I recently activated BSM on a Sparc5 running Solaris 2.5.1. Running
the audit files through praudit I am getting very weird results.
header,102,2,execve(2),,Thu Jul 16 23:24:32 1998, + 355502906 msec
subject,-2,root,other,root,other,357,0,0 0 0.0.0.0
I am not sure that -2 is coming from, or why it is there. I would
like to use BSM to track illegal root transitions. I am following the
article in Sys Admin, August Issue. pg 29.
http://www.real-time.com | Fax : (612)943-8500
Key fingerprint = 6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9