09-06-2011
Hi,
Ya I have enabled ALL flags in the audit.control file. The problem is that the username and password, which are given through an application, get logged. Hence I thought that I could suppress logs from this particular binary. If not, what else can be done?
Thanks.
au_user_mask(3BSM) au_user_mask(3BSM)
NAME
au_user_mask - get user's binary preselection mask
SYNOPSIS
cc [ flag... ] file... -lbsm -lsocket -lnsl [ library... ]
#include <bsm/libbsm.h>
int au_user_mask(char *username, au_mask_t *mask_p);
DESCRIPTION
The au_user_mask() function reads the default, system-wide audit classes from audit_control(4), combines them with the per-user audit classes from the audit_user(4) database, and updates the binary preselection mask pointed to by mask_p with the combined value.
The audit flags in the flags field of the audit_control(4) database and the always-audit-flags and never-audit-flags from the audit_user(4) database represent binary audit classes. These fields are combined by au_preselect(3BSM) as follows:
mask = (flags + always-audit-flags) - never-audit-flags
The au_user_mask() function fails only if both the audit_control(4) and the audit_user(4) database entries could not be retrieved. This allows for flexible configurations.
RETURN VALUES
Upon successful completion, au_user_mask() returns 0. It fails and returns -1 if both the audit_control(4) and the audit_user(4) database entries could not be retrieved.
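The combination rule above, and the question in the post about keeping one category of event out of a user's audit record, can be worked through in code. The following is an added example written for this page; it is not code from the man page or from libbsm. It models au_mask_t with a local stand-in type (bsm/libbsm.h is not assumed to be present), parses audit_control/audit_user style flag lists with the `+`, `-` and `^` prefixes, applies mask = (flags + always-audit-flags) - never-audit-flags on both the success and failure fields, and reports whether an event of a given class would be preselected. The class names and bit values in the table, and the flag strings in main(), are constructed samples, not the values from any real audit_class(4) file.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the libbsm types (bsm/libbsm.h is not available here). */
typedef uint32_t au_class_t;
typedef struct {
    au_class_t am_success;   /* classes audited when the event succeeds */
    au_class_t am_failure;   /* classes audited when the event fails */
} au_mask_t;

/* Constructed class table: sample names and bit values in the style of
 * audit_class(4). Consult the system's own file for the real values. */
static const struct { const char *name; au_class_t bit; } classes[] = {
    { "no",  0x00000000 }, { "fr", 0x00000001 }, { "fw", 0x00000002 },
    { "lo",  0x00001000 }, { "ex", 0x40000000 }, { "all", 0xffffffff },
};

/* Look up a class name: returns 0 and stores its bit, or -1 if unknown. */
static int class_bit(const char *name, size_t len, au_class_t *bit) {
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++) {
        if (strlen(classes[i].name) == len &&
            strncmp(classes[i].name, name, len) == 0) {
            *bit = classes[i].bit;
            return 0;
        }
    }
    return -1;
}

/* Parse a comma-separated flag list such as "lo,+ex,-fw,^fr" into a mask.
 * No prefix: success and failure; '+': success only; '-': failure only;
 * a leading '^' removes the class instead of adding it. Returns -1 on an
 * unknown class name so a typo in a flags line is not silently ignored. */
int parse_flags(const char *spec, au_mask_t *out) {
    const char *p = spec;
    out->am_success = 0;
    out->am_failure = 0;
    while (*p != '\0') {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        int clear = 0, succ = 1, fail = 1;
        if (*p == '^') { clear = 1; p++; }
        if (*p == '+') { fail = 0; p++; }
        else if (*p == '-') { succ = 0; p++; }
        const char *start = p;
        while (*p != '\0' && *p != ',' && !isspace((unsigned char)*p)) p++;
        au_class_t bit;
        if (class_bit(start, (size_t)(p - start), &bit) != 0) return -1;
        if (clear) {
            if (succ) out->am_success &= ~bit;
            if (fail) out->am_failure &= ~bit;
        } else {
            if (succ) out->am_success |= bit;
            if (fail) out->am_failure |= bit;
        }
    }
    return 0;
}

/* The combination rule from the man page, applied per field:
 * mask = (flags + always-audit-flags) - never-audit-flags */
au_mask_t combine_user_mask(au_mask_t flags, au_mask_t always, au_mask_t never) {
    au_mask_t m;
    m.am_success = (flags.am_success | always.am_success) & ~never.am_success;
    m.am_failure = (flags.am_failure | always.am_failure) & ~never.am_failure;
    return m;
}

/* Convenience wrapper: parse the three sources and combine them. Any
 * unparseable input yields an empty mask (nothing preselected). */
au_mask_t effective_mask(const char *flags, const char *always, const char *never) {
    au_mask_t f, a, n, empty = { 0, 0 };
    if (parse_flags(flags, &f) || parse_flags(always, &a) || parse_flags(never, &n))
        return empty;
    return combine_user_mask(f, a, n);
}

/* Would an event of class `cls` with the given outcome be recorded? */
int is_preselected(au_mask_t m, au_class_t cls, int success) {
    au_class_t field = success ? m.am_success : m.am_failure;
    return (field & cls) != 0;
}

int main(void) {
    /* Constructed scenario: the system-wide flags audit lo and ex, this
     * user additionally gets successful fw, and is excluded from ex. */
    au_mask_t m = effective_mask("lo,ex", "+fw", "ex");
    printf("success=0x%08x failure=0x%08x\n",
           (unsigned)m.am_success, (unsigned)m.am_failure);
    printf("ex success recorded for this user: %d\n",
           is_preselected(m, 0x40000000, 1));
    return 0;
}
```

Two points follow from the rule itself. First, never-audit-flags win over both the system-wide flags and always-audit-flags, which is why a per-user entry in audit_user(4) is the documented way to take a class out of one user's record while leaving audit_control(4) alone. Second, as the NOTES section says, the resulting mask is attached to a process by login(1) through setaudit(2) and is inherited from there, so it selects by user and class, not by the executable that generated the event.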
FILES
/etc/security/audit_control file containing default parameters read by the audit daemon, auditd(1M)
/etc/security/audit_user file that stores per-user audit event mask
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Interface Stability |Stable |
+-----------------------------+-----------------------------+
|MT-Level |MT-Safe |
+-----------------------------+-----------------------------+
SEE ALSO
login(1), bsmconv(1M), getaudit(2), setaudit(2), au_preselect(3BSM), getacinfo(3BSM), getauusernam(3BSM), audit_control(4), audit_user(4), attributes(5)
NOTES
The au_user_mask() function should be called by programs like login(1) which set a process's preselection mask with setaudit(2). getaudit(2) should be used to obtain audit characteristics for the current process.
The functionality described on this manual page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.
31 Mar 2005 au_user_mask(3BSM)