Does *anyone* use BSM (auditing)

Does *anyone* use BSM (auditing)

Post by Bob » Fri, 05 Dec 1997 04:00:00



I'm just curious.  We're running a Sparc 3000 w/ 2.5.1 - our auditors
insist on us providing information that requires the auditing software
(enabled by running bsmconv, then configuring audit_control, etc).

Is anyone out there using this?  Any help or hints you can give me?

- Bob N.


Does *anyone* use BSM (auditing)

Post by sp00 » Wed, 10 Dec 1997 04:00:00



Quote:>I'm just curious.  We're running a Sparc 3000 w/ 2.5.1 - our auditors
>insist on us providing information that requires the auditing software
>(enabled by running bsmconv, then configuring audit_control, etc).

>Is anyone out there using this?  Any help or hints you can give me?

>- Bob N.

Read the BSM manual, and make sure you audit the events you want to
audit. Personally, just from playing with it, the output is very terse,
but it does log everything if you set it up right, and there is no
way to remove the module w/o rebooting and running the bsmunconv
script, so if you send all that data to a remote machine that is
secure, you should be set. Be careful on what you set as far as
flags and what to log; you can fill a good 1-2 gig drive up in a day
on a personal workstation if the audit flags are wrong. The "auditors":
do they know how to read the cryptic output of the module? I mean you
have to know what the hell you are doing for those logs to make any
sense, otherwise you're wasting CPU cycles and space. In the
AnswerBook, or if you have the hard copy documentation set from Sun,
they have a good 100 pages on setting it up and what to audit etc.
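
The flag choice the post above warns about is easy to check mechanically. Below is an added example, written for this page and not code from the thread or from Sun: a small Python linter for an audit_control(4) file that flags high-volume classes audited for success, a single trail directory with no fallback, and a missing minfree. The key:value layout, the '#' comment convention and the class names are assumed to be those of a stock Solaris 2.x audit_class(4); which classes count as "noisy" is this example's judgment, not a Sun definition, and both sample files are constructed.

```python
"""Added example, not from the original thread: lint a Solaris BSM
audit_control(4) file for the settings that fill /var/audit.

Assumptions (not stated on the page): classic key:value layout (dir:,
flags:, naflags:, minfree:), '#' comment lines, and the class names of a
stock Solaris 2.x audit_class(4). "Noisy" is a judgment call.
"""

# Audit classes from a stock Solaris 2.x /etc/security/audit_class
# (assumption: no site-specific classes have been added).
KNOWN_CLASSES = {
    "no", "fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
    "na", "ad", "lo", "ap", "io", "ex", "ot", "all",
}

# Classes that emit a record for a large fraction of system calls on a busy
# box; auditing their successes is what fills a 1-2 GB disk in a day.
NOISY_CLASSES = {"all", "fr", "fw", "fa", "cl", "io", "ot"}

# Constructed files for the demonstration (not real configs from the page).
OVERBROAD = """\
dir:/var/audit
flags:all
minfree:20
naflags:lo
"""

BASELINE = """\
# constructed audit_control: answer "who logged in, who did admin work,
# what failed" without recording every successful read and write
dir:/var/audit
dir:/export/audit2
minfree:20
flags:lo,ad,-fc,-fd,-fm,pc
naflags:lo
"""


def parse_flags(value):
    """Split 'lo,ad,-fc' into [(prefix, class), ...].

    No prefix audits successes and failures, '+' successes only,
    '-' failures only (so '-fc' is "failed file creates", which is cheap).
    """
    entries = []
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        prefix = ""
        if tok[0] in "+-":
            prefix, tok = tok[0], tok[1:]
        if tok not in KNOWN_CLASSES:
            raise ValueError("unknown audit class: %r" % tok)
        entries.append((prefix, tok))
    return entries


def parse_audit_control(text):
    """Return {'dir': [...], 'flags': [...], 'naflags': [...], 'minfree': int|None}."""
    cfg = {"dir": [], "flags": [], "naflags": [], "minfree": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "dir":
            cfg["dir"].append(value)
        elif key in ("flags", "naflags"):
            cfg[key] = parse_flags(value)
        elif key == "minfree":
            cfg["minfree"] = int(value)
        else:
            raise ValueError("unknown keyword: %r" % key)
    return cfg


def lint(cfg):
    """List the settings that bite in production; an empty list is a pass."""
    warnings = []
    classes = {c for _, c in cfg["flags"]}
    noisy = [p + c for p, c in cfg["flags"] if c in NOISY_CLASSES and p != "-"]
    if noisy:
        warnings.append("flags audit high-volume classes for successes: %s"
                        % ",".join(noisy))
    for needed, why in (("lo", "logins/logouts"), ("ad", "administrative actions")):
        if needed not in classes and "all" not in classes:
            warnings.append("flags do not include %s (%s)" % (needed, why))
    if cfg["minfree"] is None:
        warnings.append("no minfree: no early warning before the trail filesystem fills")
    if not cfg["dir"]:
        warnings.append("no dir entries: the trail has nowhere to go")
    elif len(cfg["dir"]) == 1:
        warnings.append("only one dir entry: no fallback when it fills")
    if "lo" not in {c for _, c in cfg["naflags"]}:
        warnings.append("naflags lack lo: failed logins with no audit ID yet are lost")
    return warnings


if __name__ == "__main__":
    for name, text in (("overbroad", OVERBROAD), ("baseline", BASELINE)):
        print(name + ":")
        for w in lint(parse_audit_control(text)) or ["no warnings"]:
            print("  " + w)
```

Run it against your own /etc/security/audit_control before a reboot with auditing on; the "-" prefix is the cheap way to keep failure evidence (failed opens, creates, deletes) without paying for every successful read and write.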


Does *anyone* use BSM (auditing)

Post by Richard B. John » Thu, 11 Dec 1997 04:00:00


Quote:> Read the BSM manual, and make sure you audit the events you want to
> audit. Personally, just from playing with it, the output is very terse,
> but it does log everything if you set it up right, and there is no
> way to remove the module w/o rebooting and running the bsmunconv
> script, so if you send all that data to a remote machine that is
> secure, you should be set. Be careful on what you set as far as
> flags and what to log; you can fill a good 1-2 gig drive up in a day
> on a personal workstation if the audit flags are wrong. The "auditors":
> do they know how to read the cryptic output of the module? I mean you
> have to know what the hell you are doing for those logs to make any
> sense, otherwise you're wasting CPU cycles and space. In the
> AnswerBook, or if you have the hard copy documentation set from Sun,
> they have a good 100 pages on setting it up and what to audit etc.

Howdy.

Since BSM provides the security features defined as C2, a number of
military systems that I've worked on have had BSM enabled.  However,
auditing will fill up /var and hose your system faster than most anything
I've seen.  Plus there are hard and soft limits and all sorts of stuff that
can be audited.  On one system I worked on, we had a requirement to turn
BSM on, but we didn't have anything configured to audit, so we met the
requirement (auditing enabled, but they never told us what they wanted
audited).

Only root (or a UID of 0) can review the logs, trim the logs, print the
logs and do whatever needs to be done to administer the auditing logs.  You
must use special commands like `auditreduce` and `praudit` to get the logs
into a human readable format and to print them.

All I can say is good luck.

Regards,

Rich Johns
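
The post above is right that praudit output is what you end up reading, and the original question was how to account for "who did what to which and when". As an added example (not code from the thread, from Sun, or from either poster), here is a small Python reducer over praudit(1M)-style text that answers exactly that. It assumes the classic comma-separated praudit layout, one token per line, records starting at a header token, with the field order of audit.log(4) (header: event in the 4th field, time in the 6th; subject: audit-ID, uid, gid, ruid, rgid, pid, session-ID, terminal-ID); the sample trail is constructed, not real audit data, and the select() function is a text-side stand-in for what auditreduce does on the binary trail before praudit.

```python
"""Added example, not from the original thread: reduce praudit(1M)-style
text to "who did what to which, when, and did it work" lines.

Assumptions (not stated on the page): classic comma-separated praudit
output, one token per line, records starting at a header token, with the
audit.log(4) field order. The trail below is constructed, not real data.
"""

# Constructed praudit output for a login, a failed open of /etc/shadow and
# an su. Note the subject's audit ID stays 'bob' after su to root.
SAMPLE_TRAIL = """\
header,81,2,login - local,,Thu Dec 11 09:12:03 1997, + 104 msec
subject,bob,bob,staff,bob,staff,1832,1832,0 0 sun3000
text,successful login bob
return,success,0
header,96,2,open(2) - read,,Thu Dec 11 09:15:40 1997, + 221 msec
subject,bob,bob,staff,bob,staff,1840,1832,0 0 sun3000
path,/etc/shadow
attribute,100400,root,sys,8388614,4263,0
return,failure: Permission denied,-1
header,77,2,su,,Thu Dec 11 09:16:02 1997, + 17 msec
subject,bob,root,other,root,other,1841,1832,0 0 sun3000
text,success for user root
return,success,0
"""


def parse_praudit(text):
    """Group tokens into records; keep the fields an auditor asks about."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            cur = {"event": fields[3], "time": fields[5].strip(),
                   "paths": [], "ok": None}
            records.append(cur)
        elif cur is None:
            raise ValueError("token before first header: %r" % line)
        elif tok == "subject":
            cur["audit_uid"] = fields[1]   # set at login, survives su
            cur["uid"] = fields[2]         # effective uid at the time
            cur["pid"], cur["session"], cur["terminal"] = fields[6:9]
        elif tok == "path":
            cur["paths"].append(fields[1])
        elif tok == "text":
            cur["text"] = ",".join(fields[1:])
        elif tok == "return":
            cur["status"] = fields[1]
            cur["ok"] = fields[1] == "success"
        # attribute, exec_args and other tokens are not needed for the summary
    return records


def select(records, audit_uid=None, failed_only=False, path=None):
    """Text-side stand-in for auditreduce -u / -e style selection."""
    out = []
    for r in records:
        if audit_uid and r.get("audit_uid") != audit_uid:
            continue
        if failed_only and r["ok"]:
            continue
        if path and path not in r["paths"]:
            continue
        out.append(r)
    return out


def summarize(records):
    """One line per record: when, who (audit ID), as whom, what, which, outcome."""
    lines = []
    for r in records:
        which = " ".join(r["paths"]) or r.get("text", "")
        outcome = {True: "ok", False: "FAILED", None: "no return"}[r["ok"]]
        lines.append("%s | %s as uid %s | %s | %s | %s" % (
            r["time"], r.get("audit_uid", "?"), r.get("uid", "?"),
            r["event"], which, outcome))
    return lines


if __name__ == "__main__":
    trail = parse_praudit(SAMPLE_TRAIL)
    print("\n".join(summarize(trail)))
    print("failed actions by bob:")
    print("\n".join(summarize(select(trail, audit_uid="bob", failed_only=True))))
```

The point worth taking to the auditors is the third record: after su the uid is root but the audit ID is still bob, so "who" should always be answered from the audit ID, not the uid. On a real box the input would come from `auditreduce ... | praudit`, run as root, since only UID 0 can read the trail.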


1. Is *anyone* using the BSM/audit features?

(If emailing, use "bobn at interaccess dot com")

Am I the only one on the planet using this?  Just curious, and if so,
how do the rest of you satisfy your audit person's desire that you be
able to account for who did what to which and when did they do it?
