Audit (Solaris) - something you have, something you do not know - part 1

The audit subsystem in Solaris is very powerful and can give you a lot of information. In this first article I will show, by example, how to use audit to monitor the actions of a single user.
1. Check the user I want to monitor
# id test1
uid=200(test1) gid=1(other)


2. And the actions I want to record
# cat /etc/security/audit_class
#
.....
# File Format:
#
#       mask:name:description
#
0x00000000:no:invalid class
...
0xffffffff:all:all classes (meta-class)


Of course, the real file contains many more classes, and you can choose to monitor and audit only some of them; for this example I will monitor all of them (the all meta-class).
3. Set user and classes
# cat /etc/security/audit_user
#
...
#       username:always:never
#
root:lo:no
test1:all:no


So here test1 is audited for every class (always = all) with nothing excluded (never = no), while root is audited only for login and logout events (the lo class).
4. Run bsmconv, because this is the first time audit is enabled on this system
# /etc/security/bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? [y/n] y
bsmconv: INFO: checking startup file.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation.

The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.


5. And reboot
# init 6
updating /platform/i86pc/boot_archive

6. Log in as test1, do some actions, and exit
login as: test1
Password:
Last login: Sun Sep 26 10:13:00 2010 from 10.1.0.1
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
$ pwd
/export/home/test1
$ ls
$ df -k .
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c1t0d0s7     248647    1042  222741     1%    /export/home
$ /usr/sbin/mkfile 10m aa
$ ls -l
total 20496
-rw-------   1 test1    other    10485760 Sep 26 10:13 aa
$ exit


7. Check the audit file(s)
# cd /var/audit
# ls -l
total 128
-rw-------   1 root     root       64370 Sep 26 10:16 20100926081119.20100926081640.sol01

8. Browse the content of this audit file
# praudit 20100926081119.20100926081640.sol01
...
header,134,2,execve(2),,sol01,2010-09-26 10:13:35.371 +02:00
path,/usr/sbin/mkfile
attribute,100555,root,bin,3,853,0
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,success,0
header,102,2,open(2) - read,fe,sol01,2010-09-26 10:13:35.371 +02:00
path,/var/ld/ld.config
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,failure: No such file or directory,-1
header,114,2,munmap(2),,sol01,2010-09-26 10:13:35.371 +02:00
argument,1,0xfef8e000,addr
argument,2,0x10000,len
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,success,0
header,168,2,memcntl(2),,sol01,2010-09-26 10:13:35.371 +02:00
argument,1,0xfee80000,base
argument,2,0x1e4b0,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,success,0
header,114,2,munmap(2),,sol01,2010-09-26 10:13:35.372 +02:00
argument,1,0xfefb0000,addr
argument,2,0x8000,len
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,success,0
header,139,2,open(2) - read,write,creat,trunc,,sol01,2010-09-26 10:13:35.386 +02:00
path,/export/home/test1/aa
attribute,100600,test1,other,7,5,0
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,success,3
header,150,2,close(2),,sol01,2010-09-26 10:13:35.429 +02:00
argument,1,0x3,fd
path,/export/home/test1/aa
attribute,100600,test1,other,7,5,0
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,success,0
...


As you can clearly see here, the command mkfile was executed and a file named aa was created in the home directory of the user. The subject token lists, in order, the audit ID, the effective uid and gid, the real uid and gid, the pid, the session ID and the terminal ID; the audit ID is fixed at login and does not change after su, which is what ties every record in this trail to test1. Of course in the above example I use only a few of the features of the Solaris audit subsystem; in the next article I will try to present the options in more depth.
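The praudit listing above is long because every system call of the session is recorded. The script below is an added example, not part of the original post, that reduces a praudit text trail to the question an investigator usually asks first: which programs did this login execute, as which uid, and did the exec succeed. It assumes praudit's default comma-separated text output with the token layout visible above (header, path, subject, return) and filters on the audit ID, the first field of the subject token, so that commands run after su to root are still attributed to test1. The sample trail is embedded so the script runs offline: the first two records are copied from the listing above, the remaining three are constructed (a failed exec, an exec after su, and an exec by a different login).

```shell
#!/bin/sh
# Added example (not from the original post): summarise execve(2) records
# from praudit text output by audit ID.
# Token layout assumed from the praudit listing on this page:
#   header,<len>,<ver>,<event>,<modifier>,<host>,<timestamp>
#   path,<pathname>
#   subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<terminal>
#   return,<status>,<value>
# The audit ID is set at login and survives su, so we filter on it rather
# than on the effective uid.

# exec_summary [AUDIT_ID]: read praudit text on stdin and print one line per
# execve(2) record; with an argument, only records whose audit ID matches.
exec_summary() {
    awk -F, -v want="${1:-}" '
        $1 == "header"  { ev = $4; ts = $NF; path = "(none)"; auid = ""; uid = ""; pid = ""; next }
        $1 == "path"    { if (path == "(none)") path = $2; next }
        $1 == "subject" { auid = $2; uid = $3; pid = $7; next }
        $1 == "return"  {
            # A record ends at its return token; emit it if it is an exec
            # and (when a filter is given) the audit ID matches.
            if (ev == "execve(2)" && (want == "" || auid == want))
                printf "%s auid=%s uid=%s pid=%s %s %s\n", ts, auid, uid, pid, path, $2
        }'
}

# sample_trail: constructed input so the example runs without a Solaris box.
# Records 1-2 are copied from the praudit output above; records 3-5 are
# made up: a failed exec, an exec after su to root (audit ID still test1),
# and an exec by a different login (audit ID root).
sample_trail() {
    cat <<'EOF'
header,134,2,execve(2),,sol01,2010-09-26 10:13:35.371 +02:00
path,/usr/sbin/mkfile
attribute,100555,root,bin,3,853,0
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,success,0
header,102,2,open(2) - read,fe,sol01,2010-09-26 10:13:35.371 +02:00
path,/var/ld/ld.config
subject,test1,test1,other,test1,other,704,3761557250,9027 71168 10.1.0.1
return,failure: No such file or directory,-1
header,120,2,execve(2),,sol01,2010-09-26 10:14:02.100 +02:00
path,/export/home/test1/notthere
subject,test1,test1,other,test1,other,705,3761557250,9027 71168 10.1.0.1
return,failure: No such file or directory,-1
header,128,2,execve(2),,sol01,2010-09-26 10:15:10.500 +02:00
path,/usr/bin/cat
attribute,100555,root,bin,3,412,0
subject,test1,root,root,root,root,710,3761557250,9027 71168 10.1.0.1
return,success,0
header,128,2,execve(2),,sol01,2010-09-26 10:16:00.000 +02:00
path,/usr/bin/ls
attribute,100555,root,bin,3,410,0
subject,root,root,root,root,root,720,3761557300,9028 71168 10.1.0.1
return,success,0
EOF
}

# Stand-alone run: everything the test1 login executed, whatever uid it ran as.
sample_trail | exec_summary test1
```

On a real system replace sample_trail with `praudit /var/audit/<file> | exec_summary test1`. Note that the open(2) record is dropped (it is not an exec) and that the /usr/bin/cat line is reported under auid=test1 even though the effective uid is root; filtering on the uid column instead would lose it.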
