Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."


20040831 Tuesday August 31, 2004
Sorting the audit trail by sessions
Permalink | Comments [2] | 2004-08-31 13:50

I created a new plugin for the Audit Viewer which sorts the audit trail into users and their sessions. This will help you dig through the data and follow a single user session much more easily than you can by looking at the chronological view.

Here is a new snapshot of the "session view":

One thing that doesn't show in the image is the tooltips[1], which give you additional information. In this case the session folders show the timestamps of the first and last audit record in that session, while the individual audit records show the timestamp of that record.


[1] tooltip, a.k.a. balloon help. Text that shows up under the cursor when you position it over something.

   
 
   
20040830 Monday August 30, 2004
AuditViewer
Permalink | Comments [1] | 2004-08-30 13:22

I spent the weekend rewriting the AuditViewer so I won't have to be ashamed of it if I release it.

The basic mode of operation is to load an XML file (from "praudit -x"), and then scroll through the list of chronological audit records. Click on any record to get a detailed view of all the audit tokens of that record.

There is still a lot to be done. The chronological list needs to be filled with better information, the search function needs to be implemented, and tooltips have to be added to describe the different fields.

If you have strong opinions on what should be shown, feel free to speak up!

Here is an image, so you can get a feel for how it will look:

A few more days and I should have the basic things straightened out...

   
 
   
20040827 Friday August 27, 2004
XML audit trail
Permalink | | 2004-08-27 00:05

The possibility to dump the audit trail in XML seemed new to a lot of people, so I thought that I'd include an example of it too.

Here is an audit record from a failed file read ("-fr" for those of you who know the audit classes and flag syntax). The XML output is actually a lot easier to read when you don't know the audit tokens by heart.

<record version="2" event="open(2) - read" modifier="fe" host="airlock"
  iso8601="2004-08-27 07:36:40.199 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758"
  device="0"/>
<subject audit-uid="martin" uid="local" gid="local" ruid="local" rgid="local"
  pid="28164" sid="9004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="failed use of priv">file_dac_read</use_of_privilege>
<return errval="failure: Permission denied" retval="-1"/>
</record>

And it gets even better. If you dump the audit trail to XML, you can open it in your preferred XML-enabled browser, Firefox in my case, and get an almost comprehensible output.

An interesting thing to note: there is a new audit token, called "use of privilege", which tells you that this operation (file open) failed due to lack of the privilege file_dac_read. That is, the file wasn't readable by the user "local", but had he held the file_dac_read privilege, he would have been allowed to override the permissions.

Here is a rerun of the command, but after granting the "local" user the file_dac_read privilege:

<record version="2" event="open(2) - read" modifier="" host="airlock"
  iso8601="2004-08-27 07:56:02.858 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758"
  device="0"/>
<subject audit-uid="me23304" uid="local" gid="local" ruid="local" rgid="local"
  pid="28190" sid="3311039004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="successful use of priv">file_dac_read</use_of_privilege>
<return errval="success" retval="3"/>
</record>

And as you can see, the open(2) now succeeds, even though the file permission of /etc/shadow is 600 (rw-------).

If you want to read more about Solaris privileges, I recommend that you take a look at Casper Dik's blog.
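As an added example (not the Java Audit Viewer the blog describes), here is a Python script that parses praudit -x output like the records above into the session view of the August 31 post: records grouped by audit-uid and session id, each session carrying the timestamps of its first and last record, plus a filter for failed privilege use. The sample input is the two records above wrapped in a constructed <audit> root element; the function and dictionary key names are my own.

```python
"""Session view over praudit -x XML output.

Added example, not the blog's Java Audit Viewer. It assumes the XML shape
shown on the page: one <record> per event with an iso8601 attribute, a
<subject> element carrying audit-uid and sid, an optional <path>, an
optional <use_of_privilege> element and a <return> element.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two records from the post, wrapped in an <audit>
# root element so that the fragment is a well-formed document.
SAMPLE_XML = """<audit>
<record version="2" event="open(2) - read" modifier="fe" host="airlock"
  iso8601="2004-08-27 07:36:40.199 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758"
  device="0"/>
<subject audit-uid="martin" uid="local" gid="local" ruid="local" rgid="local"
  pid="28164" sid="9004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="failed use of priv">file_dac_read</use_of_privilege>
<return errval="failure: Permission denied" retval="-1"/>
</record>
<record version="2" event="open(2) - read" modifier="" host="airlock"
  iso8601="2004-08-27 07:56:02.858 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758"
  device="0"/>
<subject audit-uid="me23304" uid="local" gid="local" ruid="local" rgid="local"
  pid="28190" sid="3311039004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="successful use of priv">file_dac_read</use_of_privilege>
<return errval="success" retval="3"/>
</record>
</audit>
"""


def parse_timestamp(text):
    """praudit's iso8601 attribute looks like '2004-08-27 07:36:40.199 +02:00'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f %z")


def parse_records(xml_text):
    """Flatten each <record> into a dict of the fields a viewer would show."""
    records = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subject = rec.find("subject")
        path = rec.find("path")
        priv = rec.find("use_of_privilege")
        ret = rec.find("return")
        records.append({
            "time": parse_timestamp(rec.get("iso8601")),
            "event": rec.get("event"),
            "host": rec.get("host"),
            "audit_uid": subject.get("audit-uid") if subject is not None else None,
            "sid": subject.get("sid") if subject is not None else None,
            "euid": subject.get("uid") if subject is not None else None,
            "path": path.text if path is not None else None,
            "privilege": priv.text if priv is not None else None,
            "priv_result": priv.get("result") if priv is not None else None,
            "errval": ret.get("errval") if ret is not None else None,
        })
    return records


def session_view(records):
    """Group records by (audit-uid, session id). Each session "folder" carries
    the timestamps of its first and last record, like the viewer's tooltip."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["audit_uid"], rec["sid"])].append(rec)
    view = {}
    for key, recs in by_session.items():
        recs.sort(key=lambda r: r["time"])
        view[key] = {"first": recs[0]["time"], "last": recs[-1]["time"],
                     "records": recs}
    return view


def failed_privilege_uses(records):
    """Records where an operation failed for lack of a privilege."""
    return [r for r in records
            if r["priv_result"] is not None and r["priv_result"].startswith("failed")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_XML)
    for (user, sid), folder in session_view(recs).items():
        print(f"{user} session {sid}: {folder['first']} .. {folder['last']} "
              f"({len(folder['records'])} records)")
    for r in failed_privilege_uses(recs):
        print(f"{r['time']} {r['audit_uid']} {r['event']} {r['path']}: "
              f"missing {r['privilege']} ({r['errval']})")
```

Run it against a real dump with `parse_records(open("trail.xml").read())`; the session key is the pair (audit-uid, sid) because the audit id survives su(1M), so the folder still belongs to the person who logged in even when the effective uid in later records is root.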

   
 
   
20040826 Thursday August 26, 2004
Austrian whites
Permalink | Comments [1] | 2004-08-26 03:54

Damn! I'll miss this evening's wine tasting session of Austrian white wines.

We unexpectedly had a friend who is staying at our place tonight, and we're heading out for dinner at Fyra Knop, so I'll have to forfeit my seat at the session.

I'm not that bummed out, the food is excellent, and I guess that we can open a bottle of Penfold's Bin 389 when we get back from dinner, to still my cravings.

A new Solaris auditing feature
Permalink | Comments [2] | 2004-08-26 03:22

I thought I'd mention a new audit feature which is available in Solaris Express. I haven't seen anyone else mention it, but it could be that most people aren't paranoid enough to be thrilled about this new feature.

Audit plugins

One of the issues with the audit trail is that it is written to (locally accessible) disk, so if you get a root compromise you are toast! The intruder can just stop auditing and delete the audit trail, and you'll never figure out what happened.

My fellow paranoiacs can now rest a bit easier: you can use the new audit_syslog(5) plugin, which does real-time conversion of Solaris audit data to syslog messages. This means that you can send the audit trail to a remote system where the attacker can't get at it, at least not at once.

By adding the following line to your audit_control file, you will send all login/logout events and all failed file modifications:

plugin: name=audit_syslog.so;p_flags=lo,-fm

You have to configure your local syslogd to forward those log entries, which carry the facility code LOG_AUDIT and severity LOG_NOTICE, to your secure syslog server.

Note that since syslog messages have a maximum length of 1024 bytes, the log entries may be truncated. The audit_syslog plugin tries to retain as much information as possible by truncating paths from the left and other text from the right.
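To see what that left/right truncation policy means for a long audit record, here is an added Python example (mine, not the plugin's own code) that renders an event as a single line and shrinks it to the 1024-byte limit. The field names, the key=value layout and the rule that only the "path" field counts as a path are assumptions made for the example; the page does not describe the plugin's actual message format.

```python
"""Emulate audit_syslog's fit-to-1024-bytes policy: paths lose their left
end (so the file name survives), other text loses its right end.

Added example, not the plugin's own code. The key=value line layout, the
field names and the rule that only the "path" field is a path are
assumptions made here.
"""

SYSLOG_MAX = 1024          # maximum syslog message length, from the post
PATH_KEYS = {"path"}       # assumption: which fields are treated as paths


def truncate_field(key, value, room):
    """Cut `value` to at most `room` bytes: from the left for paths,
    from the right for everything else."""
    data = value.encode("utf-8")
    if len(data) <= room:
        return value
    if room <= 0:
        return ""
    kept = data[-room:] if key in PATH_KEYS else data[:room]
    # A cut inside a multi-byte character is dropped rather than emitted broken.
    return kept.decode("utf-8", errors="ignore")


def fit_message(fields, limit=SYSLOG_MAX):
    """Render `fields` (an ordered dict of str -> str) as 'k=v k=v ...' and
    shrink the values until the line is at most `limit` bytes.

    Every value is cut to one common cap chosen so that the line fits:
    short fields survive untouched, only the longest ones lose data.
    """
    items = list(fields.items())
    overhead = sum(len(k.encode("utf-8")) + 1 for k, _ in items)  # "key="
    overhead += max(len(items) - 1, 0)                             # spaces
    budget = limit - overhead
    if budget < 0:
        raise ValueError("field names alone exceed the syslog line length")
    lengths = [len(v.encode("utf-8")) for _, v in items]
    cap = max(lengths, default=0)
    if sum(lengths) > budget:
        # Binary search for the largest cap whose total still fits the budget.
        lo, hi = 0, cap
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if sum(min(n, mid) for n in lengths) <= budget:
                lo = mid
            else:
                hi = mid - 1
        cap = lo
    return " ".join(f"{k}={truncate_field(k, v, cap)}" for k, v in items)


if __name__ == "__main__":
    # Constructed sample: a path far too deep to fit in one syslog line.
    event = {
        "event": "open(2) - write",
        "host": "airlock",
        "user": "martin",
        "path": "/export/home/" + "x" * 1500 + "/secret.txt",
        "return": "failure: Permission denied",
    }
    line = fit_message(event)
    print(len(line.encode("utf-8")), line[:60], "...", line[-60:])
```

The point to take away for the remote log: a truncated path still ends in the real file name, but a truncated error text or argument list ends wherever the byte budget ran out, so anything that matches on the tail of a message should match on paths, not on free text.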

   
 
   
20040825 Wednesday August 25, 2004
Done for today
Permalink | Comments [3] | 2004-08-25 05:15

I'm done for today! No more fiddling with the theme, but there are a number of things that need to be fixed:

  • Entry header
    The header needs to have a bit more space at the top and bottom so that it doesn't get too close to the surroundings.
  • Fonts
    I'm not that happy with the fonts at the moment. That needs fixing.
  • The calendar
    Looks like a mess
  • The style sheet
    Needs to be cleaned up

Time to get some real work done!

My own theme
Permalink | | 2004-08-25 03:48

After a couple of tries my new theme is starting to take form. I stole the general idea from Chandan, but made it my own by using a slightly different layout.

There is still much to be done, but I'm slowly getting there!

   
 
   
20040823 Monday August 23, 2004
Solaris Auditing
Permalink | Comments [1] | 2004-08-23 10:23

One of the things I spend my days at Sun on is the use of Solaris Auditing within Sun IT. It is an under-used feature of Solaris which can be of great help when you need to track the actions performed by a user.

One needs to be careful though. You can easily generate several MB of audit trail per minute on a heavily used system, e.g. a SunRay server. The guidelines in the Auditing in the Solaris 8 Operating Environment BluePrint are a good place to start.

To protect yourself from filling up /var/audit, use logadm to monitor and trim the audit files.

Tracking user activity

I usually add a third custom audit class in /etc/security/audit_class which helps track users:

0x04000000:ct:custom tracing audit events

Then I add ct to the following audit events:

# grep ,ct /etc/security/audit_event
23:AUE_EXECVE:execve(2):ps,ex,ct
32:AUE_CONNECT:connect(2):nt,ct
33:AUE_ACCEPT:accept(2):nt,ct

Now I can start to look for fishy stuff. E.g., if I want to find out when/if the user martin has been using vi as root, I'd run the following command:

# auditreduce -N -c ex -r me23304 \
  -e root 20040429113732.20040823093204.airlock | praudit
header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
path,/usr/bin/vi
attribute,100555,root,bin,22282241,249,0
exec_args,2,
vi,/etc/security/audit_control
subject,martin,root,other,root,other,6152,5167,0 0 ebola
return,success,0
[lots of other audit records deleted]
Fishy indeed. martin seems to have been editing the audit_control file!

Decoding the audit record

For those who are unfamiliar with audit records, here is a quick decoding of the audit tokens (from top to bottom) that make up the above audit record:

header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
The header token, which indicates what type of event this is, on which system it occurred and when.
path,/usr/bin/vi
The path token, which in this case indicates which program got execve()ed.
attribute,100555,root,bin,22282241,249,0
The attribute token, which shows the file mode, owner, group, filesystem id, node id and device.
exec_args,2,
vi,/etc/security/audit_control
The exec_args token, giving the number of arguments on the first line and the arguments themselves on the next.
subject,martin,root,other,root,other,6152,5167,0 0 ebola
The subject token, showing the audit id, euid, egid, ruid, rgid, pid, session id and terminal id, which is made up of the port id and the system.
return,success,0
The return token, indicating the status of the execve().

If you want to dig deeper, I highly recommend the Audit Token Format manual page.
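Here is an added Python example (not a Sun tool) that decodes praudit's text output token by token, as described above, and answers the question from the auditreduce example: has martin run vi with an effective uid of root? The sample input is the record from the post plus a constructed, harmless second record; the names in SUBJECT_FIELDS and ATTRIBUTE_FIELDS follow the decoding given above, and the handling of exec_args (count on one line, arguments on the next) is taken from the output shown.

```python
"""Decode praudit's comma-separated text output and search it.

Added example, not a Sun tool. It assumes the record layout shown in the
post: a record begins with a header token, each token is one line of
comma-separated fields, and exec_args prints its argument count on one
line and the arguments themselves on the next.
"""
import os

# Constructed sample: the record from the post plus a second, harmless one
# (martin running ls as himself) so that the search has something to skip.
SAMPLE_PRAUDIT = """\
header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
path,/usr/bin/vi
attribute,100555,root,bin,22282241,249,0
exec_args,2,
vi,/etc/security/audit_control
subject,martin,root,other,root,other,6152,5167,0 0 ebola
return,success,0
header,120,2,execve(2),,airlock,2004-03-10 17:06:12.001 +01:00
path,/usr/bin/ls
attribute,100555,root,bin,22282241,301,0
exec_args,2,
ls,/tmp
subject,martin,martin,staff,martin,staff,6153,5167,0 0 ebola
return,success,0
"""

# Field order as decoded in the post's "subject" and "attribute" lines.
SUBJECT_FIELDS = ("audit_uid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")
ATTRIBUTE_FIELDS = ("mode", "owner", "group", "fsid", "nodeid", "device")


def parse_praudit(text):
    """Split praudit text into records; each record is a dict of decoded tokens."""
    records = []
    lines = text.splitlines()
    current = None
    i = 0
    while i < len(lines):
        fields = lines[i].split(",")
        token = fields[0]
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<timestamp>
            current = {"event": fields[3], "modifier": fields[4],
                       "host": fields[5], "time": fields[6]}
            records.append(current)
        elif current is None:
            raise ValueError(f"token before first header: {lines[i]!r}")
        elif token == "path":
            current["path"] = fields[1]
        elif token == "attribute":
            current["attribute"] = dict(zip(ATTRIBUTE_FIELDS, fields[1:]))
        elif token == "exec_args":
            # Argument count on this line, the arguments on the following one
            # (assumed, from the post's output; a count of 0 consumes no line).
            count = int(fields[1])
            current["exec_args"] = []
            if count > 0:
                i += 1
                current["exec_args"] = lines[i].split(",", count - 1)
        elif token == "subject":
            current["subject"] = dict(zip(SUBJECT_FIELDS, fields[1:]))
        elif token == "return":
            current["return"] = {"status": fields[1], "value": fields[2]}
        i += 1
    return records


def find_program_runs_as_root(records, audit_uid, program):
    """execve records where `audit_uid` ran `program` with effective uid root,
    i.e. the post's "has martin been using vi as root" question."""
    hits = []
    for rec in records:
        subj = rec.get("subject", {})
        if rec["event"] != "execve(2)" or subj.get("audit_uid") != audit_uid:
            continue
        if subj.get("euid") != "root":
            continue
        if os.path.basename(rec.get("path", "")) == program:
            hits.append(rec)
    return hits


def describe(rec):
    """One-line summary of an execve record for a report."""
    subj = rec["subject"]
    args = " ".join(rec.get("exec_args", []))
    return (f"{rec['time']} {rec['host']}: {subj['audit_uid']} (euid {subj['euid']}, "
            f"sid {subj['sid']}) ran {rec.get('path')} as: {args}")


if __name__ == "__main__":
    for hit in find_program_runs_as_root(parse_praudit(SAMPLE_PRAUDIT), "martin", "vi"):
        print(describe(hit))
```

Matching on the audit id rather than the effective uid is what makes the question answerable at all: once martin has become root, every record's euid says root, but audit_uid still says martin.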

XML output

With patch 114332 for Solaris 9, you get the possibility to generate XML output from the praudit command. This means that you can easily parse the audit log in Java.

I have put together a quick proof of concept audit log viewer in Java, reading the resulting XML file. It was a big improvement over reading the text version of the logs as I usually do.

If I ever get enough time to spare, I'll try to take the Java log viewer past proof of concept.

Procrastination
Permalink | Comments [2] | 2004-08-23 00:17

I'm sorry, Mama. I never meant to hurt you. I never meant to make you cry, but tonight I'm cleanin' out my closet.

As I work from home almost 99% of the time, I have a small lab in a closet. I finally cleaned it up yesterday evening!

It is amazing how much (computer) junk one collects. I filled one box with broken stuff that I never got around to throwing away, and one box of outdated stuff that just collected dust. I'll bring that box by the office and let the vultures tear up the carcasses.

I'm not sure if all of it will find new owners. E.g., how many people need:

but I know at least one guy at the office who has unlimited storage space for things like this, and wouldn't think twice before grabbing it.

I also made a neat pile of old PC junk. Anyone interested in an ISA NIC (3Com 3C509TP)?

Sometime next week I'll head to the office and clean up my lab rack. I just don't have the patience to use a bunch of old SPARCstation 20s any more, and besides, I can't run Solaris 10 on them.

   
 
   
20040813 Friday August 13, 2004
The Punisher
Permalink | | 2004-08-13 14:45

I just saw The Punisher, and compared to the comic books it was decent, especially if you have seen the old one.





Being an avid comic book reader, I've noticed that there have been a lot of new comic book movies lately. I guess that they couldn't make them good enough without computer graphics.

In case you're in Stockholm and are looking for a good place to buy comics, go to Comics Heaven and talk to Kåge. He knows everything there is to know about comics.

My personal recommendations are Hellblazer and Lucifer. Both are very dark and ominous, but reflect the world around us quite well - I'm afraid.

It is 15 minutes to midnight, so I'd better hit the sack if I'm to be able to get up at 0600 to head out for my morning run...

   
 
   
20040804 Wednesday August 04, 2004
Mojitos and PCs
Permalink | Comments [1] | 2004-08-04 05:15

I spent yesterday evening trying to put together a PC for my parents, from a couple of old and unused PCs I have in my study. This only resulted in frustration and a couple of Mojitos to calm my nerves.

Something as simple as moving one motherboard from one system to another can cause grief beyond imagination. I thought I'd take the newest motherboard and put it in a mini tower, as it was located in a box which could easily be mistaken for a fridge.

Having been told off by numerous hardware engineers, I decided to be a good boy and use my anti-static mat, hooked it up to the 'puters, slaughtered the fridge and put the motherboard and gfx card in the mini tower. Lo and behold, powering it on resulted in nothing.

Two hours of troubleshooting, and I now can get it to boot 50% of the time.

If you too get stuck while playing hardware engineer, I suggest a Mojito or two.

Ingredients:

  • 2-3 oz light rum
  • juice of one lime
  • 2 tsp sugar
  • 2-4 mint sprigs
  • soda water

Instructions:

Lightly muddle the mint and sugar with a splash of soda water in a mixing glass until the sugar dissolves and you smell the mint. Squeeze the lime into the glass, add rum and shake with ice. Strain over cracked ice in a highball glass. Top with soda water, garnish with a mint sprig.

Drink at once and feel the pain go away...

   
 
   
20040803 Tuesday August 03, 2004
A room with a view
Permalink | | 2004-08-03 01:39

People have requested that I post some pictures of our building and Stockholm.

Here is the view from our living room, in the spring when the cherry trees blossom in the park below:

And here is an aerial photo of the building (and the central part of Stockholm). All but the building is dimmed, but if you click on it you'll get a larger image without the dimming.

Back at work
Permalink | Comments [1] | 2004-08-03 00:39

My three week vacation is over.

The weather has been really lousy! It rained all days but one, so I spent most of the time indoors and read a lot. The pile of books beside my bed is only 30 cm now (about 1 ft for you metric challenged people).

I'm not that upset about the weather, as this wasn't the real vacation this year. In December we're heading down under to visit some friends in Melbourne, Sydney, New Castle and Brisbane. We'll get plenty of sun then!

The only sad thing is that Danny (who lives in Brisbane) has had better weather during their winter than we have had during our summer. Can someone remind me why I live in Sweden? I must have forgotten.

Time to get some work done...

   
 
   