Log file for BSM (auditd)

Post by ns » Thu, 10 Mar 2005 23:18:13

Hi all,

- I enabled BSM by running the script /etc/security/bsmconv
- The file /etc/system is updated. I rebooted the server.
- The process auditd is started at boot.

Now I have a binary file in the directory:
/var/audit/20050309114754.not_terminated.MyServer

Can you tell me how I can read this file?
Where does the auditd process log data (/var/adm/messages...?)

Does BSM consume a lot of memory/CPU?

Thank you very much for your help
NS


Log file for BSM (auditd)

Post by ns » Thu, 10 Mar 2005 23:31:01


PRAUDIT can be used to convert audit data into several ASCII formats.

But does BSM use a lot of memory/CPU?

Thank You very much

Best Regards
NS



> Hi all,

> - I enabled BSM by running the script /etc/security/bsmconv
> - The file /etc/system is updated. I rebooted the server.
> - The process auditd is started at boot.

> Now I have a binary file in the directory:
> /var/audit/20050309114754.not_terminated.MyServer

> Can you tell me how I can read this file?
> Where does the auditd process log data (/var/adm/messages...?)

> Does BSM consume a lot of memory/CPU?

> Thank you very much for your help
> NS



Log file for BSM (auditd)

Post by Jay G. Sco » Fri, 11 Mar 2005 04:57:12

>PRAUDIT can be used to convert audit data into several ASCII formats.

>But does BSM use a lot of memory/CPU?

depends.

i think it matters how much stuff you record in the audit.
if you gather a lot of stuff, it takes more.
probably more important is the age of the machine.  there's a
machine here with CPUs at 300MHz, i think that's right, and
it was painful enough to make them stop doing it.  the people
involved were fairly impatient, so it may have been around
10%.  which is a lot, but....

on my 880, i turned it off and nobody noticed anything.

j.

>Thank You very much

>Best Regards
>NS



>> Hi all,

>> - I enabled BSM by running the script /etc/security/bsmconv
>> - The file /etc/system is updated. I rebooted the server.
>> - The process auditd is started at boot.

>> Now I have a binary file in the directory:
>> /var/audit/20050309114754.not_terminated.MyServer

>> Can you tell me how I can read this file?
>> Where does the auditd process log data (/var/adm/messages...?)

>> Does BSM consume a lot of memory/CPU?

>> Thank you very much for your help
>> NS

--

Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div., S224
University of Texas at Austin

Log file for BSM (auditd)

Post by Geoff Lan » Fri, 11 Mar 2005 04:23:25

> on my 880, i turned it off and nobody noticed anything.

I run a limited BSM audit on everything from an Ultra 5 to an 880 with no
noticeable overhead. You do have to manage the log files in /var/audit.

--
Geoff Lane
Any comedy program described a "Zany" in the program guide will be rubbish.
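Geoff's point about managing the files in /var/audit, as an added example that is not part of the thread: a small POSIX sh script that separates closed audit trail files from the one auditd is still writing, so only closed trails get moved aside. It relies on the START.END.HOST naming visible in NS's file name (END is the literal not_terminated while the file is open and a YYYYMMDDhhmmss stamp once the trail is closed); the audit directory, the cutoff stamp and the archive path are assumed parameters, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: select closed BSM audit trail files
# for archiving while leaving the file auditd is still writing alone.
# auditd names trail files START.END.HOST. END is the literal
# "not_terminated" while the file is open and a YYYYMMDDhhmmss stamp once
# the trail has been closed. The audit directory, cutoff stamp and archive
# directory are assumed parameters. Reading a trail is still praudit's job.

# trail_end NAME: print the END field of a trail file name.
trail_end() {
    rest=${1#*.}                  # strip START.
    printf '%s\n' "${rest%%.*}"   # keep up to the next dot
}

# closed_trails_before DIR CUTOFF: print closed trail files in DIR whose END
# stamp is older than CUTOFF (YYYYMMDDhhmmss). Stamps are fixed-width digit
# strings, so an integer comparison orders them by time. The active
# not_terminated file and anything that is not a trail file are skipped.
closed_trails_before() {
    dir=$1
    cutoff=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        end=$(trail_end "${f##*/}")
        case "$end" in
            not_terminated) continue ;;   # auditd is still writing this one
            *[!0-9]*) continue ;;         # END is not a stamp: not a trail
        esac
        [ "${#end}" -eq 14 ] || continue
        if [ "$end" -lt "$cutoff" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# archive_closed_trails DIR CUTOFF ARCHIVE: move the files selected above
# into ARCHIVE and print how many were moved. Trail names contain no
# whitespace, so word-splitting the list is safe here.
archive_closed_trails() {
    dir=$1
    cutoff=$2
    archive=$3
    mkdir -p "$archive" || return 1
    n=0
    for f in $(closed_trails_before "$dir" "$cutoff"); do
        mv "$f" "$archive/" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Typical call on a live system (a literal cutoff stamp, assumed values):
#   archive_closed_trails /var/audit 20050301000000 /var/audit/archive
```

Run it against /var/audit with a cutoff stamp; the trail auditd is still writing stays where it is, and praudit can read any closed file you keep or move.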


Question about Solaris BSM and Auditd

I am running Solaris 2.5 on a sparc-5.

I find the following problem when I run MIT kerberos telnetd and Solaris
BSM audit, the basic security module.

The auditd does not log info of any event of remote sessions connected
through the kerberos telnetd. At the same time, auditd works fine in
logging events of local login sessions and remote connection through
rlogind. If inside a remote login session through the kerberos telnetd,
I run su to root, then all events initiated from the root shell were
logged.

Changing the telnetd back to the default Solaris version corrects the
problem.

I was wondering where the auditd gets execution event information. I
guess it should come from the Solaris kernel; this should not be related
to a user-level application like telnetd, am I right?

Any help is appreciated.

Fu Ming
