Help: Creating Concise Solaris BSM Audit Trails

Post by Jeff Shephe » Tue, 15 Aug 1995 04:00:00

Have recently been introduced to Solaris BSM and audit trails.  I have
been working with auditreduce and praudit to get more manageable output.
I called Sun Service to find out if there is any way to get nicer, more
concise output than what praudit produces.  They said yes, but I needed to
write a script to format the output to my pleasure.

Is there anyone that has already created the framework of a praudit 'nice'
formatter and is willing to share?  Perhaps there is an archive out there
I could be pointed to.  I'm eager to do more footwork if I'm pointed in
the right direction.

- Jeff -
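
A minimal formatter of the kind asked about above, as an added example that is not part of the original post and not Sun's code. It assumes praudit's default text layout (one comma-delimited token per line, each record opening with a `header` token); the function name `praudit_concise` and the sample trail are constructed for illustration.

```shell
#!/bin/sh
# Condense praudit text output to one line per audit record.
# Assumed token layouts (praudit default output):
#   header,<bytes>,<version>,<event>,<modifier>,<date time>, + <n> msec
#   subject,<auid>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<sid>,<terminal id>
#   path,<pathname>
#   text,<string>
#   return,<status>,<value>
# Usage on an audited host: auditreduce | praudit | praudit_concise
praudit_concise() {
    awk -F, '
    # Print the record collected so far (nothing before the first header).
    function emit() {
        if (event == "") return
        printf "%s | %s | auid=%s euid=%s pid=%s | %s%s\n", when, event, auid, euid, pid, result, detail
    }
    # A header token starts a new record: flush the previous one and reset.
    $1 == "header"  { emit(); event = $4; when = $6
                      auid = euid = pid = "-"; result = "?"; detail = "" }
    $1 == "subject" { auid = $2; euid = $3; pid = $7 }
    $1 == "path"    { detail = detail " path=" $2 }
    # Text may itself contain commas, so take everything after "text,".
    $1 == "text"    { detail = detail " text=\"" substr($0, 6) "\"" }
    $1 == "return"  { result = $2 "(" $3 ")" }
    END { emit() }
    '
}

# Constructed sample trail (not real audit data) for trying the formatter offline.
sample_trail() {
    cat <<'EOF'
header,81,2,login - local,,Mon Aug 14 10:00:00 1995, + 120 msec
subject,jeff,jeff,staff,jeff,staff,412,412,0 0 host1
text,successful login
return,success,0
header,97,2,open(2) - read,,Mon Aug 14 10:02:11 1995, + 480 msec
path,/etc/shadow
subject,jeff,jeff,staff,jeff,staff,431,412,0 0 host1
return,failure: Permission denied,-1
EOF
}
```

Tokens the function does not recognise (for example the `file` tokens that bracket a trail) are skipped, so further fields can be added one rule at a time.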


1. BSM, Solaris 8 and auditing changes to /etc/shadow

Platforms:  sun4u, sun4m
OS: Solaris 8 [Solaris 7 and Solaris 9 would be helpful as well]

I have a requirement to check for user password updates (not the
actual passwords, just that a user updated their password).  All
users on these systems have password expiration configured.  Now,
users login via the console (non-graphical) and fire up their
X server of choice.  I ran into an anomaly where if a user's passwd
expires and the user is forced to set a new password at login time
(on the console) I cannot see the successful password update in
the audit trail.  I then thought I might be able to track changes
to file /etc/shadow, but here again I've run into some strange
behaviour...  On sun4u platforms I might be able to track
unlink(2) and link(2), but I was not able to see these on sun4m
machines (I set all flags simply for testing).

Q:  Is there a way to track password updates during the login
process on the console in the audit trail?  If so, how?  I assume
this has to do with

Any help appreciated...
