uid <owner>

	   <owner> is the effective user ID of the process owner.

       proc_auid <owner>

	   <owner> is the audit ID of the process owner.

       The following are example syslog messages:

       Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] 
       system booted

       Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] 
       login - rlogin ok session 401 by joeuser as joeuser:staff from myultra

       Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] 
       access(2) ok session 255 by janeuser as janeuser:staff from 129.146.89.30 
       obj /etc/passwd

OBJECT ATTRIBUTES

       The p_flag attribute, specified by means of the plugin directive (see audit_control(4)), is used to further filter audit data being sent to
       the  syslog daemon beyond the classes specified through the flags and naflags lines of audit_control and through the user-specific lines of
       audit_user(4). The parameter is a comma-separated list; each item represents an audit class (see audit_class(4)) and is specified using the
       same  syntax used in audit_control for the flags and naflags lines. The default (no p_flags listed) is that no audit records will be gener-
       ated.

EXAMPLES

       Example 1: One Use of the plugin Line

       In the specification shown below, the plugin line (in conjunction with flags and naflags) is used to allow class records for lo but  allows
       class  records for am for failures only. Omission of the fm class records results in no fm class records being output. The pc parameter has
       no effect because you cannot add classes to those defined by means of flags and naflags and by audit_user(4). You can only remove them.

       flags: lo,am,fm
       naflags: lo
       plugin: name=audit_syslog.so; p_flags=lo,-am

       Example 2: Use of all

       In the specification shown below, with one exception, all allows all flags defined by means of flags and naflags (and  audit_user(4)).  The
       exception  the  am metaclass, which is equivalent to ss,as,ua, which is modified to output all ua events but only failure events for ss and
       as.

       flags: lo,am
       naflags: lo
       plugin: name=audit_syslog.so; p_flags=all,^+ss,^+as

ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |MT Level		     |MT-Safe			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |: 			   |
       +-----------------------------+-----------------------------+
       | message format 	     |Unstable			   |
       +-----------------------------+-----------------------------+
       | message content	     |Unstable			   |
       +-----------------------------+-----------------------------+
       | config parameters	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       auditd(1M), audit_class(4), audit_control(4), syslog.conf(4), attributes(5)

NOTES

       Use of the plugin configuration line to include audit_syslog.so requires that /etc/syslog.conf is configured to store  syslog  messages	of
       facility audit and severity notice or above in a file intended for Solaris audit records. An example of such a line in syslog.conf is:

       audit.notice		   /var/audit/audit.log

       Messages  from  syslog  are sent to remote syslog servers by means of UDP, which does not guarantee delivery or ensure the correct order of
       arrival of messages.

       If the parameters specified for the plugin line result in no classes being preselected, an error is reported by means  of  a  syslog  alert
       with the LOG_DAEMON facility code.

       The  time  field in the syslog header is generated by syslog(3C) and only approximates the time given in the binary audit log. Normally the
       time field shows the same whole second or at most a few seconds' difference.

SunOS 5.10							    26 Aug 2004 						   audit_syslog(5)
All times are GMT -4. The time now is 01:22 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy