Thoughts on Solaris BSM Auditing

Thoughts on Solaris BSM Auditing

Post by Robert Ada » Thu, 30 Jun 1994 04:07:16


I'd like to poll the Solaris security community to get your
thoughts and ideas surrounding the Solaris 2.X Shield Basic
Security Module auditing features.

I have been tasked with the evaluation and configuration of
BSM (C-2) auditing on our Solaris 2.X systems. Please send me E-Mail
giving your thoughts and ideas (Good and bad) on some of the following:

1.      What events are you auditing?
2.      How do you control the audit files?
3.      What is the size of your user base?
4.      How much space do the audit files consume?
5.      Do you think it's worth it?
6.      How do you monitor for significant events ?
7.      Is there a better way ?
8.      What problems did you have setting up BSM ?
9.      Is there a way to customize the events and classes?
10.     If so, what type of customizations did you make?
11.     Are you able to audit custom applications ?

Thanks for your help.

Bob Adams
Eastman Kodak Company



1. BSM, Solaris 8 and auditing changes to /etc/shadow

Platforms:  sun4u, sun4m
OS: Solaris 8 [Solaris 7 and Solaris 9 would be help as well]

I have a requirement to check for user password updates (not the
actual passwords, just that a user updated their password).  All
users on these systems have password expiration configured.  Now,
users login via the console (non-graphical) and fire up their
X server of choice.  I ran into an anomily where if a users passwd
expires and the user if forced to set a new password at login time
(on the console) I cannot see the sucessfull password update in
the audit trail.  I then though I might be able to track changes
to file /etc/shadow, but here again I've run into some strange
behaviour...  On sun4u platforms I might be able to track
unlink(2) and link(2), but I was not able to see these on sun4m
machines (I set all flags simply for testing).

Q:  Is there a way to track password updates during the login
process on the console in the audit trail?  If so, how?  I assume
this has to do with

Any help appreciated...

2. Alias and tcsh...

3. Auditing printing using Solaris BSM.

4. Update module of shared lib?

5. Adding Solaris BSM auditing to a program

6. Removing Lock/Logout from tray

7. Solaris 8 BSM audit data error

8. How I can create shared library

9. bsm pr audit under solaris 8

10. How does Solaris BSM audit work?

11. Help: Creating Concise Solaris BSM Audit Trails

12. Does *anyone* use BSM (auditing)

13. configuring auditing on 2.3 with the BSM