BSM, Solaris 8 and auditing changes to /etc/shadow


Post by i.. » Mon, 27 Jan 2003 04:46:16



Platforms:  sun4u, sun4m
OS: Solaris 8 [Solaris 7 and Solaris 9 would be helpful as well]

I have a requirement to check for user password updates (not the
actual passwords, just that a user updated their password).  All
users on these systems have password expiration configured.  Now,
users login via the console (non-graphical) and fire up their
X server of choice.  I ran into an anomaly where if a user's passwd
expires and the user is forced to set a new password at login time
(on the console) I cannot see the successful password update in
the audit trail.  I then thought I might be able to track changes
to file /etc/shadow, but here again I've run into some strange
behaviour...  On sun4u platforms I might be able to track
unlink(2) and link(2), but I was not able to see these on sun4m
machines (I set all flags simply for testing).

Q:  Is there a way to track password updates during the login
process on the console in the audit trail?  If so, how?  I assume
this has to do with pam_unix.so...

Any help appreciated...


Post by rrbrow » Mon, 27 Jan 2003 14:25:10


ksh
set -o vi
esc + k to scroll through the cl buffer

> Platforms:  sun4u, sun4m
> OS: Solaris 8 [Solaris 7 and Solaris 9 would be helpful as well]

> I have a requirement to check for user password updates (not the
> actual passwords, just that a user updated their password).  All
> users on these systems have password expiration configured.  Now,
> users login via the console (non-graphical) and fire up their
> X server of choice.  I ran into an anomaly where if a user's passwd
> expires and the user is forced to set a new password at login time
> (on the console) I cannot see the successful password update in
> the audit trail.  I then thought I might be able to track changes
> to file /etc/shadow, but here again I've run into some strange
> behaviour...  On sun4u platforms I might be able to track
> unlink(2) and link(2), but I was not able to see these on sun4m
> machines (I set all flags simply for testing).

> Q:  Is there a way to track password updates during the login
> process on the console in the audit trail?  If so, how?  I assume
> this has to do with pam_unix.so...

> Any help appreciated...



Post by i.. » Tue, 28 Jan 2003 01:26:10



> ksh
> set -o vi
> esc + k to scroll through the cl buffer

This still doesn't show updates to /etc/shadow if the user is required
to set a new password at login time on the console.  The audit trail simply
says login successful.

example:

header,123,2,open(2) - read,,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,path,/etc/security/audit_control,attribute,100640,root,sys,8388632,22665,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,5
header,134,2,close(2),,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,argument,1,0x5,fd,path,/etc/security/audit_control,attribute,100640,root,sys,8388632,22665,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,0
header,120,2,open(2) - read,,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,5
header,120,2,open(2) - read,,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,6
header,131,2,close(2),,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,argument,1,0x6,fd,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,0
header,131,2,close(2),,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,argument,1,0x5,fd,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,0
header,121,2,open(2) - read,,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,5
header,132,2,close(2),,Sun 26 Jan 2003 10:42:11 AM EST, + 466501000 msec,argument,1,0x5,fd,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,0
header,81,2,login - local,,Sun 26 Jan 2003 10:42:11 AM EST, + 466501000 msec,subject,test,test,staff,test,staff,323,323,0 0 place.com,text,successful login,return,success,0

My current flags are:

dir:/var/audit
flags:lo,ad,cl,fc
#flags:all
minfree:20
naflags:lo,ad,cl,fc

With all flags turned on:

header,123,2,open(2) - read,,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,path,/etc/security/audit_control,attribute,100640,root,sys,8388632,22665,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,5
header,147,2,ioctl(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,path,/etc/security/audit_control,attribute,100640,root,sys,8388632,22665,0,argument,2,0x5401,cmd,argument,3,0xeffff49c,arg,subject,test,root,other,root,other,542,542,0 0 place.com,return,failure: Inappropriate ioctl for device,-1
header,134,2,close(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,argument,1,0x5,fd,path,/etc/security/audit_control,attribute,100640,root,sys,8388632,22665,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,0
header,120,2,open(2) - read,,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,5
header,120,2,open(2) - read,,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,6
header,144,2,ioctl(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,argument,2,0x5401,cmd,argument,3,0xeffff02c,arg,subject,test,root,other,root,other,542,542,0 0 place.com,return,failure: Inappropriate ioctl for device,-1
header,131,2,close(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,argument,1,0x6,fd,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,0
header,131,2,close(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,argument,1,0x5,fd,path,/etc/security/audit_user,attribute,100640,root,sys,8388632,22667,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,0
header,121,2,open(2) - read,,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,5
header,145,2,ioctl(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 241157500 msec,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,argument,2,0x5401,cmd,argument,3,0xeffff684,arg,subject,test,root,other,root,other,542,542,0 0 place.com,return,failure: Inappropriate ioctl for device,-1
header,132,2,close(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 281151500 msec,argument,1,0x5,fd,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,0
header,121,2,open(2) - read,,Sun 26 Jan 2003 11:25:23 AM EST, + 291155000 msec,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,5
header,145,2,ioctl(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 291155000 msec,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,argument,2,0x5401,cmd,argument,3,0xeffff684,arg,subject,test,root,other,root,other,542,542,0 0 place.com,return,failure: Inappropriate ioctl for device,-1
header,132,2,close(2),,Sun 26 Jan 2003 11:25:23 AM EST, + 301156500 msec,argument,1,0x5,fd,path,/etc/security/audit_event,attribute,100644,root,sys,8388632,22927,0,subject,test,root,other,root,other,542,542,0 0 place.com,return,success,0
header,81,2,login - local,,Sun 26 Jan 2003 11:25:23 AM EST, + 301156500 msec,subject,test,test,staff,test,staff,542,542,0 0 place.com,text,successful login,return,success,0

Ian
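An added audit-reduction example, not code from the thread or from Sun: it parses comma-delimited praudit records like the ones posted above, groups them by audit session id, and reports for every session that contains a login record whether any /etc/shadow modification is visible in that session. It also reads the audit_control "flags:" line shown above and lists which file classes from audit_class(4) (fw, fc, fd, fm) a rewrite of /etc/shadow would need in the preselection. The per-token field counts are an assumption about the praudit layout, and the session-777 records in the sample trail are constructed to show what a visible update would look like; session 323 is taken from the posted output.

```python
"""Audit reduction over praudit-style BSM records (added example, not from the thread)."""
from collections import defaultdict

# Number of fields that follow each praudit token name (assumed Solaris 8 layout).
TOKEN_ARITY = {
    "header": 6,     # length, version, event, modifier, date, msec
    "path": 1,
    "attribute": 6,  # mode, uid, gid, fsid, nodeid, device
    "argument": 3,   # number, value, description
    "subject": 8,    # audit-id, uid, gid, ruid, rgid, pid, sid, terminal id
    "text": 1,
    "return": 2,     # status, return value
}

# Audit classes (audit_class(4)) that cover rewriting /etc/shadow:
# fw = file write, fc = file create, fd = file delete, fm = attribute modify.
SHADOW_CLASSES = {"fw", "fc", "fd", "fm"}


def parse_record(line):
    """Turn one praudit record into a dict; refuse unknown tokens rather than
    silently misaligning every field that follows."""
    fields = line.strip().split(",")
    rec = {"path": [], "argument": []}
    i = 0
    while i < len(fields):
        name = fields[i]
        if name not in TOKEN_ARITY:
            raise ValueError(f"unknown token {name!r} in: {line}")
        vals = fields[i + 1 : i + 1 + TOKEN_ARITY[name]]
        if len(vals) != TOKEN_ARITY[name]:
            raise ValueError(f"truncated {name} token in: {line}")
        i += 1 + TOKEN_ARITY[name]
        if name == "header":
            rec["event"], rec["time"] = vals[2], vals[4].strip()
        elif name == "path":
            rec["path"].append(vals[0])
        elif name == "argument":
            rec["argument"].append((int(vals[0]), vals[1], vals[2]))
        elif name == "subject":
            rec["audit_id"], rec["euid"] = vals[0], vals[1]
            rec["pid"], rec["sid"] = int(vals[5]), int(vals[6])
        elif name == "text":
            rec["text"] = vals[0]
        elif name == "return":
            rec["status"], rec["retval"] = vals[0], vals[1]
        else:
            rec[name] = vals
    return rec


def load_trail(text):
    """Parse every 'header,' line of a praudit dump; anything else is ignored."""
    return [parse_record(l) for l in text.splitlines() if l.startswith("header,")]


def is_shadow_update(rec):
    """A record counts as a shadow update if it names /etc/shadow and is neither
    a read-only open nor a close (open-for-write, link, unlink, rename all count)."""
    if "/etc/shadow" not in rec["path"]:
        return False
    ev = rec["event"]
    read_only_open = ev.startswith("open(2) - read") and "write" not in ev
    return not read_only_open and ev != "close(2)"


def shadow_update_visible_per_login(records):
    """For each session id that contains a login record: was a /etc/shadow
    update recorded anywhere in that session?"""
    by_sid = defaultdict(list)
    for rec in records:
        if "sid" in rec:
            by_sid[rec["sid"]].append(rec)
    return {
        sid: any(is_shadow_update(r) for r in recs)
        for sid, recs in by_sid.items()
        if any(r["event"].startswith("login") for r in recs)
    }


def audit_control_gaps(audit_control_text):
    """Shadow-relevant classes missing from the first uncommented 'flags:' line.
    '+'/'-'/'^' prefixes (success/failure selectors) are stripped; 'all' means none missing."""
    for line in audit_control_text.splitlines():
        line = line.strip()
        if line.startswith("flags:"):
            flags = {f.strip().lstrip("+-^") for f in line[6:].split(",") if f.strip()}
            return set() if "all" in flags else SHADOW_CLASSES - flags
    return set(SHADOW_CLASSES)  # no flags line at all: nothing is preselected


# Session 323 records are from the thread (trimmed); session 777 is constructed.
SAMPLE_TRAIL = """\
header,123,2,open(2) - read,,Sun 26 Jan 2003 10:42:11 AM EST, + 426510000 msec,path,/etc/security/audit_control,attribute,100640,root,sys,8388632,22665,0,subject,test,root,other,root,other,323,323,0 0 place.com,return,success,5
header,81,2,login - local,,Sun 26 Jan 2003 10:42:11 AM EST, + 466501000 msec,subject,test,test,staff,test,staff,323,323,0 0 place.com,text,successful login,return,success,0
header,120,2,open(2) - write,,Sun 26 Jan 2003 11:02:00 AM EST, + 100000000 msec,path,/etc/shadow,attribute,100400,root,sys,8388632,22900,0,subject,test,root,other,test,staff,777,777,0 0 place.com,return,success,4
header,81,2,login - local,,Sun 26 Jan 2003 11:02:01 AM EST, + 100000000 msec,subject,test,test,staff,test,staff,777,777,0 0 place.com,text,successful login,return,success,0
"""

# The audit_control preselection posted in the thread.
SAMPLE_AUDIT_CONTROL = "dir:/var/audit\nflags:lo,ad,cl,fc\n#flags:all\nminfree:20\nnaflags:lo,ad,cl,fc\n"

if __name__ == "__main__":
    for sid, seen in sorted(shadow_update_visible_per_login(load_trail(SAMPLE_TRAIL)).items()):
        print(f"session {sid}: /etc/shadow update {'visible' if seen else 'NOT visible'}")
    print("classes missing for shadow tracking:", sorted(audit_control_gaps(SAMPLE_AUDIT_CONTROL)))
```

Run it on a real trail with something like `auditreduce | praudit -d, | python3 thisfile.py`, feeding stdin to `load_trail`; the parser raises on any token it does not know instead of guessing, so a praudit layout that differs from the assumed one shows up as an error rather than as a silently empty report.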


Post by Elia » Tue, 28 Jan 2003 02:45:28




>> ksh
>> set -o vi
>> esc + k to scroll through the cl buffer

> This still doesn't show updates to /etc/shadow if the user is required
> to set a new password at login time on the console.  The audit trail simply
> says login successful.

> example:

...snip...

> Ian

You were right originally about it being a PAM thing.  You have to
implement PAM and configure it correctly for it to work though.

This is the big PAM page
http://docs.sun.com/db/doc/805-7229/6j6q8svdi?a=view

And specifically for Unix login:
http://docs.sun.com/db/doc/806-0634/6j9vo5amj?a=view


Post by i.. » Tue, 28 Jan 2003 03:53:12



> You were right originally about it being a PAM thing.  You have to
> implement PAM and configure it correctly for it to work though.

> This is the big PAM page
> http://docs.sun.com/db/doc/805-7229/6j6q8svdi?a=view

> And specifically for Unix login:
> http://docs.sun.com/db/doc/806-0634/6j9vo5amj?a=view

Ugh, this does give me the info I'm looking for.  I was really
hoping the BSM would provide me this reporting so that I can
have one place, one tool to get data from in doing some audit
reduction.  Now I will have to include syslog file data into
the mix.

On a side note, I'm at a loss as to why Solaris PAM does not work
with the BSM given what the BSM is for...  $.02

Many thanks to all who replied...  ;)

Ian


Post by Casper H.S. Di » Fri, 31 Jan 2003 21:57:46




>> ksh
>> set -o vi
>> esc + k to scroll through the cl buffer
> This still doesn't show updates to /etc/shadow if the user is required
> to set a new password at login time on the console.  The audit trail simply
> says login successful.

That might be because the passwd is changed before the audit attributes
are set.  That's probably a bug.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.


BSM doesn't audit the script in /etc/rc3.d

Hi! everybody.

I monitor a bsm log about users' activity.
Recently I discovered that bsm doesn't audit activity in
/etc/rc*.d scripts.

So in order to prove this I made a test script.

/etc/init.d/ls_root
/etc/rc3.d/S100ls_root
---------------------------------
......

while true
do
    ls > ls_root.txt
    sleep 1    # the post had "sleep;" with no interval; one second is assumed here
done
---------------------------------

The ls_root.txt file time is changed but an audit log isn't created.
Other activity is normally audited by auditd, I can see its audit log.
The ls_root script in /etc/rc*.d isn't audited.

I think auditd has to create the audit log below

fork
execve(ls)
write
exit

What's wrong?
Is this normal? Or a wrong configuration?

Does anyone know the reason or a solution?

Thanks in advance.
