Firewall Wizards mailing list archives

RE: what to turn on for solaris auditing


From: SimonChan () lifeisgreat com sg
Date: Thu, 17 Apr 2003 10:40:32 +0800


Hi Rip,

Is there some sort of standard (e.g. ISO/BS) that I can translate into a
BSM equivalent?
e.g. we must turn on logging for all commands executed by root.

In a crunch, I'm interested to find out what flags to set in audit_control
and audit_user (root).
CIS/SANS have some recommendations for it. But is there an equivalent for ISO,
e.g. we must audit file modification?


-----------------------------------------------------------------------------

"My statements in this message are personal opinions
which may have no basis whatsoever in fact."



"Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Sent by: firewall-wizards-admin () honor icsalabs com
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] what to turn on for solaris auditing
04/17/2003 06:05 AM

Part of OS hardening is the enabling of audit for Solaris. We
have already run ASET and installed JASS.
But we have yet to identify what information to turn audit on for.

Hmm.  The best pointer I have other than RTFM (specifically
"man bsmconv" and "man audit_control", or search for audit_control
on docs.sun.com) is
  http://www.securityfocus.com/infocus/1362
which was written by Darren Moffat of Sun.  It's not a cookbook
as you seem to be looking for, but it may help with some of
the principles.

Is there any kind of check list, perhaps based on BS7799 or
best practices?

"Best Practice" in this case would need to take into account the
very large trade-off between "log it all so it's available later"
and "the more logging, the more it affects system performance and
chews up disk space".  There is no one perfect answer that will
work on every system in every environment.  The configuration
that works for you should implement your security policy and
be requirements-based, as opposed to "hmm...this seems reasonable".
Since you're asking about BS7799/ISO 17799, I'm going to ass-u-me
that you do in fact have a policy.  In that case, you need to
go in and decide which granular events you need to audit in order
to have accountability/traceability for the actions that will
let you enforce your existing policy.  Easier said than done...

The file you're probably most concerned with is
/etc/security/audit_control.  Here's a config that seems to be
a good compromise and implements the requirements for one particular
server farm of which I'm aware:
=-=-=-=
# Minimal Auditing:
#flags:lo,ad,na,-nt
#
# Normal Auditing:
flags:-fr,-fw,-fa,-fc,-ot,-cl,fd,fm,lo,pc,nt,ad,ap,na
#
# Flags that are not audited at all above:  io,ip,no,ex (ex is a
#       subset of pc, so it's already covered)
#
# Audit non-attributable events:
naflags:lo,ad,nt,na
#
# audit_warn activates if less than 10% available on partition
minfree:10
dir:/u1/security/audit/myhost/files
#
# Second audit filesystem used when the first partition fills up
dir:/u2/security/audit/myhost/files
=-=-=-=
Note that there are some things in the above file that might
actually produce no logging--it's not obvious to me that logging
events of class "na" is really a useful selector.  However, it
should ideally ensure that all the required events for this system
are caught by default.  (In fact, so much is logged on the
server in question that it might almost be easier to turn on
auditing of "-all").

If you want to audit some users (or a class of users) differently
than others, then you'll need to also consider audit_user.  Then
there are the other files, and worrying about device allocation,
and making audit_warn useful, and actually doing the audit
reduction on the resulting data...

If there's one recommendation I have, it's that you set up a
test server with your desired auditing configuration, and then
put it under some load--or roll out your desired auditing configuration
on one of a cluster of servers with good monitoring.  A poorly
chosen auditing configuration can have a major impact on system
performance without really enhancing system security.

Good luck and hope this helps--
--
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security  |  http://www.brainbench.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
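The thread leaves the reader to work out by hand which BSM classes a flags line actually selects, and whether the comment "io,ip,no,ex are not audited" still matches the file after it has been edited. As an added example (not code from the thread, from Rip, or from Sun), here is a small Python checker that parses audit_control in the keyword:value format shown above, expands the +/-/^ prefixes, and reports which classes are audited for success, failure, both, or not at all, along with the dir/minfree sanity points Rip raises. The class list is assumed to be the standard audit_class(4) set shipped with Solaris 8/9; the embedded sample is the config from the message.

```python
"""Audit-class coverage checker for a Solaris BSM audit_control file.
Added example, not from the thread or from Sun: parses audit_control(4)
lines and reports what the flags line does and does not select."""

# Standard BSM class mnemonics from audit_class(4) on Solaris 8/9.
# Assumption: a site may define extra classes; unknown names are listed
# under "unknown" rather than rejected.  "all" is a meta-class.
KNOWN_CLASSES = {
    "no", "fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
    "na", "ad", "lo", "ap", "io", "ex", "ot", "all",
}

# The audit_control posted in the thread, embedded so the script runs offline.
SAMPLE_AUDIT_CONTROL = """\
# Normal Auditing:
flags:-fr,-fw,-fa,-fc,-ot,-cl,fd,fm,lo,pc,nt,ad,ap,na
naflags:lo,ad,nt,na
minfree:10
dir:/u1/security/audit/myhost/files
dir:/u2/security/audit/myhost/files
"""

BOTH = frozenset({"success", "failure"})


def parse_flag_spec(spec):
    """Expand 'lo,-fr,+fw,^-fr' into {class: set of outcomes}.
    cls = success and failure, +cls = success only, -cls = failure only,
    a leading ^ removes the selection that follows (audit_user(4) style)."""
    selected = {}
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        remove = tok.startswith("^")
        if remove:
            tok = tok[1:]
        if tok.startswith("+"):
            outcomes, cls = {"success"}, tok[1:]
        elif tok.startswith("-"):
            outcomes, cls = {"failure"}, tok[1:]
        else:
            outcomes, cls = set(BOTH), tok
        if not cls:
            raise ValueError("empty class name in %r" % spec)
        current = selected.setdefault(cls, set())
        if remove:
            current.difference_update(outcomes)
        else:
            current.update(outcomes)
    # drop classes whose every outcome was removed again
    return {c: o for c, o in selected.items() if o}


def parse_audit_control(text):
    """Return {'flags', 'naflags', 'minfree', 'dirs'} parsed from file text."""
    cfg = {"flags": {}, "naflags": {}, "minfree": None, "dirs": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comment lines start with '#'
            continue
        if ":" not in line:
            raise ValueError("line %d: expected keyword:value" % lineno)
        key, value = (s.strip() for s in line.split(":", 1))
        if key in ("flags", "naflags"):
            cfg[key] = parse_flag_spec(value)
        elif key == "minfree":
            pct = int(value)
            if not 0 <= pct <= 100:
                raise ValueError("line %d: minfree must be 0-100" % lineno)
            cfg["minfree"] = pct
        elif key == "dir":
            cfg["dirs"].append(value)
        else:
            raise ValueError("line %d: unknown keyword %r" % (lineno, key))
    return cfg


def coverage_report(cfg):
    """Group selected classes by outcome and list what is not audited."""
    flags = cfg["flags"]
    report = {
        "both": sorted(c for c, o in flags.items() if o == BOTH),
        "success_only": sorted(c for c, o in flags.items() if o == {"success"}),
        "failure_only": sorted(c for c, o in flags.items() if o == {"failure"}),
        "unknown": sorted(set(flags) - KNOWN_CLASSES),
        "unselected": [] if "all" in flags
        else sorted(KNOWN_CLASSES - {"all"} - set(flags)),
        "warnings": [],
    }
    warn = report["warnings"].append
    if not cfg["dirs"]:
        warn("no dir: entry; auditd has nowhere to write")
    elif len(cfg["dirs"]) == 1:
        warn("single audit directory; nothing to fall over to when it fills")
    if cfg["minfree"] is None:
        warn("minfree not set; audit_warn will not fire on low space")
    if "na" in flags:
        warn("na in flags: non-attributable events are selected by naflags")
    return report


if __name__ == "__main__":
    rep = coverage_report(parse_audit_control(SAMPLE_AUDIT_CONTROL))
    for key, val in rep.items():
        print("%-13s %s" % (key + ":", ", ".join(val) if val else "-"))
```

Run against the sample, the "unselected" list comes out as ex, io, ip, no, which is exactly the set the comment in the posted file claims is not audited; re-running the checker after every edit to flags keeps that comment honest. Point it at a real /etc/security/audit_control by reading the file and passing its text to parse_audit_control.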