How does Solaris BSM audit work?


Post by Fu Min » Sun, 22 Mar 1998 04:00:00

I am using Solaris 2.5 on a Sparc-5, and I have the BSM audit turned on.
The audit function works as the document says until I find the
following:

Telnet sessions that came in through the kerberos telnetd were not audited,
but telnet through the Solaris telnetd is audited. If I run su from a kerberos
telnet shell, the commands issued in the subsequent shell forked from su
do get audited.

I assume that kerberos did not set the audit user id via "setauid()", which
results in this problem. I changed the login.krb5 login program of kerberos
and patched it to call setauid() to set the audit user id to the login user
id before setting the real user id. Yet login sessions through kerberos
telnet are still not audited.

Can anyone enlighten me on this?

Thanks

Fu Ming


How does Solaris BSM audit work?

Post by Casey Schaufler » Tue, 24 Mar 1998 04:00:00

> I am using Solaris 2.5 on a Sparc-5, and I have the BSM audit turned on.
> The audit function works as the document says until I find the
> following:

> Telnet sessions that came in through the kerberos telnetd were not audited,
> but telnet through the Solaris telnetd is audited. If I run su from a kerberos
> telnet shell, the commands issued in the subsequent shell forked from su
> do get audited.

The audit system of SunOS and Solaris depends on the authentication
program (e.g. telnet, su, login) to set the list of events to audit
for the subsequent session.

> I assume that kerberos did not set the audit user id via "setauid()", which
> results in this problem. I changed the login.krb5 login program of kerberos
> and patched it to call setauid() to set the audit user id to the login user
> id before setting the real user id. Yet login sessions through kerberos
> telnet are still not audited.

While setting the auid is necessary, it is not sufficient. I'd think
that the setauid man page would refer you to the function required
(it used to, once upon a time) to set the process audit mask.

--

Casey Schaufler                         voice: (650) 933-1634
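The reply above says that a login program has to hand the kernel the whole set of audit characteristics for the session, not just the auid. The following is an added example (not code from the thread, Kerberos or Sun) of what that looks like: it builds the preselection mask the way the audit_control "flags:" line and the audit_user "always:never" fields combine, then fills an auditinfo_t and passes it to setaudit(2). Assumptions: the field names am_success/am_failure, ai_auid/ai_mask/ai_termid/ai_asid and the setaudit() signature are those of libbsm; the class-name-to-bit table is constructed for the example, and the Solaris headers are only used when compiling on Solaris (elsewhere a stand-in struct lets the mask logic run).

```c
#define _POSIX_C_SOURCE 200809L          /* for strtok_r */
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#ifdef __sun
#include <bsm/audit.h>                   /* real auditinfo_t and setaudit(2) */
#else                                    /* stand-in with the same field names so the logic runs elsewhere */
typedef uint32_t au_id_t; typedef uint32_t au_asid_t;
typedef struct { uint32_t am_success, am_failure; } au_mask_t;
typedef struct { dev_t port; uint32_t machine; } au_tid_t;
typedef struct { au_id_t ai_auid; au_mask_t ai_mask; au_tid_t ai_termid; au_asid_t ai_asid; } auditinfo_t;
#endif
/* Audit classes, constructed for this example; check them against /etc/security/audit_class on the target. */
static const struct { const char *name; uint32_t bit; } classes[] = {
    {"fr", 0x1}, {"fw", 0x2}, {"pc", 0x80}, {"ad", 0x800}, {"lo", 0x1000}, {"all", 0xffffffffu}, {NULL, 0}
};
/* Apply a list such as "lo,+ad,-fw" to a mask: a bare class covers success and failure, '+' only
 * successes, '-' only failures. add!=0 sets bits (flags:/always), add==0 clears them (never). */
static int apply_flags(const char *spec, au_mask_t *m, int add)
{
    char buf[256], *tok, *save;
    strncpy(buf, spec, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        int succ = 1, fail = 1, i;
        if (*tok == '+') { fail = 0; tok++; } else if (*tok == '-') { succ = 0; tok++; }
        for (i = 0; classes[i].name && strcmp(classes[i].name, tok); i++) ;
        if (!classes[i].name) return -1;                    /* unknown class: refuse rather than guess */
        if (succ) m->am_success = add ? m->am_success | classes[i].bit : m->am_success & ~classes[i].bit;
        if (fail) m->am_failure = add ? m->am_failure | classes[i].bit : m->am_failure & ~classes[i].bit;
    }
    return 0;
}
/* Session preselection mask: (system-wide flags + the user's always list) minus the user's never list. */
int user_mask(const char *sysflags, const char *always, const char *never, au_mask_t *m)
{
    m->am_success = m->am_failure = 0;
    return (apply_flags(sysflags, m, 1) || apply_flags(always, m, 1) || apply_flags(never, m, 0)) ? -1 : 0;
}
/* What the login program must do before switching to the user: fill every field and hand the whole
 * structure to setaudit(2). setauid() alone leaves ai_mask empty, so no event is preselected. */
int start_audited_session(au_id_t uid, const au_mask_t *m, uint32_t machine, au_asid_t asid, auditinfo_t *ai)
{
    memset(ai, 0, sizeof *ai);
    ai->ai_auid = uid; ai->ai_mask = *m; ai->ai_termid.machine = machine; ai->ai_asid = asid;
#ifdef __sun
    return setaudit(ai);
#else
    return 0;                            /* off Solaris: only the prepared structure is returned */
#endif
}
```

A quick check after the fact is `auditconfig -getpinfo <pid>` (or getaudit(2) from the shell's own process) on a session started this way: if the mask is still all zeros, the session will generate no records no matter what the auid says.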


BSM, Solaris 8 and auditing changes to /etc/shadow

Platforms:  sun4u, sun4m
OS: Solaris 8 [Solaris 7 and Solaris 9 would be helpful as well]

I have a requirement to check for user password updates (not the
actual passwords, just that a user updated their password).  All
users on these systems have password expiration configured.  Now,
users log in via the console (non-graphical) and fire up their
X server of choice.  I ran into an anomaly where if a user's password
expires and the user is forced to set a new password at login time
(on the console) I cannot see the successful password update in
the audit trail.  I then thought I might be able to track changes
to the file /etc/shadow, but here again I've run into some strange
behaviour...  On sun4u platforms I might be able to track
unlink(2) and link(2), but I was not able to see these on sun4m
machines (I set all flags simply for testing).

Q:  Is there a way to track password updates during the login
process on the console in the audit trail?  If so, how?  I assume
this has to do with pam_unix.so...

Any help appreciated...
