Solaris 8 BSM audit data error

Post by chunm » Thu, 09 Oct 2003 15:32:41



Hi.

I found a BSM audit data error.
When someone logs in to the system, the source IP doesn't match the real IP address.
I saw the ASCII data converted by the praudit command.
Our E10000 system is using the Solaris 8 (10/01) 64-bit kernel.
Should I apply some patches?

Hope advice,
Chun-Mok.

Post by Philip Bro » Fri, 24 Oct 2003 04:57:15



Quote:
>Hi.

>I found a BSM audit data error.
>When someone logs in to the system, the source IP doesn't match the real IP address.
>I saw the ASCII data converted by the praudit command.
>Our E10000 system is using the Solaris 8 (10/01) 64-bit kernel.
>Should I apply some patches?

Only if "who" matches what you think it should be.
If "who" agrees with the praudit data, then probably the "real" address is
being NATted, and the system has no way to tell what the "real" address is.
As far as it is concerned, the address it is reporting IS the "real"
address.

--
  http://www.blastwave.org/ for solaris pre-packaged binaries with pkg-get
    Organized by the author of pkg-get
[Trim the no-bots from my address to reply to me by email!]

                            http://www.spamlaws.com/state/ca1.html
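
The check suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell script that pulls the source host out of remote login records in `praudit -l` output and compares it with the `(host)` column of `who`. The record layout, the event names and all sample data are assumptions constructed for illustration; on Solaris, run it under /usr/xpg4/bin/sh with nawk in place of awk.

```shell
#!/bin/sh
# Constructed sample data; the record layout is an assumption based on
# Solaris 8 `praudit -l` output (one record per line, hostnames resolved).
SAMPLE_AUDIT='header,81,2,login - telnet,,Thu Oct 09 15:30:02 2003, + 120000000 msec,subject,jdoe,jdoe,staff,jdoe,staff,4211,4211,24 1 gw.example.com,text,successful login,return,success,0
header,81,2,login - rlogin,,Thu Oct 09 15:31:40 2003, + 480000000 msec,subject,asmith,asmith,staff,asmith,staff,4302,4302,24 2 host-a.example.com,text,successful login,return,success,0
header,81,2,login - local,,Thu Oct 09 14:00:11 2003, + 10000000 msec,subject,root,root,other,root,other,388,388,0 0 e10k,text,successful login,return,success,0'
SAMPLE_WHO='root       console      Oct  9 14:00
jdoe       pts/3        Oct  9 15:30    (gw.example.com)
asmith     pts/4        Oct  9 15:31    (host-b.example.com)'

# Print "user source" for each remote login record on stdin.
audit_login_sources() {
    awk -F, '$1 == "header" && $4 ~ /^login - (telnet|rlogin)$/ {
        # The date field may itself contain a comma, so locate the subject
        # token by name instead of by fixed position.
        for (i = 5; i <= NF; i++) if ($i == "subject") {
            n = split($(i + 8), tid, " ")   # terminal ID: port info, machine
            print $(i + 1), tid[n]          # audit user ID, source machine
            break
        }
    }'
}

# Print "user source" for each who(1) line that ends in "(host)".
who_sources() {
    awk '$NF ~ /^\(.*\)$/ { print $1, substr($NF, 2, length($NF) - 2) }'
}

# compare_sources PRAUDIT_TEXT WHO_TEXT
# AGREE: who shows the same source as the audit record.
# MISMATCH: no who entry has that user/source pair.
compare_sources() {
    { printf '%s\n' "$2" | who_sources | sed 's/^/W /'
      printf '%s\n' "$1" | audit_login_sources | sed 's/^/A /'; } |
    awk '$1 == "W" { seen[$2 " " $3] = 1; next }
         { v = (($2 " " $3) in seen) ? "AGREE" : "MISMATCH"; print v, $2, $3 }'
}

compare_sources "$SAMPLE_AUDIT" "$SAMPLE_WHO"
```

`who` lists only current sessions, so the comparison is meaningful while the login in question is still active.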

 
 
 

1. BSM, Solaris 8 and auditing changes to /etc/shadow

Platforms:  sun4u, sun4m
OS: Solaris 8 [Solaris 7 and Solaris 9 would be helpful as well]

I have a requirement to check for user password updates (not the
actual passwords, just that a user updated their password).  All
users on these systems have password expiration configured.  Now,
users login via the console (non-graphical) and fire up their
X server of choice.  I ran into an anomaly where if a user's passwd
expires and the user is forced to set a new password at login time
(on the console) I cannot see the successful password update in
the audit trail.  I then thought I might be able to track changes
to file /etc/shadow, but here again I've run into some strange
behaviour...  On sun4u platforms I might be able to track
unlink(2) and link(2), but I was not able to see these on sun4m
machines (I set all flags simply for testing).

Q:  Is there a way to track password updates during the login
process on the console in the audit trail?  If so, how?  I assume
this has to do with pam_unix.so...

Any help appreciated...
