I am running Solaris 2.5 on a sparc-5.
I find the following problem when I run MIT kerberos telnetd and Solaris
BSM audit, the basic security module.
The auditd does not log info of any event of remote sessions connected
through the kerberos telnetd. At the same time, auditd works fine in
logging events of local login sessions and remote connection through
rlogind. If inside a remote login session through the kerberos telnetd,
I run su to root, then all events initiated from the root shell were
logged.
Changing the telnetd back to the default Solaris version corrects the
problem.
I was wondering where the auditd gets execution event information. I
guess it should come from the Solaris kernel; this should not be related
to a user level application like telnetd, am I right?
Any help is appreciated.
Fu Ming