Auditing in Solaris 9/10

Auditing in Solaris 9/10

Post by Rodrick Brow » Sun, 23 Oct 2005 12:48:56



Because of new laws mandated to us we have to enable auditing for all users
who are using escalated privileges via RBAC. I started looking into this and
I found BSM, which seems very complex and clearly needs to be well thought out
if you plan to roll it out successfully. Does anyone know if BSM is the only way
to go? I need to do this for Solaris 9 and 10 hosts. Thanks.

--
Rodrick R. Brown
Unix Systems Admin
http://www.rodrickbrown.com

When in 1986 Apple bought a Cray X-MP and announced that they would use it
to design the next Apple Macintosh, Seymour Cray replied, "This is very
interesting because I am using an Apple Macintosh to design the Cray-2
supercomputer."


Auditing in Solaris 9/10

Post by Casper H.S. Di » Sun, 23 Oct 2005 18:04:53



>Because of new laws mandated to us we have to enable auditing for all users
>who are using escalated privileges via RBAC. I started looking into this and
>I found BSM, which seems very complex and clearly needs to be well thought out
>if you plan to roll it out successfully. Does anyone know if BSM is the only way
>to go? I need to do this for Solaris 9 and 10 hosts. Thanks.

Yes.  That's the tool we provide to do this.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.


Auditing in Solaris 9/10

Post by Erlend Legange » Mon, 24 Oct 2005 05:36:41


Rodrick Brown wrote on 2005-10-22 05:48:

> Because of new laws mandated to us we have to enable auditing for all users
> who are using escalated privileges via RBAC. I started looking into this and
> I found BSM, which seems very complex and clearly needs to be well thought out
> if you plan to roll it out successfully. Does anyone know if BSM is the only way
> to go? I need to do this for Solaris 9 and 10 hosts. Thanks.

Take it from a BSM user - if you read up on the documentation and put
your mind to it, it isn't very difficult to set up.

The tricky part is handling the massive log data that will be generated
(or to tweak BSM not to log too much) and how to dig into the logs when
you are looking for a special incident. Personally I have found bsmGUI
to be a very nice front end for this purpose:
http://home.twmi.rr.com/jayd/bsm.html. I'm using it on Solaris 8 2/02,
but I see that it supports Sol9,10 as well.

--
- Erlend Leganger


Auditing in Solaris 9/10

Post by Geoff Lan » Mon, 24 Oct 2005 16:23:28



> Rodrick Brown wrote on 2005-10-22 05:48:
>> Because of new laws mandated to us we have to enable auditing for all users
>> who are using escalated privileges via RBAC. I started looking into this and
>> I found BSM, which seems very complex and clearly needs to be well thought out
>> if you plan to roll it out successfully. Does anyone know if BSM is the only way
>> to go? I need to do this for Solaris 9 and 10 hosts. Thanks.

> Take it from a BSM user - if you read up on the documentation and put
> your mind to it, it isn't very difficult to set up.

> The tricky part is handling the massive log data that will be generated
> (or to tweak BSM not to log too much) and how to dig into the logs when
> you are looking for a special incident. Personally I have found bsmGUI
> to be a very nice front end for this purpose:
> http://home.twmi.rr.com/jayd/bsm.html. I'm using it on Solaris 8 2/02,
> but I see that it supports Sol9,10 as well.

It really is worth the effort.  The system overhead is low, but you do have
to put some thought into how the data is managed.  I'm currently replacing a
"tripwire"-like facility with an analysis of the log entries relating to
"opened for write" files.  Now no intrusive scan of a multi-terabyte file system
looking for changes is required.

--
Geoff Lane

The truth is a virus.....
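The two practical points raised above (Erlend's: the hard part is digging a specific incident out of a large volume of BSM data; Geoff's: mining the "opened for write" records to replace a tripwire-style scan) both come down to parsing praudit(1M) output and filtering on the open(2) event flags. The following is an added example written for this thread, not code from any of the posters. It assumes the default praudit text layout on Solaris 9/10 (one token per line, comma-separated fields, each record starting with a "header" token whose last field is the timestamp and whose event name, such as "open(2) - read,write", may itself contain commas). The sample records are constructed for illustration; the escalation flag relies on the fact that the audit ID is fixed at login and survives su/pfexec, so a record whose audit uid differs from its uid was produced under escalated privileges.

```python
"""
Pull "opened for write" records out of praudit(1M) text output.

Added example, not code from the thread. It assumes the default praudit
record layout on Solaris 9/10: one token per line, comma-separated fields,
each record beginning with a 'header' token whose last field is the
timestamp and whose event name (e.g. "open(2) - read,write") may itself
contain commas. The sample records below are constructed for illustration.
A typical producer of the input would be (assumption, not from the thread):
    auditreduce -c fw,fc /var/audit/*.not_terminated.host1 | praudit
"""
from collections import Counter

# Constructed praudit output: two write opens (one successful, one denied),
# one read-only open and one login. rbrown and jdoe have picked up root via
# su/pfexec, so their audit uid (login identity) differs from their uid.
SAMPLE = """\
header,129,2,open(2) - read,write,,2005-10-24 10:15:01.000 +01:00
path,/etc/passwd
attribute,100644,root,sys,136,46,0
subject,rbrown,root,root,root,root,10046,10046,0 0 host1
return,success,3
header,129,2,open(2) - read,,2005-10-24 10:15:02.000 +01:00
path,/etc/hosts
attribute,100644,root,sys,136,47,0
subject,rbrown,rbrown,staff,rbrown,staff,10046,10046,0 0 host1
return,success,4
header,129,2,open(2) - write,creat,,2005-10-24 10:16:00.000 +01:00
path,/etc/shadow.lock
attribute,100600,root,sys,136,48,0
subject,jdoe,root,root,root,root,10050,10050,0 0 host1
return,failure: Permission denied,-1
header,80,2,login - local,,2005-10-24 10:17:00.000 +01:00
subject,jdoe,jdoe,staff,jdoe,staff,10060,10060,0 0 host1
return,success,0
"""

# open(2) flag names as they appear in BSM event names that imply modification.
WRITE_FLAGS = {"write", "creat", "trunc"}


def parse_records(text):
    """Group praudit lines into records; each record is a dict of tokens."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,<len>,<version>,<event name...>,<modifier>,<timestamp>
            # The event name may contain commas, so take it from the middle.
            current = {
                "event": ",".join(fields[3:-2]),
                "modifier": fields[-2],
                "time": fields[-1],
                "paths": [],
            }
            records.append(current)
        elif current is None:
            continue  # stray tokens before the first header: skip
        elif token == "path":
            current["paths"].append(",".join(fields[1:]))
        elif token == "subject":
            # subject,<audit uid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
            current["auid"] = fields[1]
            current["uid"] = fields[2]
            current["pid"] = fields[6]
        elif token == "return":
            current["status"] = fields[1]
            current["retval"] = fields[-1]
    return records


def open_flags(event):
    """'open(2) - read,write' -> {'read', 'write'}; non-open events -> set()."""
    if not event.startswith("open(2)"):
        return set()
    _, _, flags = event.partition(" - ")
    return {f.strip() for f in flags.split(",") if f.strip()}


def write_opens(records, successful_only=False):
    """Records where a file was opened with write intent (Geoff's criterion)."""
    out = []
    for r in records:
        if not (open_flags(r["event"]) & WRITE_FLAGS):
            continue
        if successful_only and r.get("status") != "success":
            continue
        out.append({
            "time": r["time"],
            "path": r["paths"][0] if r["paths"] else "",
            "auid": r.get("auid"),
            "uid": r.get("uid"),
            # audit uid is set at login and survives su/pfexec, so a mismatch
            # means the open happened under escalated privileges.
            "escalated": r.get("auid") != r.get("uid"),
            "status": r.get("status"),
        })
    return out


def writes_by_user(records):
    """Count write opens per audit uid, i.e. per real login identity."""
    return Counter(w["auid"] for w in write_opens(records))


if __name__ == "__main__":
    for w in write_opens(parse_records(SAMPLE)):
        flag = " (escalated)" if w["escalated"] else ""
        print(f"{w['time']} {w['auid']} as uid {w['uid']}{flag}: "
              f"{w['path']} -> {w['status']}")
```

Feed it `auditreduce ... | praudit` output and the per-path list is the change record Geoff describes; the `auid`/`uid` comparison is what answers Rodrick's question about users acting through escalated privileges. On volume (Erlend's point), narrowing the selection at the source is cheaper than filtering afterwards: the flags line in audit_control and the per-user entries in audit_user decide which classes are recorded at all, and auditreduce's `-c` (class) and `-m` (event) options cut the data down before praudit ever sees it. Note that the creat and trunc variants of open(2) sit in the fc and fd classes rather than fw, so selecting only fw would miss them.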