Search Results

Search: Posts Made By: auditd
Forum: Solaris 05-12-2008
Posted By auditd
Unfortunately you can not audit individual files, it is all or nothing. The only way to filter it is to do it per user, using the audit_user file.

We have a short description here...
Posted By auditd
Depending on your OS there are multiple choices; if you have DTrace at your disposal, you can create a script which prints out all getenv() and setenv().
Forum: Solaris 03-02-2008
Posted By auditd
To see if auditing is enabled you run:
root@x2200# auditconfig -getcond
audit condition = auditing

Note that just because it is enabled doesn't mean that it is generating any audit records, it...
Forum: Solaris 03-02-2008
Posted By auditd
If you want to exclude a specific audit event from the audit trail you have two choices:
- don't audit the class which the event belongs to
- edit /etc/security/audit_event and remove the event...
Posted By auditd
How long is a piece of string? :)

The problem is that it depends on a lot of things, like:

number of active and audited users
user activity (running lots of commands)
policy settings (such...
Posted By auditd
To audit file (and directory) creation, deletion and modification, you should add the following flags to the flags: line in audit_control so it reads:
flags: lo,fm,fc,fd

If you have an admin user...
Posted By auditd
You need to use the +argv audit policy to see the arguments to exec(2).

Run:
auditconfig -setpolicy +argv

and then add the following line to /etc/security/audit_startup (for it to persist...
Forum: Solaris 03-09-2007
Posted By auditd
You should not change the default file permissions and/or group of Solaris binaries, instead you should use RBAC (http://auditanalyzer.com/auditing/solaris/rbac/) and turn non-personal accounts into...
Forum: Solaris 03-07-2007
Posted By auditd
Yes, this functionality is provided in Solaris auditing. You can check out this page (http://auditanalyzer.com/auditing/solaris/) on how to enable and configure it, and this...
Forum: Solaris 03-07-2007
Posted By auditd
script is not a suitable auditing mechanism, you should use Solaris auditing instead. If you want to audit shell activity take a look at this page...
Posted By auditd
It can audit all activities on Mac OS X, you just need to tell it what to audit. E.g. file deletion (http://auditanalyzer.com/auditing/useful-tips/file-deletion/) corresponds to the fd class.

If...
Posted By auditd
As ghostdog74 said, you should enable Solaris auditing (formerly known as BSM). The audit class you want to assign is fd, which stands for file deletions.

It will generate an audit trail for all...
Posted By auditd
This tells you that all events generated by this process will end up in the audit trail.


You need to replace /path/to/audit-trail with the actual path of the audit trail, e.g....
Posted By auditd
Since you added cc which contains AUE_EXECVE you don't need ex.

What other events have you tagged with cc?

It is strange that you see events from the ot and cl classes, as you don't have those...
Posted By auditd
IMO you get better logging with Solaris auditing than rootsh. If I know you audit my actions with rootsh I will just write a C program that does all my covert actions and you won't be able to see it...
Posted By auditd
You want to add the ex class to the flags: in audit_control so it reads:
flags:lo,ad,cc,ex

Or as you have defined your own audit class (cc) you could add it to AUE_EXECVE in audit_event so it...
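The posts above on the flags: line (lo,fm,fc,fd), on excluding a single event by dropping its class or editing audit_event, and on cc already covering AUE_EXECVE all come down to the same resolution: a flags: value selects classes, and an event is recorded if any class tagged on its audit_event line is selected. The following is an added example, not code from the forum posts or from Solaris, that performs that resolution offline. It implements the audit_control(4) flags grammar (+ success only, - failure only, ^ to remove, all for every class) and the audit_event(4) line format; the event table inside it is a constructed excerpt whose numbers and class tags are illustrative (cc stands in for the site-defined class from the thread), and the set of classes known to all is taken from that table rather than from audit_class.

```python
"""Which audit events does a Solaris audit_control 'flags:' line actually select?

Added illustration, not code from the forum posts or from Solaris. Implements the
documented audit_control(4) flags grammar and audit_event(4) line format; the
event table is a CONSTRUCTED excerpt (numbers and class tags are illustrative).
"""
from __future__ import annotations

import re

OUTCOMES = frozenset({"success", "failure"})

# Constructed excerpt in audit_event(4) format: number:event-name:description:classes
# 'cc' stands in for the site-defined class discussed in the thread.
AUDIT_EVENT_SAMPLE = """\
# number:name:description:classes
2:AUE_FORK:fork(2):ps
7:AUE_EXIT:exit(2):ps
23:AUE_EXECVE:execve(2):ps,ex,cc
4:AUE_CREAT:creat(2):fc,fw
6:AUE_UNLINK:unlink(2):fd
10:AUE_CHMOD:chmod(2):fm
6152:AUE_login:login - local:lo
"""


def parse_audit_event(text: str) -> dict[str, set[str]]:
    """Map event name -> set of classes from audit_event(4)-style lines."""
    events: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _num, name, _desc, classes = line.split(":", 3)
        events[name] = {c for c in classes.split(",") if c}
    return events


def parse_flags(flags: str, known_classes: set[str]) -> dict[str, set[str]]:
    """Resolve a flags: value to {class: outcomes audited}.

    Tokens are processed left to right. Prefixes: '+' success only,
    '-' failure only, none = both outcomes; a leading '^' removes instead
    of adds. 'all' expands to every class in known_classes.
    """
    audited: dict[str, set[str]] = {}
    for token in (t.strip() for t in flags.split(",")):
        if not token:
            continue
        m = re.fullmatch(r"(\^?)([+-]?)(\w+)", token)
        if not m:
            raise ValueError(f"malformed flags token: {token!r}")
        negate, prefix, name = m.groups()
        outcomes = {"+": {"success"}, "-": {"failure"}}.get(prefix, set(OUTCOMES))
        for cls in (known_classes if name == "all" else {name}):
            current = audited.setdefault(cls, set())
            if negate:
                current -= outcomes
            else:
                current |= outcomes
    return {c: o for c, o in audited.items() if o}


def audited_events(flags: str, events: dict[str, set[str]]) -> dict[str, set[str]]:
    """Events that will reach the trail under `flags`, with the outcomes recorded."""
    known = set().union(*events.values())
    by_class = parse_flags(flags, known)
    result: dict[str, set[str]] = {}
    for name, classes in events.items():
        outcomes = set().union(*(by_class.get(c, set()) for c in classes))
        if outcomes:
            result[name] = outcomes
    return result


def selecting_classes(event: str, flags: str, events: dict[str, set[str]]) -> set[str]:
    """Classes in `flags` that pull `event` in; more than one means redundancy."""
    known = set().union(*events.values())
    return events.get(event, set()) & set(parse_flags(flags, known))


if __name__ == "__main__":
    ev = parse_audit_event(AUDIT_EVENT_SAMPLE)
    for flags in ("lo,fm,fc,fd", "lo,ad,cc,ex", "lo,-all,^-fd"):
        print(f"flags:{flags}")
        for name, out in sorted(audited_events(flags, ev).items()):
            print(f"  {name:12s} {','.join(sorted(out))}")
    # With cc already tagged on AUE_EXECVE, ex adds nothing for that event:
    print("AUE_EXECVE selected by:", sorted(selecting_classes("AUE_EXECVE", "lo,ad,cc,ex", ev)))
```

Run it against a copy of your own /etc/security/audit_event and flags: value to see what a proposed change does before restarting auditing; the third flags line in the usage shows why removing a class with ^ only works for outcomes that were added earlier in the same line.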
Forum: Solaris 02-25-2007
Posted By auditd
If there is enough interest we might backport it to Solaris 9, but there are sooo many other things we have to finish before we can look into that...
Forum: Solaris 02-24-2007
Posted By auditd
No, the audit_syslog plugin only works for Solaris 10. If you feel adventurous you could try to backport auditd to Solaris 9.

And as far as I know, there is no 3rd party application to do this...
Posted By auditd
You can get this information by enabling auditing (http://auditanalyzer.com/auditing/solaris/) and configuring the system to use the fm flag. It will give you information about who modified the file,...
Forum: Solaris 02-22-2007
Posted By auditd
If you are using Solaris 10 you can use the audit_syslog(5) plugin to forward your audit events to syslog, and then you can send them to your regular syslog server.

For more information, see...
Forum: Solaris 02-22-2007
Posted By auditd
I think you need to be a bit more specific about what you mean by "everything". What kind of auditing do you want? Executed commands, files changed, files deleted, incoming network connections,...
Forum: Solaris 02-22-2007
Posted By auditd
To just get it running, you need to invoke the command /etc/security/bsmconv, but you also need to configure which events will end up in the audit trail.

For more information, see...
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.