Vulnerability Development mailing list archives

Re: Alternative to historyfile logging.


From: Darren.Moffat () UK SUN COM (Darren Moffat - Solaris Sustaining Engineering)
Date: Tue, 18 Apr 2000 09:49:33 +0100


History files aren't trustworthy, as we all know. Process accounting and
logging on the system call level is one way to remedy that, but it's not
as "fancy" as having every command line logged, including typos and all.

Solaris has BSM auditing which can audit every system call that is made.
If you want to see what commands a user is running then do the following;
this will include "failed" commands as they still result in an execve()
call being made.

Description
-----------
Some sites require as part of their security policy to log all
commands run by the super-user (root).

To log to the audit trail all of the commands that the root user runs
add the following line to /etc/security/audit_user on each machine:

        root:lo,ex:

If you want to log all commands that all users run rather than listing
each user by name then add `ex` to the flags: line of
/etc/security/audit_control.

An example audit record would then be:

        header,103,2,execve(2),,Thu Jun 25 11:39:32 1998, + 52420844 msec
        path,/usr/bin/ls
        attribute,100555,bin,bin,8388608,0,0
        subject,darrenm,root,other,root,other,8722,408,0 0 braveheart
        return,success,0

This shows that the user darrenm ran /usr/bin/ls as root on the
host braveheart at the given time.

By default the arguments to commands are not shown in the audit
trail; if they are required then add the following line to
/etc/security/audit_startup:

        auditconfig -setpolicy +argv

An example record with command arguments is:

        header,139,2,execve(2),,Thu Jun 25 11:44:52 1998, + 371098846 msec
        path,/usr/bin/vi
        attribute,100555,bin,bin,8388608,0,0
        exec_args,2,
        vi,/etc/security/audit_control
        subject,darrenm,root,other,root,other,8740,408,0 0 braveheart
        return,success,0

This shows the user darrenm (as root) using vi to edit the audit_control file.

If you want the environment as well add:

        auditconfig -setpolicy +arge

The auditconfig commands take effect immediately but need to
be placed in audit_startup so that they are re-applied after a
system reboot.


--
Darren J Moffat
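As an added example (not part of the original post), the following Python parses praudit-style text records of the form quoted above into structured fields and flags execve records where a non-root audit user ran a command as root. The sample input is constructed from the two records in the post; the subject-token field order (audit user, euid, egid, ruid, rgid, pid, sid, terminal id) is assumed from the Solaris audit.log format, and exec_args values are assumed not to contain commas.

```python
# Constructed sample: the two praudit records quoted in the post, concatenated.
SAMPLE = """\
header,103,2,execve(2),,Thu Jun 25 11:39:32 1998, + 52420844 msec
path,/usr/bin/ls
attribute,100555,bin,bin,8388608,0,0
subject,darrenm,root,other,root,other,8722,408,0 0 braveheart
return,success,0
header,139,2,execve(2),,Thu Jun 25 11:44:52 1998, + 371098846 msec
path,/usr/bin/vi
attribute,100555,bin,bin,8388608,0,0
exec_args,2,
vi,/etc/security/audit_control
subject,darrenm,root,other,root,other,8740,408,0 0 braveheart
return,success,0
"""

def parse_records(text):
    """Split praudit text output into one dict per header token."""
    records, rec = [], None
    lines = iter(text.splitlines())
    for line in lines:
        tok, _, rest = line.partition(",")
        fields = rest.split(",")
        if tok == "header":
            rec = {"event": fields[2], "time": fields[4].strip()}
            records.append(rec)
        elif rec is None:
            continue  # ignore tokens that precede the first header
        elif tok == "path":
            rec["path"] = rest
        elif tok == "exec_args":
            # praudit prints the argv count, then the argv strings on the next line
            n = int(fields[0])
            rec["argv"] = next(lines).split(",", n - 1)
        elif tok == "subject":
            # assumed layout: audit user, euid, egid, ruid, rgid, pid, sid, tid
            rec.update(audit_user=fields[0], euid=fields[1], ruid=fields[3],
                       pid=int(fields[5]), host=fields[7].split()[-1])
        elif tok == "return":
            rec["status"] = fields[0]
    return records

def root_commands_by_other_users(records):
    """(audit user, host, argv-or-path) for execve records run as root by a non-root audit user."""
    return [(r["audit_user"], r["host"], r.get("argv", [r.get("path")]))
            for r in records
            if r["event"] == "execve(2)" and r["euid"] == "root"
            and r["audit_user"] != "root"]
```

Without the +argv policy the second record would carry no exec_args token, and the report falls back to the path token alone.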


