Vulnerability Development mailing list archives
Re: Alternative to historyfile logging.
From: Darren.Moffat () UK SUN COM (Darren Moffat - Solaris Sustaining Engineering)
Date: Tue, 18 Apr 2000 09:49:33 +0100
History files aren't trustworthy, as we all know. Process accounting and logging at the system call level is one way to remedy that, but it's not as "fancy" as having every command line logged, including typos and all.
Solaris has BSM auditing, which can audit every system call that is made. If you want to see what commands a user is running then do the following; this will include "failed" commands, as they still result in an execve() call being made.

Description
-----------

Some sites require as part of their security policy to log all commands run by the super-user (root). To log to the audit trail all of the commands that the root user runs, add the following line to /etc/security/audit_user on each machine:

    root:lo,ex:

If you want to log all commands that all users run rather than listing each user by name, then add `ex` to the flags: line of /etc/security/audit_control.

An example audit record would then be:

    header,103,2,execve(2),,Thu Jun 25 11:39:32 1998, + 52420844 msec
    path,/usr/bin/ls
    attribute,100555,bin,bin,8388608,0,0
    subject,darrenm,root,other,root,other,8722,408,0 0 braveheart
    return,success,0

This shows that the user darrenm ran /usr/bin/ls as root on the host braveheart at the given time.

By default the arguments to commands are not shown in the audit trail; if they are required then add the following line to /etc/security/audit_startup:

    auditconfig -setpolicy +argv

An example record with command arguments is:

    header,139,2,execve(2),,Thu Jun 25 11:44:52 1998, + 371098846 msec
    path,/usr/bin/vi
    attribute,100555,bin,bin,8388608,0,0
    exec_args,2, vi,/etc/security/audit_control
    subject,darrenm,root,other,root,other,8740,408,0 0 braveheart
    return,success,0

This shows the user darrenm (as root) using vi to edit the audit_control file.

If you want the environment as well, add:

    auditconfig -setpolicy -arge

The auditconfig commands take effect immediately but need to be placed in audit_startup so that they are re-applied after a system reboot.

-- 
Darren J Moffat
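The records above are in the text form that praudit prints (one token per line, fields separated by commas). The following is an added example, not part of Darren Moffat's post and not Sun's code: a small Python parser for that token format that pulls out execve events, reports who ran what with which effective uid, and flags any root exec that touches the audit configuration itself. It assumes the token field order visible in the records quoted above (header: event name in the fourth field and timestamp in the sixth; subject: audit-uid, euid, egid, ruid, rgid, pid, sid, terminal id). The first two records in the sample are the ones from the post; the third, a failed execve by an unprivileged user, is constructed here to exercise the failure path.

```python
"""Parse praudit-style Solaris BSM text records and report execve(2) events.

Added illustration; field positions are assumed from the records shown in
the post, not taken from a formal specification.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample trail. Records 1 and 2 are quoted from the post; record 3
# (a failed reboot attempt by user "guest") is made up for this example.
SAMPLE_TRAIL = """\
header,103,2,execve(2),,Thu Jun 25 11:39:32 1998, + 52420844 msec
path,/usr/bin/ls
attribute,100555,bin,bin,8388608,0,0
subject,darrenm,root,other,root,other,8722,408,0 0 braveheart
return,success,0
header,139,2,execve(2),,Thu Jun 25 11:44:52 1998, + 371098846 msec
path,/usr/bin/vi
attribute,100555,bin,bin,8388608,0,0
exec_args,2, vi,/etc/security/audit_control
subject,darrenm,root,other,root,other,8740,408,0 0 braveheart
return,success,0
header,120,2,execve(2),,Thu Jun 25 11:50:03 1998, + 12345678 msec
path,/usr/sbin/reboot
attribute,104555,root,sys,8388608,0,0
exec_args,1, reboot
subject,guest,guest,other,guest,other,8801,410,0 0 braveheart
return,failure: Permission denied,-1
"""


@dataclass
class AuditRecord:
    event: str = ""
    time: str = ""
    path: Optional[str] = None
    args: List[str] = field(default_factory=list)
    audit_user: Optional[str] = None  # login identity, survives su to root
    euid: Optional[str] = None
    ruid: Optional[str] = None
    pid: Optional[int] = None
    host: Optional[str] = None
    status: Optional[str] = None      # "success" or "failure"
    retval: Optional[int] = None


def parse_trail(text: str) -> List[AuditRecord]:
    """Split praudit text output into records; a 'header' token opens each one."""
    records: List[AuditRecord] = []
    cur: Optional[AuditRecord] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields are comma separated; praudit pads some of them with spaces.
        # Arguments containing commas would be split too, a known limit here.
        fields = [f.strip() for f in line.split(",")]
        tok = fields[0]
        if tok == "header":
            cur = AuditRecord(event=fields[3], time=fields[5])
            records.append(cur)
            continue
        if cur is None:
            continue  # token before any header: ignore
        if tok == "path":
            cur.path = fields[1]
        elif tok == "exec_args":
            n = int(fields[1])
            cur.args = fields[2:2 + n]
        elif tok == "subject":
            cur.audit_user, cur.euid, cur.ruid = fields[1], fields[2], fields[4]
            cur.pid = int(fields[6])
            cur.host = fields[8].split()[-1]   # "port machine" -> machine
        elif tok == "return":
            cur.status = fields[1].split(":")[0]
            cur.retval = int(fields[2])
    return records


def root_execs(records: List[AuditRecord]) -> List[AuditRecord]:
    """execve events that ran with effective uid root, successful or not."""
    return [r for r in records if r.event.startswith("execve") and r.euid == "root"]


def audit_config_touches(records: List[AuditRecord]) -> List[AuditRecord]:
    """Root execs whose arguments name a file under /etc/security/audit* :
    someone editing the audit policy is worth alerting on."""
    return [r for r in root_execs(records)
            if any(a.startswith("/etc/security/audit") for a in r.args)]


def describe(r: AuditRecord) -> str:
    cmd = " ".join(r.args) if r.args else (r.path or "?")
    return (f"{r.time} {r.host} {r.audit_user}(euid={r.euid}) "
            f"pid={r.pid} {r.status}: {cmd}")


if __name__ == "__main__":
    for rec in parse_trail(SAMPLE_TRAIL):
        print(describe(rec))
```

Note that the audit-uid (darrenm) is preserved even though the effective uid is root, which is exactly what makes this more useful than a root shell history: the trail records who became root, not just that root ran something. Also, without the +argv policy the exec_args token is absent and only the path token is available, as in the first record.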