Search Results

Search: Posts Made By: auditd
Forum: Solaris 05-12-2008
Posted By auditd
Unfortunately you cannot audit individual files, it is all or nothing. The only way to filter it is to do it per user, using the audit_user file.

We have a short description here...
Posted By auditd
Depending on your OS there are multiple choices; if you have DTrace at your disposal, you can create a script which prints out all getenv() and setenv().
Forum: Solaris 03-02-2008
Posted By auditd
To see if auditing is enabled you run:
root@x2200# auditconfig -getcond
audit condition = auditing

Note that just because it is enabled doesn't mean that it is generating any audit records, it...
Forum: Solaris 03-02-2008
Posted By auditd
If you want to exclude a specific audit event from the audit trail you have two choices:
- don't audit the class which the event belongs to
- edit /etc/security/audit_event and remove the event...
Posted By auditd
How long is a piece of string? :)

The problem is that it depends on a lot of things, like:

number of active and audited users
user activity (running lots of commands)
policy settings (such...
Posted By auditd
To audit file (and directory) creation, deletion and modification, you should add the following flags to the flags: line in audit_control so it reads:
flags: lo,fm,fc,fd

If you have an admin user...
Posted By auditd
You need to use the +argv audit policy to see the arguments to exec(2).

Run:
auditconfig -setpolicy +argv

and then add the following line to /etc/security/audit_startup (for it to persist...
Forum: Solaris 03-09-2007
Posted By auditd
You should not change the default file permissions and/or group of Solaris binaries, instead you should use RBAC (http://auditanalyzer.com/auditing/solaris/rbac/) and turn non-personal accounts into...
Forum: Solaris 03-07-2007
Posted By auditd
Yes, this functionality is provided in Solaris auditing. You can check out this page (http://auditanalyzer.com/auditing/solaris/) on how to enable and configure it, and this...
Forum: Solaris 03-07-2007
Posted By auditd
script is not a suitable auditing mechanism, you should use Solaris auditing instead. If you want to audit shell activity take a look at this page...
Posted By auditd
It can audit all activities on Mac OS X, you just need to tell it what to audit. E.g. file deletion (http://auditanalyzer.com/auditing/useful-tips/file-deletion/) corresponds to the fd class.

If...
Posted By auditd
As ghostdog74 said, you should enable Solaris auditing (formerly known as BSM). The audit class you want to assign is fd, which stands for file deletions.

It will generate an audit trail for all...
Posted By auditd
This tells you that all events generated by this process will end up in the audit trail.


You need to replace /path/to/audit-trail with the actual path of the audit trail, e.g....
Posted By auditd
Since you added cc, which contains AUE_EXECVE, you don't need ex.

What other events have you tagged with cc?

It is strange that you see events from the ot and cl classes, as you don't have those...
Posted By auditd
IMO you get better logging with Solaris auditing than rootsh. If I know you audit my actions with rootsh I will just write a C program that does all my covert actions and you won't be able to see it...
Posted By auditd
You want to add the ex class to the flags: in audit_control so it reads:
flags:lo,ad,cc,ex

Or as you have defined your own audit class (cc) you could add it to AUE_EXECVE in audit_event so it...
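The posts above about choosing classes for the flags: line (lo,fm,fc,fd for file activity, lo,ad,cc,ex for executed commands), about removing an event from audit_event, and about cc already containing AUE_EXECVE so that ex is redundant all come down to one lookup: which entries in audit_event(4) belong to the classes named in audit_control(4), once the +, - and ^ prefixes are applied. The Python below is an added example, not code from the forum poster or from Solaris; it resolves a flags: string against audit_class and audit_event text and reports tokens that select nothing new. The two file bodies embedded in it are constructed for the example (the cc class, its mask and its event memberships are assumed, as in the thread); on a real host use the contents of /etc/security/audit_class and /etc/security/audit_event, which differ by release.

```python
"""Resolve an audit_control(4) flags: line into the audit events it preselects.

File formats, per the manual pages:
  audit_class:  mask:name:description
  audit_event:  number:name:description:class[,class...]
  flags token:  [^][+|-]class   (+ success only, - failure only, ^ turn off)

AUDIT_CLASS and AUDIT_EVENT below are constructed samples, not real Solaris
files; the cc class and its memberships are assumed as in the forum thread.
"""
import re

AUDIT_CLASS = """\
# mask:name:description  (constructed sample)
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:close
0x00000400:ex:exec
0x00001000:lo:login or logout
0x00040000:fm:file attribute modify
0x00100000:ps:process start/stop
0x00400000:ot:other
0x00800000:ad:administrative
0x40000000:cc:site-defined class (assumed, as in the thread)
0xffffffff:all:all classes
"""

AUDIT_EVENT = """\
# number:name:description:classes  (constructed sample)
4:AUE_CREAT:creat(2):fc
6:AUE_EXECVE:execve(2):ps,ex,cc
10:AUE_UNLINK:unlink(2):fd
15:AUE_CHMOD:chmod(2):fm,cc
42:AUE_CLOSE:close(2):cl
6152:AUE_login:login - local:lo
6164:AUE_su:su:lo
6200:AUE_auditon:auditon(2):ad
"""

FLAG_RE = re.compile(r"^(\^?)([+-]?)(\w+)$")


def _records(text):
    """Yield the non-empty, comment-stripped lines of an audit_* file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_classes(text):
    """audit_class text -> {class name: bit mask}."""
    classes = {}
    for line in _records(text):
        mask, name, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_events(text):
    """audit_event text -> {event name: frozenset of class names}.
    The description may itself contain ':' (e.g. 'login - local'), so the
    class list is taken from the right with rsplit."""
    events = {}
    for line in _records(text):
        _num, name, rest = line.split(":", 2)
        _desc, cls = rest.rsplit(":", 1)
        events[name] = frozenset(c for c in cls.split(",") if c)
    return events


def event_mask(ev_classes, classes):
    """OR together the masks of every class the event belongs to."""
    mask = 0
    for c in ev_classes:
        mask |= classes.get(c, 0)
    return mask


def resolve_flags(flags, classes, events):
    """Apply a flags: string left to right; return {event: set of modes}
    for every event that ends up preselected. Class membership is tested by
    mask overlap, so 'all' (0xffffffff) needs no special case."""
    selected = {name: set() for name in events}
    for token in flags.replace(" ", "").split(","):
        if not token:
            continue
        m = FLAG_RE.match(token)
        if not m:
            raise ValueError(f"bad flags token {token!r}")
        off, sign, cls = m.groups()
        if cls not in classes:
            raise ValueError(f"unknown audit class {cls!r}")
        modes = {"+": {"success"}, "-": {"failure"}}.get(sign, {"success", "failure"})
        for name, ev_classes in events.items():
            if event_mask(ev_classes, classes) & classes[cls]:
                if off:
                    selected[name] -= modes
                else:
                    selected[name] |= modes
    return {n: m for n, m in selected.items() if m}


def redundant_tokens(flags, classes, events):
    """Tokens whose removal leaves the preselection unchanged, e.g. 'ex' in
    'lo,ad,cc,ex' once cc already contains AUE_EXECVE."""
    tokens = [t for t in flags.replace(" ", "").split(",") if t]
    full = resolve_flags(flags, classes, events)
    redundant = []
    for i, tok in enumerate(tokens):
        if tok.startswith("^"):
            continue  # a negation is deliberate, never report it
        rest = ",".join(tokens[:i] + tokens[i + 1:])
        if resolve_flags(rest, classes, events) == full:
            redundant.append(tok)
    return redundant


if __name__ == "__main__":
    classes = parse_classes(AUDIT_CLASS)
    events = parse_events(AUDIT_EVENT)
    for flags in ("lo,fm,fc,fd", "lo,ad,cc,ex", "all,^-cl"):
        print(f"flags:{flags}")
        for name, modes in sorted(resolve_flags(flags, classes, events).items()):
            print(f"  {name:<12} {'+'.join(sorted(modes))}")
        print(f"  redundant: {redundant_tokens(flags, classes, events) or 'none'}")
```

This only models the system-wide preselection in audit_control; per-user entries in audit_user add to or subtract from it, and a policy such as +argv changes what tokens a record carries, not which events are selected.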
Forum: Solaris 02-25-2007
Posted By auditd
If there is enough interest we might backport it to Solaris 9, but there are sooo many other things we have to finish before we can look into that...
Forum: Solaris 02-24-2007
Posted By auditd
No, the audit_syslog plugin only works for Solaris 10. If you feel adventurous you could try to backport auditd to Solaris 9.

And as far as I know, there is no 3rd party application to do this...
Posted By auditd
You can get this information by enabling auditing (http://auditanalyzer.com/auditing/solaris/) and configuring the system to use the fm flag. It will give you information about who modified the file,...
Forum: Solaris 02-22-2007
Posted By auditd
If you are using Solaris 10 you can use the audit_syslog(5) plugin to forward your audit events to syslog, and then you can send them to your regular syslog server.

For more information, see...
Forum: Solaris 02-22-2007
Posted By auditd
I think you need to be a bit more specific about what you mean by "everything". What kind of auditing do you want? Executed commands, files changed, files deleted, incoming network connections,...
Forum: Solaris 02-22-2007
Posted By auditd
To just get it running, you need to invoke the command /etc/security/bsmconv, but you also need to configure which events will end up in the audit trail.

For more information, see...

 
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.