01-17-2017
How about using the built-in audit software from your operating system?
Audit configuration can look scary at first, but it's mostly a one-time setup per requirement.
Writing custom scripts will only make things difficult in the future.
Not to mention bypassing such scripts could be trivial, beating the audit purpose completely.
Hope that helps
Regards
Peasant.
AUDIT(4) BSD Kernel Interfaces Manual AUDIT(4)
NAME
audit -- Security Event Audit
SYNOPSIS
options AUDIT
DESCRIPTION
Security Event Audit is a facility to provide fine-grained, configurable logging of security-relevant events, and is intended to meet the
requirements of the Common Criteria (CC) Common Access Protection Profile (CAPP) evaluation. The FreeBSD audit facility implements the de
facto industry standard BSM API, file formats, and command line interface, first found in the Solaris operating system. Information on the
user space implementation can be found in libbsm(3).
Audit support is enabled at boot, if present in the kernel, using an rc.conf(5) flag. The audit daemon, auditd(8), is responsible for
configuring the kernel to perform audit, pushing configuration data from the various audit configuration files into the kernel.
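An added example, not part of the manual page: a minimal configuration for the two steps just described, the rc.conf(5) flag and the audit_control(5) file that auditd(8) pushes into the kernel. The class selection and the size values are illustrative assumptions to be set per requirement.

```conf
# /etc/rc.conf
# Start auditd(8) at boot; the kernel must be built with "options AUDIT".
auditd_enable="YES"

# /etc/security/audit_control
# Directory where audit trail files are written.
dir:/var/audit
# Classes audited for every user (illustrative selection):
#   lo = login/logout, aa = authentication and authorization, ex = exec
flags:lo,aa,ex
# Classes audited for events that cannot be attributed to a user.
naflags:lo,aa
# Issue a warning through audit_warn(5) when free space on the audit
# file system falls below 5 percent.
minfree:5
# cnt  = let processes continue when records cannot be written, so
#        events go unaudited; use ahlt instead to halt the system
#        rather than lose audit data.
# argv = record the command-line arguments of exec events.
policy:cnt,argv
# Rotate the current trail file once it reaches 2 MB.
filesz:2M
# Remove the oldest trail files once all trails together reach 10 MB;
# raise this to match the retention period the requirement calls for.
expire-after:10M
```

After editing audit_control, `audit -s` makes auditd(8) re-read the file, and `praudit /var/audit/current` prints the active trail in text form.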
Audit Special Device
The kernel audit facility provides a special device, /dev/audit, which is used by auditd(8) to monitor for audit events, such as requests to
cycle the log, low disk space conditions, and requests to terminate auditing. This device is not intended for use by applications.
Audit Pipe Special Devices
Audit pipe special devices, discussed in auditpipe(4), provide a configurable live tracking mechanism to allow applications to tee the audit
trail, as well as to configure custom preselection parameters to track users and events in a fine-grained manner.
SEE ALSO
auditreduce(1), praudit(1), audit(2), auditctl(2), auditon(2), getaudit(2), getauid(2), poll(2), select(2), setaudit(2), setauid(2),
libbsm(3), auditpipe(4), audit_class(5), audit_control(5), audit_event(5), audit.log(5), audit_user(5), audit_warn(5), rc.conf(5), audit(8),
auditd(8)
HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in
2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
Support for kernel audit first appeared in FreeBSD 6.2.
AUTHORS
This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
This manual page was written by Robert Watson <rwatson@FreeBSD.org>.
BUGS
The FreeBSD kernel does not fully validate that audit records submitted by user applications are syntactically valid BSM; as submission of
records is limited to privileged processes, this is not a critical bug.
Instrumentation of auditable events in the kernel is not complete, as some system calls do not generate audit records, or generate audit
records with incomplete argument information.
Mandatory Access Control (MAC) labels, as provided by the mac(4) facility, are not audited as part of records involving MAC decisions.
BSD May 31, 2009 BSD