Needs some orientation on BSM/auditing
Old 02-29-2012

New to Solaris in general (coming from a RHEL background), I'm trying to enable auditing on the system with the following in /etc/security/audit_control:


Quote:
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
#ident @(#)audit_control.txt 1.3 97/06/20 SMI
#
dir:/var/audit
flags:-lo,-fr
minfree:20
naflags:-lo
But there are two areas where it seems to break with expected behavior (maybe it's poor expectations on my part):

1) it seems to be logging both successful and unsuccessful login/out attempts but I'm trying to filter for just the unsuccessful ones.

2) I can see many "file read" errors but when I try to create one from the command line (with "cat /etc/doesntExist" or "cat < /etc/doesntExist") it doesn't seem to record that attempt to the audit logs under /var/audit.

I'm using praudit to view the audit logs and every time I change the audit_control file I run "audit -s" and have even restarted the audit service to no avail. Basically: the audit logs don't appear to have the information I'm expecting them to have.

Platform in case that's relevant:

Quote:
# uname -a
SunOS web 5.8 Generic_117350-46 sun4u sparc SUNW,Ultra-250
Here is the latest praudit output:

Quote:
praudit -l 20120228214514.not_terminated.web | more
file,Tue Feb 28 16:45:14 2012, + 492703 msec,/var/audit/20120228214012.20120228214514.web
header,86,2,su,,Tue Feb 28 16:50:01 2012, + 670001932 msec,subject,root,root,staff,ncatweb,staff,10417,449,0 0 web,text,success for user root,return,success,0
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 690004976 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10485,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 690004976 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10486,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 690004976 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10484,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 700004093 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10488,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 700004093 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10489,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 710002940 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10487,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 720001087 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10490,449,0 0 web,return,failure: No such file or directory,-1
header,87,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 730004104 msec,path,/quotas,subject,root,root,other,root,other,10490,449,0 0 web,return,failure: No such file or directory,-1
header,90,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 730004104 msec,path,/usr/quotas,subject,root,root,other,root,other,10490,449,0 0 web,return,failure: No such file or directory,-1
header,90,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 730004104 msec,path,/var/quotas,subject,root,root,other,root,other,10490,449,0 0 web,return,failure: No such file or directory,-1
header,90,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 730004104 msec,path,/opt/quotas,subject,root,root,other,root,other,10490,449,0 0 web,return,failure: No such file or directory,-1
header,98,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 730004104 msec,path,/export/home/quotas,subject,root,root,other,root,other,10490,449,0 0 web,return,failure: No such file or directory,-1
header,98,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 730004104 msec,path,/usr/openwin/quotas,subject,root,root,other,root,other,10490,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 730004104 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10491,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 740002021 msec,path,/var/ld/ld.config,subject,root,root,mail,root,other,10492,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 760001600 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10493,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 770001632 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10495,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 780002169 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10497,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 780002169 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10498,449,0 0 web,return,failure: No such file or directory,-1
header,89,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 790002666 msec,path,/.profile,subject,root,root,other,root,other,10417,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:17 2012, + 789999549 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10504,449,0 0 web,return,failure: No such file or directory,-1
header,96,2,open(2) - read,,Tue Feb 28 16:50:45 2012, + 400000602 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10505,449,0 0 web,return,failure: No such file or directory,-1
---------- Post updated 02-29-12 at 03:32 PM ---------- Previous update was 02-28-12 at 09:27 PM ----------

I also just enabled auditing on "as" and "ss", executed an "audit -s", then reset the password on a test user account, but nothing appeared in the latest audit log.
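The praudit -l output above is one comma-separated record per line, with each token keyword (header, path, subject, text, return) followed by a fixed number of fields. The following is an added example, not code from the thread, that parses that layout into dicts and filters for failed returns, which is the kind of triage the post is trying to do by eye (only failed events, grouped by what they touched). The sample records are constructed from the ones shown in the thread; the field counts per token are assumed from Solaris 8 BSM praudit -l output and the code stops at any token it does not model.

```python
"""Parse `praudit -l` (one record per line) output and pull out failures.

Added example; assumes the praudit -l token layout shown in the thread:
header, subject, path, text and return tokens, each followed by a fixed
number of comma-separated fields. A text value containing a comma would
shift the fields; praudit -l has no quoting, so treat such lines by hand.
"""
from collections import Counter

# Constructed sample modelled on the records in the thread (not a real capture).
SAMPLE = """\
file,Tue Feb 28 16:45:14 2012, + 492703 msec,/var/audit/20120228214012.20120228214514.web
header,86,2,su,,Tue Feb 28 16:50:01 2012, + 670001932 msec,subject,root,root,staff,ncatweb,staff,10417,449,0 0 web,text,success for user root,return,success,0
header,96,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 690004976 msec,path,/var/ld/ld.config,subject,root,root,other,root,other,10485,449,0 0 web,return,failure: No such file or directory,-1
header,89,2,open(2) - read,,Tue Feb 28 16:50:01 2012, + 790002666 msec,path,/.profile,subject,root,root,other,root,other,10417,449,0 0 web,return,failure: No such file or directory,-1
"""

# Number of fields that follow each token keyword in praudit -l output.
TOKEN_ARITY = {
    "header": 6,    # record length, version, event name, modifier, time, msec
    "subject": 8,   # audit-uid, uid, gid, ruid, rgid, pid, session id, terminal id
    "path": 1,
    "text": 1,
    "return": 2,    # status ("success" or "failure: ..."), return value
}


def parse_record(line):
    """Turn one header-led praudit -l line into a dict; stops at an unknown token."""
    fields = line.rstrip("\n").split(",")
    rec = {}
    i = 0
    while i < len(fields):
        tok = fields[i]
        n = TOKEN_ARITY.get(tok)
        if n is None:
            # Token type not modelled here (e.g. exec_args, ip_addr): keep what we have.
            rec["unparsed_from"] = tok
            break
        vals = fields[i + 1:i + 1 + n]
        if len(vals) < n:
            rec["truncated"] = True
            break
        i += 1 + n
        if tok == "header":
            rec["event"] = vals[2]
            rec["time"] = vals[4].strip()
        elif tok == "subject":
            rec["audit_uid"], rec["uid"], rec["ruid"] = vals[0], vals[1], vals[3]
            rec["pid"], rec["sid"] = int(vals[5]), int(vals[6])
        elif tok == "path":
            rec["path"] = vals[0]
        elif tok == "text":
            rec["text"] = vals[0]
        elif tok == "return":
            rec["status"], rec["retval"] = vals[0], vals[1]
    return rec


def parse_log(text):
    """Parse every header record; the file (trailer) records carry no event."""
    return [parse_record(l) for l in text.splitlines() if l.startswith("header,")]


def failures(records, event=None):
    """Records whose return status is a failure, optionally limited to one event name."""
    return [r for r in records
            if r.get("status", "").startswith("failure")
            and (event is None or r.get("event") == event)]


def summarize(records):
    """Count failures by (event, path) so repeated noise such as /var/ld/ld.config stands out."""
    return Counter((r["event"], r.get("path", "-")) for r in failures(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for (event, path), count in summarize(recs).most_common():
        print(f"{count:4d}  {event:20s} {path}")
    for r in failures(recs, event="su"):
        print("failed su:", r["ruid"], "->", r["uid"], "sid", r["sid"])
```

On a real system, pipe `praudit -l` over the files in /var/audit into parse_log and call failures(recs, event="su") or whichever event name you are checking. The seventh subject field is the audit session id (449 in every record above); a login session keeps the preselection mask it was given at login, so records from a session that started before audit_control was edited still reflect the old flags, and comparing session ids is a quick way to tell whether the records you are looking at come from a session that started after the change.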