BSM question

Post by nosp » Wed, 06 Oct 1999 04:00:00

>can anyone suggest a good reference on using BSM, configuring to detect
>security violations, and understanding its output. thanks.

There are several good articles online that discuss this in varying degrees
of detail. There was one big article on automatically detecting root
transitions; it was in SysAdmin or SunWorld...

See also:
        http://olympus.cs.ucdavis.edu/misuse/prototypes/bsm.html

As docs.sun.com says 'an improperly set up audit system can fill up a
hard drive in minutes'. BSM generates massive amounts of data.

BSM question

Post by ten.. » Thu, 07 Oct 1999 04:00:00

can anyone suggest a good reference on using BSM, configuring to detect
security violations, and understanding its output. thanks.

Sent via Deja.com http://www.deja.com/
Before you buy.

BSM question

Post by ten.. » Thu, 07 Oct 1999 04:00:00

> >can anyone suggest a good reference on using BSM, configuring to detect
> >security violations, and understanding its output. thanks.

> There are several good articles online that discuss this in varying degrees
> of detail. There was one big article on automatically detecting root
> transitions; it was in SysAdmin or SunWorld...

> See also:
>    http://olympus.cs.ucdavis.edu/misuse/prototypes/bsm.html

> As docs.sun.com says 'an improperly set up audit system can fill up a
> hard drive in minutes'. BSM generates massive amounts of data.

thanks. if someone has the links to the article, kindly send me an
email. I'm checking SunWorld and SysAdmin; hope I can find it. tia.

1. BSM question

Hi,

I am currently experimenting with BSM on a Solaris workstation, and more
precisely, I am trying to write a program to manipulate a BSM audit
file (it can be seen as a "praudit"-like program).

Therefore, I am looking for functions which read a BSM file and fill
some BSM structures defined in the header file "bsm_record.h".

In the header file "libbsm.h" installed on my machine (a Sun SPARC with
Solaris 2.7), one can find:

|   .......
|
| /*
|  * Functions that do I/O for audit files
|  */
|
| #ifdef  __STDC__
| extern int      au_close(int, int, short);
| extern int      au_open(void);
| extern int      au_write(int, token_t *);
| extern int      au_read_rec(FILE *, char **);
| extern int      au_fetch_tok(au_token_t *, char *, int);
| extern int      au_print_tok(FILE *, au_token_t *, char *, char *, char *, int);
|

The first three functions ("au_close", "au_open", "au_write") are documented
in the man pages, but do not correspond to my needs.

On the other hand, I cannot find any information about the three others,
and I have the feeling they correspond to what I am looking for
(especially "au_read_rec" and "au_fetch_tok").

I have tried to "discover" what is done by these functions by implementing a
short program which used these functions. When compiling this program, the
linker produces an "undefined symbol" error. Indeed, executing "nm" on
"libbsm.a" shows that there is no symbol corresponding to these functions.

Can anybody here give me some more information about these functions? Are
they really implemented?

If I'm on the wrong track, can you give me some references to the well-suited
documentation?

Thanks in advance

--
jpp
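Added here as an illustration, not part of the thread and not libbsm's own code: when au_read_rec and au_fetch_tok are missing from libbsm.a, a praudit-like program has to walk the audit record itself. The C block below parses one constructed BSM record (header32, text, return32 and trailer tokens), bounds-checks every token against the header byte count, and rejects truncated or inconsistent records; the struct, function names and sample bytes are this example's own.

```c
/* Added example, not libbsm code (does not use au_read_rec/au_fetch_tok):
 * a minimal praudit-style walker for one BSM record using the header32,
 * text, return32 and trailer token layouts. Sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define AUT_TRAILER 0x13
#define AUT_HEADER32 0x14
#define AUT_RETURN32 0x27
#define AUT_TEXT 0x28
#define TRAILER_MAGIC 0xB105
struct bsm_rec { uint32_t len, secs, retval; uint16_t event; int status, ntok; char text[64]; };
struct bsm_rec bsm_last;                       /* filled by bsm_parse_sample() */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
/* Parse one record: 0 on success, -1 if malformed (bad header or byte count, truncated/unknown token, bad trailer). */
int bsm_parse_record(const uint8_t *buf, size_t buflen, struct bsm_rec *r)
{
    size_t off = 18, need;                     /* header32 token is 18 bytes */
    memset(r, 0, sizeof *r);
    if (buflen < off || buf[0] != AUT_HEADER32) return -1;
    r->len = be32(buf + 1);
    if (r->len > buflen || r->len < off + 7) return -1;   /* room for trailer */
    r->event = be16(buf + 6);                  /* event type (modifier at 8) */
    r->secs = be32(buf + 10);                  /* seconds (msec at 14) */
    for (r->ntok = 1; off < r->len; r->ntok++, off += need) {
        uint8_t id = buf[off];
        if (id == AUT_TEXT) {                  /* id, 2-byte len, text incl. NUL */
            if (off + 3 > r->len) return -1;
            need = 3 + be16(buf + off + 1);
            if (off + need > r->len) return -1;
            size_t c = need - 3 < sizeof r->text ? need - 3 : sizeof r->text - 1;
            memcpy(r->text, buf + off + 3, c); r->text[c] = '\0';
        } else if (id == AUT_RETURN32) {       /* id, 1-byte status, 4-byte value */
            need = 6; if (off + 6 > r->len) return -1;
            r->status = buf[off + 1]; r->retval = be32(buf + off + 2);
        } else if (id == AUT_TRAILER) {        /* id, magic 0xB105, byte count */
            if (off + 7 != r->len || be16(buf + off + 1) != TRAILER_MAGIC ||
                be32(buf + off + 3) != r->len) return -1;
            r->ntok++; return 0;
        } else return -1;                      /* unknown token: cannot skip it */
    }
    return -1;                                 /* byte count ran out before trailer */
}
/* Constructed sample: header32 (event 6, secs 0x38000000), text "login", return32 (status 0), trailer; 40 bytes. */
const uint8_t bsm_sample_rec[40] = {
    0x14, 0,0,0,0x28, 0x02, 0,0x06, 0,0, 0x38,0,0,0, 0,0,0,0,
    0x28, 0,0x06, 'l','o','g','i','n',0,  0x27, 0, 0,0,0,0,  0x13, 0xB1,0x05, 0,0,0,0x28 };
int bsm_parse_sample(size_t buflen) { return bsm_parse_record(bsm_sample_rec, buflen, &bsm_last); } /* buflen < 40 = truncated file */
```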
