Firewall Wizards mailing list archives
RE: what to turn on for solaris auditing
From: SimonChan () lifeisgreat com sg
Date: Thu, 17 Apr 2003 10:40:32 +0800
Hi Rip, is there some sort of standard (e.g. ISO/BS) that I can translate into a BSM equivalent? E.g. we must turn on logging for all commands executed by root. In a crunch, I'm interested to find out what flags to set in audit_control and audit_user (root). CIS/SANS have some recommendations for it. But is there an equivalent for ISO, e.g. we must audit file modification?

-----------------------------------------------------------------------------
"My statements in this message are personal opinions which may have no basis whatsoever in fact."

"Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Sent by: firewall-wizards-admin () honor icsalabs com
04/17/2003 06:05 AM
To: firewall-wizards () honor icsalabs com
cc:
Subject: RE: [fw-wiz] what to turn on for solaris auditing
Part of OS hardening is the enabling of audit for Solaris. We have already run ASET and installed JASS, but have yet to identify what information to turn audit on for.
Hmm. The best pointer I have other than RTFM (specifically "man bsmconv" and "man audit_control", or search for audit_control on docs.sun.com) is http://www.securityfocus.com/infocus/1362 which was written by Darren Moffat of Sun. It's not a cookbook as you seem to be looking for, but it may help with some of the principles.
Is there any kind of checklist, perhaps based on BS7799 or best practices?
"Best Practice" in this case would need to take into account the very large trade-off between "log it all so it's available later" and "the more logging, the more it affects system performance and chews up disk space". There is no one perfect answer that will work on every system in every environment. The configuration that works for you should implement your security policy and be requirements-based, as opposed to "hmm...this seems reasonable". Since you're asking about BS7799/ISO 17799, I'm going to ass-u-me that you do in fact have a policy. In that case, you need to go in and decide which granular events you need to audit in order to have accountability/traceability for the actions that will let you enforce your existing policy. Easier said than done...

The file you're probably most concerned with is /etc/security/audit_control. Here's a config that seems to be a good compromise and implements the requirements for one particular server farm of which I'm aware:

=-=-=-=
# Minimal Auditing:
#flags:lo,ad,na,-nt
#
# Normal Auditing:
flags:-fr,-fw,-fa,-fc,-ot,-cl,fd,fm,lo,pc,nt,ad,ap,na
#
# Flags that are not audited at all above: io,ip,no,ex (ex is a
# subset of pc, so it's already covered)
#
# Audit non-attributable events:
naflags:lo,ad,nt,na
#
# audit_warn activates if less than 10% available on partition
minfree:10
dir:/u1/security/audit/myhost/files
#
# Second audit filesystem used when the first partition fills up
dir:/u2/security/audit/myhost/files
=-=-=-=

Note that there are some things in the above file that might actually produce no logging--it's not obvious to me that logging events of class "na" is really a useful selector. However, it should ideally ensure that all the required events for this system are caught by default. (In fact, so much is logged on the server in question that it might almost be easier to turn on auditing of "-all".)
If you want to audit some users (or a class of users) differently than others, then you'll need to also consider audit_user. Then there are the other files, and worrying about device allocation, and making audit_warn useful, and actually doing the audit reduction on the resulting data...

If there's one recommendation I have, it's that you set up a test server with your desired auditing configuration, and then put it under some load--or roll out your desired auditing configuration on one of a cluster of servers with good monitoring. A poorly chosen auditing configuration can have a major impact on system performance without really enhancing system security.

Good luck and hope this helps--

--
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security | http://www.brainbench.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
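Simon's question is how to get from a policy statement ("we must audit file modification") to the right audit_control flags, and Rip's answer is that the flags must be checked against written requirements rather than guessed. The script below, an added example that is not part of the thread and not Rip's or Sun's code, does that check mechanically: it parses an audit_control file (a constructed copy of the one Rip posted), expands the flags with their success/failure prefixes, and reports which of a small constructed requirement list the configuration actually satisfies. The class abbreviations (lo, fw, fd, pc, ad, na) and the prefix semantics ("+" success only, "-" failure only, no prefix both, "^" to remove an earlier selection) are assumed from audit_class(4) and audit_control(4); the REQUIREMENTS mapping is illustrative, not a standard.

```python
"""Check a Solaris BSM audit_control file against a requirements list.

Added example for the firewall-wizards thread; not code from the thread.
Class names and flag prefix semantics are assumed from audit_class(4) and
audit_control(4). The requirements mapping is constructed for illustration.
"""
import re

# Constructed copy of the audit_control file quoted in the thread.
SAMPLE_AUDIT_CONTROL = """\
# Normal Auditing:
flags:-fr,-fw,-fa,-fc,-ot,-cl,fd,fm,lo,pc,nt,ad,ap,na
#
# Audit non-attributable events:
naflags:lo,ad,nt,na
#
# audit_warn activates if less than 10% available on partition
minfree:10
dir:/u1/security/audit/myhost/files
dir:/u2/security/audit/myhost/files
"""

# Constructed policy-to-class mapping: requirement -> (class, outcomes needed).
REQUIREMENTS = {
    "logins/logouts, success and failure": ("lo", {"success", "failure"}),
    "file writes, success and failure": ("fw", {"success", "failure"}),
    "file deletion": ("fd", {"success", "failure"}),
    "process exec (ex is a subset of pc)": ("pc", {"success", "failure"}),
    "administrative actions": ("ad", {"success", "failure"}),
}

TOKEN = re.compile(r"(\^?)([+-]?)([a-z]+)")
OUTCOMES = {"+": {"success"}, "-": {"failure"}, "": {"success", "failure"}}


def parse_flags(value):
    """Expand 'flags:' / 'naflags:' into {class: set of audited outcomes}.
    '+cls' = success only, '-cls' = failure only, 'cls' = both;
    a leading '^' removes the named outcomes from an earlier selection."""
    selected = {}
    for tok in (t.strip() for t in value.split(",")):
        if not tok:
            continue
        m = TOKEN.fullmatch(tok)
        if not m:
            raise ValueError(f"bad flag token: {tok!r}")
        negate, sign, cls = m.groups()
        current = selected.setdefault(cls, set())
        if negate:
            current -= OUTCOMES[sign]
            if not current:
                del selected[cls]
        else:
            current |= OUTCOMES[sign]
    return selected


def parse_audit_control(text):
    """Parse the keyword:value lines of audit_control; comments are skipped."""
    conf = {"flags": {}, "naflags": {}, "minfree": None, "dirs": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("flags", "naflags"):
            conf[key] = parse_flags(value)
        elif key == "minfree":
            conf["minfree"] = int(value)
        elif key == "dir":
            conf["dirs"].append(value)
        else:
            raise ValueError(f"unknown audit_control keyword: {key!r}")
    return conf


def check_requirements(conf, requirements=REQUIREMENTS):
    """Return {requirement: satisfied?} for the attributable 'flags:' mask.
    'all' in flags covers every class for the outcomes it selects."""
    flags = conf["flags"]
    result = {}
    for desc, (cls, needed) in requirements.items():
        have = flags.get(cls, set()) | flags.get("all", set())
        result[desc] = needed <= have
    return result


def config_warnings(conf):
    """Operational caveats drawn from the thread's advice."""
    warns = []
    if "na" in conf["flags"]:
        warns.append("'na' in flags: non-attributable events are selected by "
                     "naflags, so this selector may log nothing")
    if conf["minfree"] is None:
        warns.append("no minfree: audit_warn has no low-space trigger")
    if len(conf["dirs"]) < 2:
        warns.append("single dir: no overflow partition when the first fills")
    return warns


if __name__ == "__main__":
    cfg = parse_audit_control(SAMPLE_AUDIT_CONTROL)
    for desc, ok in check_requirements(cfg).items():
        print(f"[{'OK ' if ok else 'GAP'}] {desc}")
    for w in config_warnings(cfg):
        print(f"[WARN] {w}")
```

Run against Rip's file, the script reports the policy gap a reviewer would want to see: "fw" is listed as "-fw", so only failed writes are audited, and a requirement for auditing all file writes is not met even though "fm" (attribute modification) and "fd" (deletion) are. It also repeats Rip's own caveat about "na" in the attributable flags line. Extending REQUIREMENTS with your policy's classes is the whole point; the parser and checker do not change.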
Current thread:
- what to turn on for solaris auditing SimonChan (Apr 10)
- <Possible follow-ups>
- RE: what to turn on for solaris auditing Loomis, Rip (Apr 16)
- RE: what to turn on for solaris auditing SimonChan (Apr 17)