by Bob » Fri, 05 Dec 1997 04:00:00
I'm just curious. We're running a Sprac 3000 w/ 2.5.1 - our auditors
insist on us providing information that requires the auditting software
(enabled by running bsmconv, then configuring audit_control, etc).
Is anyone out there using this? Any help hints you can give me?
- Bob N.
by sp00 » Wed, 10 Dec 1997 04:00:00
Read the BSM manual, and make shure you audit the events you want toQuote:>I'm just curious. We're running a Sprac 3000 w/ 2.5.1 - our auditors
>insist on us providing information that requires the auditting software
>(enabled by running bsmconv, then configuring audit_control, etc).
>Is anyone out there using this? Any help hints you can give me?
>- Bob N.
by Richard B. John » Thu, 11 Dec 1997 04:00:00
Read the BSM manual, and make shure you audit the events you want to
Howdy.Quote:> audit, Personally just from playing with it, the output is very terse,
> but it does log everything if u set it up right.... and there is no
> way to remove the module w/o rebooting and running the bsmunconv
> script, so if you send all that data to a remote machine that is
> secure, you should be set..... becarefull on what u set as far as
> flags and what to log, you can fill a good 1-2 gig drive up in qa day
> on a personal workstation if the audit flags are wrong. the "auditors"
> do they know how to read the cryptic output of the module? I mean you
> have to know what the hell you are doing for those logs to make any
> sense....... otherwise your wasting CPU cycles and space... In the
> answerbook or if you have the hard copy documentation set for sun
> they have a good 100 pages on setting it up and what to audit etc...
Since BSM provides the security features defined as C2, a number of
military systems that I've worked on have had BSM enabled. However,
auditing will fill up /var and hose your system faster than most anything
I've seen. Plus there are hard and soft limits and all sorts of stuff that
can be audited. On one system I worked on, we had a requirement to turn
BSM on, but we didn't have anything configured to audit so we met the
requirement (auditing enable, but they never told us what they wanted
audited).
Only root (or a UID of 0) can review the logs, trim the logs, print the
logs and do whatever needs to be done to administer the auditing logs. You
must use special commands like `auditreduce` and `praudit` to get the logs
into a human readable format and to print them.
All I can say is good luck.
Regards,
Rich Johns
1. Is *anyone* using the BSM/audit features?
(If emailing, use "bobn at interaccess dot com")
Am I the only one on the planet using this? Just curious, and if so,
how do the rest of you satisfy your audit person's desire that you be
able to account for who did what to which and when did they do it?
3. Auditing printing using Solaris BSM.
4. static ARP increases network security ?
6. include/gnu
7. BSM, Solaris 8 and auditing changes to /etc/shadow
8. Turning off precompression1 in PPP from Solaris 2.5
9. Thoughts on Solaris BSM Auditing
10. configuring auditing on 2.3 with the BSM
11. Viable solution for reading BSM audit records
12. Adding Solaris BSM auditing to a program
13. Solaris 8 BSM audit data error