Please close this case. I realised that on RHEL and SLES systems, setting logrotate for audit isn't secure; chances are that it might not work. So this is what I did:
1. Set the logrotate entry for audit.log anyway; my logs are set for 24 weeks before removal, and rotated weekly
2. Edit the conf file anyway, and make a backup copy of the existing conf file:
I am new to the world of Unix. As part of my understanding to have a big picture of Unix, I need to understand:
1. How to review the existing unix system or audit for the settings?
2. How do I go about fixing the holes? (4 Replies)
Folks
I am on a quest....
I am looking for a lightweight FTP client capable of FTPS and or SFTP that has good audit and logging capabilities without requiring a central server component. My platforms are Linux, Solaris, AIX, and Windows Server.
The kicker is I have found things that meet the... (3 Replies)
How do I find if audit logs are secured inside Solaris 10?
· Verify that audit log files are secured and owned appropriately.
this is the question (1 Reply)
Dear All
When I start the AIX (6100-06) audit subsystem,
the log is saved in /audit/stream.out (or /audit/trail), but by default, when /audit/stream.out grows up to 150MB,
it replaces the original /audit/stream.out (or /audit/trail).
Then /audit/stream.out becomes empty and... (2 Replies)
Does anyone know if there is software written to view the audit logs generated by Solaris? I am referring to the logs created by auditd. It produces an unreadable log. I am familiar with auditreduce and praudit, but I am looking for something that produces a report, much like logwatch looks at the... (4 Replies)
Hello all,
I've configured 'audit' service to send the audit logs to a remote log server (by using syslog plugin), which is working fine.
However, there is a problem. The audit service also tries to write the same information (but in binary format) under the /var/audit path.
So, is there any way to stop... (2 Replies)
Hello All,
I'm using a RHEL6.4 on IBM X3850 X5 server. I want to get a comprehensive report containing disk-wise health status as well as overall server status.
I see there's utility "ibm_utl_dsa_dsytd3h-9.51_portable_rhel6_x86-64.bin" which is also used to do diagnostics tasks. I'm not sure of... (1 Reply)
HI Community,
How can I configure audit logs for global zones and standard zones? I have enabled and started the auditd service and it went to maintenance mode. Please help me to configure that.
Thanks & Regards,
BEn (9 Replies)
MyLOG:
2017/11/12 17:01:54.600 : Error: LPID: 3104680848 WRONG CRITERIA FOUND. tRealBuilder::Generate
Output Required:
If the keyword "WRONG CRITERIA FOUND" is in the latest log (logs are regularly generated, in real time), mail it to us;
once mailed wait for 2 hours for second mail.
mail subject... (3 Replies)
Hi guys.
I have to set audit logs on certain events on a solaris 10 server.
While I had no problems on Linux, I'm going crazy trying to do the same thing on Solaris 10, since I don't have enough expertise on this OS.
I should be able to identify these 4 different events:
1: Tracking all... (2 Replies)
Discussion started by: menofmayhem
LEARN ABOUT OPENSOLARIS
audit_user
audit_user(4) File Formats audit_user(4)
NAME
audit_user - per-user auditing data file
SYNOPSIS
/etc/security/audit_user
DESCRIPTION
audit_user is a database that stores per-user auditing preselection data. You can use the audit_user file with other authorization sources,
including the NIS map audit_user.byname and the NIS+ table audit_user. Programs use the getauusernam(3BSM) routines to access this information.
The search order for multiple user audit information sources is specified in the /etc/nsswitch.conf file. See nsswitch.conf(4). The lookup
follows the search order for passwd(4).
The fields for each user entry are separated by colons (:). Each user is separated from the next by a newline. audit_user does not have
general read permission. Each entry in the audit_user file has the form:
username:always-audit-flags:never-audit-flags
The fields are defined as follows:
username             User's login name.
always-audit-flags   Flags specifying event classes to always audit.
never-audit-flags    Flags specifying event classes to never audit.
For a complete description of the audit flags and how to combine them, see audit_control(4).
EXAMPLES
Example 1 Using the audit_user File
other:lo,am:io,cl
fred:lo,ex,+fc,-fr,-fa:io,cl
ethyl:lo,ex,nt:io,cl
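As an added illustration (not part of the man page or of Solaris itself), the following Python parser reads entries in the audit_user format described above, separating the always-audit and never-audit fields and the +/- success/failure prefixes on individual class names, and reports permission bits that would give the file the general read access the man page says it should not have. The sample file content is constructed from the three example entries shown above; the treatment of blank and #-comment lines is an assumption of this example, and the precedence rules between the fields are left to audit_control(4) rather than modelled here.

```python
"""Parse Solaris audit_user(4) entries and check the file's permission bits.

Example code added for illustration; it is not part of Solaris or the man page.
"""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample content, using the three entries shown in the man page.
# Skipping blank and '#' lines is an assumption made by this parser.
SAMPLE_AUDIT_USER = """\
# per-user audit preselection (constructed sample)
other:lo,am:io,cl
fred:lo,ex,+fc,-fr,-fa:io,cl
ethyl:lo,ex,nt:io,cl
"""

# Scope encoded by the optional prefix on a class name:
#   no prefix -> audit both successful and failed events of the class
#   '+'       -> successful events only
#   '-'       -> failed events only
SCOPE_BY_PREFIX = {"+": "success", "-": "failure"}


@dataclass
class AuditFlag:
    cls: str     # audit class name, e.g. "lo" or "fc"
    scope: str   # "both", "success" or "failure"


@dataclass
class AuditUserEntry:
    username: str
    always: List[AuditFlag] = field(default_factory=list)
    never: List[AuditFlag] = field(default_factory=list)


def parse_flags(text: str) -> List[AuditFlag]:
    """Parse one comma-separated flags field; an empty field yields no flags."""
    flags = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        scope = SCOPE_BY_PREFIX.get(token[0], "both")
        cls = token[1:] if token[0] in SCOPE_BY_PREFIX else token
        if not cls.isalnum():
            raise ValueError(f"malformed audit class {token!r}")
        flags.append(AuditFlag(cls=cls, scope=scope))
    return flags


def parse_audit_user(text: str) -> Dict[str, AuditUserEntry]:
    """Parse 'username:always-audit-flags:never-audit-flags' lines into entries."""
    entries: Dict[str, AuditUserEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 colon-separated fields, got {len(fields)}")
        username, always, never = (f.strip() for f in fields)
        if not username:
            raise ValueError(f"line {lineno}: empty username")
        if username in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {username!r}")
        entries[username] = AuditUserEntry(username, parse_flags(always), parse_flags(never))
    return entries


def permission_problems(mode: int) -> List[str]:
    """Return the group/other access bits that conflict with a non-generally-readable file."""
    perm = stat.S_IMODE(mode)
    problems = []
    for bit, label in ((stat.S_IRGRP, "readable by group"),
                       (stat.S_IWGRP, "writable by group"),
                       (stat.S_IROTH, "readable by others"),
                       (stat.S_IWOTH, "writable by others")):
        if perm & bit:
            problems.append(label)
    return problems


if __name__ == "__main__":
    # Default to the constructed sample; pass a real path to inspect a system file.
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    content = open(path).read() if path else SAMPLE_AUDIT_USER
    for entry in parse_audit_user(content).values():
        always = ",".join(f"{f.cls}({f.scope})" for f in entry.always) or "-"
        never = ",".join(f.cls for f in entry.never) or "-"
        print(f"{entry.username:<10} always={always:<40} never={never}")
    if path:
        print("permission problems:", permission_problems(os.stat(path).st_mode) or "none")
```

Run without arguments to parse the embedded sample; with a path, it also reports whether the file's mode grants group or other access. Note that scope prefixes are only meaningful in the always-audit field for the examples shown; the parser accepts them in either field and leaves interpretation to audit_control(4).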
FILES
/etc/nsswitch.conf
/etc/passwd
/etc/security/audit_user
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
+-----------------------------+-----------------------------+
| Interface Stability         | See below.                  |
+-----------------------------+-----------------------------+
The file format stability is Committed. The file content is Uncommitted.
SEE ALSO
bsmconv(1M), getauusernam(3BSM), audit_control(4), nsswitch.conf(4), passwd(4)
Part VII, Solaris Auditing, in System Administration Guide: Security Services
NOTES
This functionality is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.
Configuration changes do not affect audit sessions that are currently running, as the changes do not modify a process's preselection mask.
To change the preselection mask on a running process, use the -setpmask option of the auditconfig command (see auditconfig(1M)). If the
user logs out and logs back in, the new configuration changes will be reflected in the next audit session.
SunOS 5.11 26 Jun 2008 audit_user(4)