Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: audit user in BSM/C2 Log
Special Forums Cybersecurity audit user in BSM/C2 Log Post 302544316 by DGPickett on Wednesday 3rd of August 2011 12:21:46 PM
Old 08-03-2011
Check the crontab files? Check for user processes running in a loop awaiting the right time for this activity? Check for remote access by ssh or the like? Seems like a case where the effective user was allowed and his id was the not-effective user. Look for set-uid code, too.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

audit user activity - possible?

Hi, I have been asked if it is possible to track the last time a specific user logged in to the sysetm. checked my documentation but can't see it there - google is not being very helpful either. I wonder if someone here can help - it will be much appreciated. Thanks Suresh (1 Reply)
Discussion started by: sureshy
1 Replies

2. Solaris

Solaris BSM log software

I'm looking for a software to capture my systems logs, and bsm (basic security module) logs to centralise the administration. Do you have a suggestions. Opensource or not. (6 Replies)
Discussion started by: simquest
6 Replies

3. Programming

how to write to Solaris BSM log

I have a C program and want to write messages to a log. BSM is being used for O/S auditing. Can I write my messages to the BSM log? If so, how do I do that? I'm not finding any API's for that. Any URLs, samples, guidance would be appreciated. (0 Replies)
Discussion started by: JDO
0 Replies

4. Solaris

Solaris BSM audit log

I got a lot of this message in my /var/audit log how can I exclude this message? header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument ,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies

5. UNIX for Advanced & Expert Users

audit user commands of different users under root account

Hi, I would like to know if there is anyway that I can pinpoint the user before/after he connects to the root? Also, I'm trying to find out what are the commands he inputs under root access. (6 Replies)
Discussion started by: pointgetter0
6 Replies

6. Solaris

BSM auditing issues, need to audit "permission denied"

Let me preface with I am semi-new to Solaris. I work with it in the labs at work and that's about my extent (although I run Linux at home). Well, a week ago security comes around with updated requirements, some of which are the need to audit all failures. For the life of me I cannot get a... (0 Replies)
Discussion started by: mph275
0 Replies

7. AIX

When AIX audit start, How to set the /audit/stream.out file size ?

Dear All When I start the AIX(6100-06)audit subsystem. the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB. It will replace the original /audit/stream.out (or /audit/trail). Then the /audit/stream.out become empty and... (2 Replies)
Discussion started by: nnnnnnine
2 Replies

8. Cybersecurity

Audit on specific user in linux

Hi All, Please let me how to enable user specific audit in Linux server. Say i have specific user namely admin1,admin2,admin3 apart from the normal users, user1,2,3.....userN. How to enable audit for users admin1,admin2 and admin3 alone. Also please let me know, if this would have any... (4 Replies)
Discussion started by: pradebban
4 Replies

9. Shell Programming and Scripting

Audit user activity

Need some help in coming up to log all the activity that is used with our common "unix account". Ideally I am looking for to log the activity in a "separate" file for each session or login until the user logout, I would like to capture the date/time and terminal login and record all the ... (3 Replies)
Discussion started by: rajmanna
3 Replies

10. Solaris

How can I read Solaris BSM log?

Hi all, I'm trying to read Solaris BSM log in user friendly form. Found old tools including bsmparser java tool and php code. But none of them working. What are you using for parsing BSM log? (2 Replies)
Discussion started by: sembii
2 Replies

LEARN ABOUT OPENSOLARIS

setegid

setuid(2)							   System Calls 							 setuid(2)

NAME

       setuid, setegid, seteuid, setgid - set user and group IDs

SYNOPSIS

       #include <sys/types.h>
       #include <unistd.h>

       int setuid(uid_t uid);

       int setgid(gid_t gid);

       int seteuid(uid_t euid);

       int setegid(gid_t egid);

DESCRIPTION

       The  setuid()  function	sets the real user ID, effective user ID, and saved user ID of the calling process. The setgid() function sets the
       real group ID, effective group ID, and saved group ID of the calling process. The setegid() and seteuid() functions set the effective group
       and user IDs respectively for the calling process. See Intro(2) for more information on real, effective, and saved user and group IDs.

       At  login time, the real user ID, effective user ID, and saved user ID of the login process are set to the login ID of the user responsible
       for the creation of the process. The same is true for the real, effective, and saved group IDs; they are set to the group ID  of  the  user
       responsible for the creation of the process.

       When  a process calls one of the exec(2) family of functions to execute a file (program), the user and/or group identifiers associated with
       the process can change. If the file executed is a set-user-ID file, the effective and saved user IDs of the process are set to the owner of
       the  file  executed.  If the file executed is a set-group-ID file, the effective and saved group IDs of the process are set to the group of
       the file executed. If the file executed is not a set-user-ID or set-group-ID file, the effective user ID, saved user  ID,  effective  group
       ID, and saved group ID are not changed.

       If  the	{PRIV_PROC_SETID}  privilege is asserted in the effective set of the process calling setuid(), the real, effective, and saved user
       IDs are set to the uid argument.  If the uid argument is 0 and none of the saved, effective or  real  UID  is  0,  additional  restrictions
       apply. See privileges(5).

       If  the	{PRIV_PROC_SETID}  privilege  is not asserted in the effective set, but uid is either the real user ID or the saved user ID of the
       calling process, the effective user ID is set to uid.

       If the {PRIV_PROC_SETID} privilege is asserted in the effective set of the process calling setgid(), the real, effective, and  saved  group
       IDs are set to the gid argument.

       If  the	{PRIV_PROC_SETID} privilege is not asserted in the effective set, but gid is either the real group ID or the saved group ID of the
       calling process, the effective group ID is set to gid.

RETURN VALUES

       Upon successful completion, 0 is returned. Otherwise, -1 is returned and errno is set to indicate the error.

ERRORS

       The setuid() and setgid() functions will fail if:

       EINVAL	 The value of uid or gid is out of range.

       EPERM	 For setuid() and seteuid(), the {PRIV_PROC_SETID} privilege is not asserted in the effective set of the calling process  and  the
		 uid  argument does not match either the real or saved user IDs, or an attempt is made to change to UID 0 and none of the existing
		 UIDs is 0, in which case additional privileges are required.

		 For setgid() and setegid(), the {PRIV_PROC_SETID} privilege is not asserted in the effective set and the gid  argument  does  not
		 match either the real or saved group IDs.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Standard			   |
       +-----------------------------+-----------------------------+
       |MT-Level		     |Async-Signal-Safe 	   |
       +-----------------------------+-----------------------------+

SEE ALSO

       Intro(2), exec(2), getgroups(2), getuid(2), stat.h(3HEAD), attributes(5), privileges(5), standards(5)

SunOS 5.11							    20 Jan 2003 							 setuid(2)
All times are GMT -4. The time now is 01:23 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy