Login or Register to Ask a Question and Join Our Community


UNIX for Dummies Questions & Answers

solaris BSM and Auditing

 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers solaris BSM and Auditing
# 1  
Old 03-05-2007
Bug solaris BSM and Auditing
Hi Guys,

I am new to this forum so I am sorry if i posted this thread in the wrong place. I am currently trying to get BSM to work on solaris 10 by Logging few things for me. I need your help to complete this task please.

this is the config of the audit files:

audit_conto

# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit
flags:lo,ad,cc
minfree:20
naflags:lo,ad,ex

audit class

#
# mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:adSmilield administrative (meta-class)
0x00100000SmiliesSmilierocess start/stop
0x00200000SmiliemSmilierocess modify
0x00300000SmiliecSmilierocess (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000SmilietSmiliether
0xffffffff:all:all classes (meta-class)
0x08000000:cc:CIS custom class


I only need to audit what users execute. Is there an easy way to do it.

Thanks
# 2  
Old 03-06-2007
Quote:
Originally Posted by skywalker850i
I only need to audit what users execute. Is there an easy way to do it.
You want to add the ex class to the flags: in audit_control so it reads:
flags:lo,ad,cc,ex

Or as you have defined your own audit class (cc) you could add it to AUE_EXECVE in audit_event so it reads:
22:AUE_EXECVE:execve(2):ps,ex,cc

See this post for more information.
Last edited by auditd; 03-06-2007 at 10:28 AM..
# 3  
Old 03-06-2007
Bug audit user/root command
Thanks I will try that today. The only thing now is formatting the output via praudit/auditrace. I will have to work on creating a script that will do that for me.
# 4  
Old 03-06-2007
Bug sudo users
Hi,

I have managed to get rootsh to work. What I want it to do is to start logging users session as soon as they loging to the box. rootsh uses sudo root user and I don't have that setup here. what do you guys think?

I thought about using the .profile and adding a line like

/usr/local/bin/rootsh --user=$username --logdir=$logs

any idea?

thanks
# 5  
Old 03-06-2007
Quote:
Originally Posted by skywalker850i
I have managed to get rootsh to work. What I want it to do is to start logging users session as soon as they loging to the box. rootsh uses sudo root user and I don't have that setup here. what do you guys think?
IMO you get better logging with Solaris auditing than rootsh. If I know you audit my actions with rootsh I will just write a C program that does all my covert actions and you won't be able to see it - the only thing rootsh catches is that I downloaded a file which I then executed.

With Solaris auditing you can not hide your actions as the logging happens in the kernel (for system calls), so even if you run an unknown program I will be able to see what it was up to.

The only downside to Solaris auditing is that the output format is harder to read, but there will soon be a nice gui to view the audit trail in, where you easily can chose to view the commands executed by a user.
# 6  
Old 03-06-2007
Bug unix auditing
right, here is what i did then.

# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt 1.4 00/07/17 SMI"
#
dir:/var/audit
flags:lo,ad,cc,ex
minfree:20
naflags:lo


# User Level Class Masks
#
# Developers: If you change this file you must also edit audit.h.
#
# "Meta-classes" can be created; these are supersets composed of multiple base
# classes, and thus will have more than 1 bit in its mask. See "ad", "all",
# "am", and "pc" below for examples.
#
# The "no" (invalid) class below is commonly (but not exclusively) used in
# audit_event for obsolete events.
#
#
# File Format:
#
# mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:adSmilield administrative (meta-class)
0x00100000SmiliesSmilierocess start/stop
0x00200000SmiliemSmilierocess modify
0x00300000SmiliecSmilierocess (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000SmilietSmiliether
0xffffffff:all:all classes (meta-class)
0x08000000:cc:CIS custom class



23:AUE_EXECVE:execve(2)Smilies,ex,cc


Just like how you recommanded. ( I think) !!

Now, I cann't see things like (cd / or ls -ltr) command or i may need to look deep into the log files. In addation, the size of the logs is in Gigs, it looks like i am going to need to acquire more disk space soon!!

snap shot!!

subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.298 +00:00
argument,1,0xff360000,base
argument,2,0x73d4,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.298 +00:00
argument,1,0xff344000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.298 +00:00
argument,1,0xff340000,base
argument,2,0x12b8,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.299 +00:00
argument,1,0xff2d4000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.299 +00:00
argument,1,0xff200000,base
argument,2,0x204d8,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.300 +00:00
argument,1,0xff31c000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.300 +00:00
argument,1,0xff310000,base
argument,2,0x3588,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.301 +00:00
argument,1,0xff192000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,168,2,memcntl(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.301 +00:00
argument,1,0xff100000,base
argument,2,0x15b74,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
header,114,2,munmap(2),,beatrix.cyberslotz.co.uk,2007-03-06 13:56:42.301 +00:00
argument,1,0xff1e2000,addr
argument,2,0x10000,len
subject,hassan,root,root,root,root,10312,554721698,14555 65559 172.16.1.202
return,success,0
file,2007-03-06 13:56:42.310 +00:00,



the idea behind this auditing thing is, to have all commands logged now, i didn't think the output is going to be like that. Now, if i get a request from management to produce the command set for one the users is going to be a nightmare to have something that will explaine to them what that users did in a nice layout.

any idea when the gui will be downloadable.
thanks
# 7  
Old 03-06-2007
Quote:
Originally Posted by skywalker850i
dir:/var/audit
flags:lo,ad,cc,ex
minfree:20
naflags:lo

23:AUE_EXECVE:execve(2):ps,ex,cc
Since you added cc which contains AUE_EXECVE you don't need ex.

What other events have you tagged with cc?
Quote:
Now, I cann't see things like (cd / or ls -ltr) command or i may need to look deep into the log files. In addation, the size of the logs is in Gigs, it looks like i am going to need to acquire more disk space soon!!
It is strange that you see events from the ot and cl classes, as you don't have those in audit_control. What does audit_user look like?

Could you run auditconfig -getpinfo pid where pid is the shell where you want to see the exec(s)'s?

To pick out the exec(2)'s you should run:
auditreduce -m AUE_EXECVE /path/to/audit-trail | praudit

Quote:
the idea behind this auditing thing is, to have all commands logged now, i didn't think the output is going to be like that. Now, if i get a request from management to produce the command set for one the users is going to be a nightmare to have something that will explaine to them what that users did in a nice layout.
If you want to work with just one user, you can use the -u aid option to auditreduce in conjunction with the example above. That way you'll just get the exec(2)'s belonging to that user.

Quote:
any idea when the gui will be downloadable
The beta will be out in about one to two months. It is more or less ready now, we there is a lot of polishing to do...
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Solaris

Exclude an specific directory for auditing in Solaris 10

Hello, Im glad to become a member of this forums, Im new on solaris and recentrly im introducing to use auditing service in that system. The need is, that I need how to exclude a directory to the audit service not audit it. And, a plus, I need of how to disable auditing the root user in... (0 Replies)
Discussion started by: sysh4ck
0 Replies

2. Solaris

How can I read Solaris BSM log?

Hi all, I'm trying to read Solaris BSM log in user friendly form. Found old tools including bsmparser java tool and php code. But none of them working. What are you using for parsing BSM log? (2 Replies)
Discussion started by: sembii
2 Replies

3. Solaris

Needs some orientation on BSM/auditing

New to Solaris in general (coming from a RHEL background) I'm trying to enable auditing on the system with the following in /etc/security/audit_control: But there are two areas where it seems to break with expected behavior (maybe it's poor expectations on my part): 1) it seems to be... (0 Replies)
Discussion started by: thmnetwork
0 Replies

4. Solaris

BSM auditing

Hi , I don't want logs from a particular "library" to get recorded in the audit.log file. Is that possible with BSM? Please guide. Thanks. (2 Replies)
Discussion started by: chinchao
2 Replies

5. Solaris

BSM auditing issues, need to audit "permission denied"

Let me preface with I am semi-new to Solaris. I work with it in the labs at work and that's about my extent (although I run Linux at home). Well, a week ago security comes around with updated requirements, some of which are the need to audit all failures. For the life of me I cannot get a... (0 Replies)
Discussion started by: mph275
0 Replies

6. Solaris

Solaris user auditing

Hello, I was wondering when Solaris auditing is enabled, If it is possible to keep track of users that are allowed to sudo to root. In other words, I would like to know which user did what on my Solaris box. (assumig that user can "sudo su -" ) Thanks. (2 Replies)
Discussion started by: niyazi
2 Replies

7. Solaris

Solaris 9 Auditing

How do I setup audit to alert on write conditions for individual files? Thanks. (3 Replies)
Discussion started by: dxs
3 Replies

8. Solaris

Solaris BSM audit log

I got a lot of this message in my /var/audit log how can I exclude this message? header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument ,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies

9. Programming

how to write to Solaris BSM log

I have a C program and want to write messages to a log. BSM is being used for O/S auditing. Can I write my messages to the BSM log? If so, how do I do that? I'm not finding any API's for that. Any URLs, samples, guidance would be appreciated. (0 Replies)
Discussion started by: JDO
0 Replies

10. Solaris

Solaris BSM log software

I'm looking for a software to capture my systems logs, and bsm (basic security module) logs to centralise the administration. Do you have a suggestions. Opensource or not. (6 Replies)
Discussion started by: simquest
6 Replies
Login or Register to Ask a Question