information on accounting
Hello,
Thinking of migrating to TS, I have a few questions about accounting on this system.
On Solaris 8, accounting only logs commands, and not their parameters.
For example,
<div class="pre"><pre>
$> rm -rf /
</pre></div>
would only be logged as
<div class="pre"><pre>
rm <login><tty> 0.01 secs Fri Dec 2 15:00
</pre></div>
Is acct on TS 8 more powerful, logging more than just the command name?
Is it the same on TS 10?
Also, I developed kind of a graphical interface over acct, incoming connection daemons, sudo, ... and other security logs.
Is there the same kind of graphical interface in TS, or do we only have the logs as unbearable text files?
And if the answer is yes, could you tell me what kind of security tools it is capable of managing?
Of course, if you don't have the direct answer to my questions, but have links that may be answering them, I'll be very glad!
Thanks in advance,
Fabrice
[1101 byte] By [fabrice] at [2007-11-25 23:04:34]

# 3
<table border="0" align="center" width="90%" cellpadding="3" cellspacing="1"><tr><td class="SmallText"><b>Jason Bufford wrote on Sun, 04 December 2005 08:31</b></td></tr><tr><td class="quote">
If you are talking about the audit logs, you can add argv to one of the audit config files (audit_startup I believe - I'm not at my TSOL box right now) and that will show the command line arguments (like the "-rf /" in your example) in the audit logs.
</td></tr></table>
Hello,
Do you know if this possibility is also available in vanilla Solaris? If yes, could you give me some clues about the files to be modified to add argv to acct (you talked about "audit_startup", but I could not find what to do with that).
Thanks in advance,
Fabrice
# 4
I believe it may be available in vanilla Solaris with BSM installed and configured.
In TSOL, the file is /etc/security/audit_startup
and you will want to change the line that looks like this:
<div class="pre"><pre>
/usr/sbin/auditconfig -setpolicy +slabel
</pre></div>
to this:
<div class="pre"><pre>
/usr/sbin/auditconfig -setpolicy +slabel,argv
</pre></div>
Reboot and your new audit logs should now include the arguments (like "-rf /") in them.
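As an added example that is not part of this thread or of Solaris itself: a small POSIX shell script that inspects a copy of an audit_startup-style file, reports whether the argv policy is already on the auditconfig -setpolicy line, and prints what the corrected line should look like. The file name and its contents below are constructed for the demonstration; it is meant to be run against a copy of /etc/security/audit_startup, not the live file, so an auditor can confirm the setting before and after the reboot mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread): check an audit_startup-style file for the
# "argv" audit policy and show the corrected -setpolicy line.  Uses only POSIX
# sh, grep and sed, so it can run on a copied file anywhere.

# _setpolicy_line FILE: print the first auditconfig -setpolicy line, if any.
_setpolicy_line() {
    grep -E '^[[:space:]]*/usr/sbin/auditconfig[[:space:]]+-setpolicy[[:space:]]+\+' "$1" | head -n 1
}

# _policies LINE: print the comma-separated policy list after "-setpolicy +",
# with whitespace removed so "slabel,argv " compares cleanly.
_policies() {
    printf '%s' "$1" | sed 's/.*-setpolicy[[:space:]]*+//' | tr -d '[:space:]'
}

# audit_argv_status FILE
#   prints "present"  (exit 0) when argv is already in the policy list,
#   prints "missing"  (exit 1) when a -setpolicy line exists without argv,
#   prints "nopolicy" (exit 2) when no -setpolicy line is found at all.
audit_argv_status() {
    line=$(_setpolicy_line "$1")
    if [ -z "$line" ]; then
        echo "nopolicy"
        return 2
    fi
    case ",$(_policies "$line")," in
        *,argv,*) echo "present"; return 0 ;;
        *)        echo "missing"; return 1 ;;
    esac
}

# audit_argv_fixed_line FILE
#   prints the -setpolicy line with ",argv" appended when it is missing, or the
#   line unchanged when argv is already present; exit 2 when there is no line.
audit_argv_fixed_line() {
    line=$(_setpolicy_line "$1")
    [ -n "$line" ] || return 2
    case ",$(_policies "$line")," in
        *,argv,*) printf '%s\n' "$line" ;;
        *)        printf '%s,argv\n' "$line" ;;
    esac
}

# Demonstration on a constructed copy of the file (not a real audit_startup).
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' '# constructed sample, not a real /etc/security/audit_startup' \
                  '/usr/sbin/auditconfig -setpolicy +slabel' > "$sample"
    status=$(audit_argv_status "$sample") || true
    echo "argv policy: $status"
    echo "corrected line: $(audit_argv_fixed_line "$sample")"
    rm -f "$sample"
}
demo
```

The status function is deliberately read-only: it reports and proposes the line but never edits the file, so the change to audit_startup stays a deliberate, reviewed step. Note that audit_startup only takes effect at boot; to see the policy currently active on a running system you would query auditconfig directly rather than read the file.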