BSM on 2.5.1 not working

Post by Bob Tann » Sat, 18 Jul 1998 04:00:00



I recently activated BSM on a Sparc5 running Solaris 2.5.1. Running
the audit files through praudit I am getting very weird results.

header,102,2,execve(2),,Thu Jul 16 23:24:32 1998, + 355502906 msec
path,/usr/bin/w
attribute,104555,root,bin,8388638,2488,0
subject,-2,root,other,root,other,357,0,0 0 0.0.0.0
return,success,0

I am not sure where that -2 is coming from, or why it is there. I would
like to use BSM to track illegal root transitions. I am following the
article in Sys Admin, August Issue. pg 29.

--

http://www.real-time.com                | Fax   : (612)943-8500
Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9

 
 
 

1. How does Solaris BSM audit work?

I am using Solaris 2.5 on a Sparc-5, and I have the BSM audit turned on.

The audit function works as the document says until I find the
following:

Telnet sessions that went in through kerberos telnetd were not audited,
but telnet through Solaris telnetd is audited. Run su from a kerberos
telnet shell, and the commands issued in the subsequent shell forked out
from su get audited.

I assume that kerberos did not set the audit user id, "setauid()", and that
results in this problem. I changed the login.krb5 login program of kerberos
and patched it to call setauid() to set the audit user id to the login user
id before setting the real user id. Yet login sessions through kerberos
telnet are still not audited.

Can anyone enlighten me on this?

Thanks

Fu Ming
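
An added example, not part of either post: both posts turn on the audit ID, the first field of the praudit subject token, which BSM reports as -2 when no audit ID was ever set for the process (the situation setauid() is meant to prevent). This Python sketch parses praudit text output and separates records with an unset audit ID from records where root is the effective user under a different audit ID. The second sample record and the user name "alice" are constructed, and the classification labels are this example's own.

```python
# Added example: scan praudit text output for unset audit IDs and root transitions.
NO_AUDIT_ID = "-2"  # value praudit shows when no audit ID was assigned

# First record is the one quoted in the post; the second is constructed.
SAMPLE = """\
header,102,2,execve(2),,Thu Jul 16 23:24:32 1998, + 355502906 msec
path,/usr/bin/w
attribute,104555,root,bin,8388638,2488,0
subject,-2,root,other,root,other,357,0,0 0 0.0.0.0
return,success,0
header,102,2,execve(2),,Thu Jul 16 23:25:10 1998, + 120000000 msec
path,/usr/bin/ls
attribute,100555,root,bin,8388638,2490,0
subject,alice,root,other,root,other,412,398,24 2 host1
return,success,0
"""

# Subject token layout: audit ID, effective uid/gid, real uid/gid, pid, session, terminal.
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")

def parse_records(text):
    """Group praudit lines into records; each record starts at a header token."""
    records, current = [], None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            current = {"event": rest.split(",")[2], "path": None, "subject": None}
            records.append(current)
        elif current is None:
            continue  # stray line before the first header
        elif token == "path":
            current["path"] = rest
        elif token == "subject":
            current["subject"] = dict(zip(SUBJECT_FIELDS, rest.split(",", 7)))
    return records

def classify(record):
    """Return 'no-audit-id', 'root-transition' or 'ok' for one record."""
    subj = record["subject"]
    if subj is None:
        return "ok"
    if subj["auid"] == NO_AUDIT_ID:
        return "no-audit-id"      # process never received an audit ID
    if subj["euid"] == "root" and subj["auid"] != "root":
        return "root-transition"  # acting as root, but logged in as someone else
    return "ok"

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(classify(rec), rec["event"], rec["path"], rec["subject"]["auid"])
```

Records classified as no-audit-id cannot be attributed to a login, so they are worth reviewing separately from genuine root transitions.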
