One of the things I spend my days on at Sun is the use of Solaris Auditing within Sun IT. It is an under-used feature of Solaris which can be of great help when you need to track the actions performed by a user.
One needs to be careful though. You can easily generate several MB of audit trail per minute on a heavily used system, e.g. a SunRay server. The guidelines in the Auditing in the Solaris 8 Operating Environment BluePrint are a good place to start.
To protect yourself from filling up /var/audit use logadm to monitor and trim the audit files.
Tracking user activity
I usually add a third custom audit class in /etc/security/audit_class which helps track users:
0x04000000:ct:custom tracing audit events
Then I add ct to the following audit events:
# grep ,ct /etc/security/audit_event
23:AUE_EXECVE:execve(2):ps,ex,ct
32:AUE_CONNECT:connect(2):nt,ct
33:AUE_ACCEPT:accept(2):nt,ct
Now I can start to look for fishy stuff, e.g. if I want to find out when/if the user martin has been using vi as root, I'd run the following command:
# auditreduce -N -c ex -r me23304 \
    -e root 20040429113732.20040823093204.airlock | praudit
header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
path,/usr/bin/vi
attribute,100555,root,bin,22282241,249,0
exec_args,2, vi,/etc/security/audit_control
subject,martin,root,other,root,other,6152,5167,0 0 ebola
return,success,0
[lots of other audit records deleted]

Fishy indeed.
martin seems to have been editing the audit_control file!
Decoding the audit record
For those who are unfamiliar with audit records, here is a quick decoding of the audit tokens (from top to bottom) that make up the above audit record:

header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
The header token, which indicates what type of event this is, on which system it occurred and when.

path,/usr/bin/vi
The path token, which in this case indicates which program was execve()ed.

attribute,100555,root,bin,22282241,249,0
The attribute token, which shows the file mode, owner, group, filesystem id, node id and device.

exec_args,2, vi,/etc/security/audit_control
The exec_args token, which shows the number of arguments followed by the arguments themselves.

subject,martin,root,other,root,other,6152,5167,0 0 ebola
The subject token, showing the audit id, euid, egid, ruid, rgid, pid, session id and terminal id, which is made up of the port id and the system.

return,success,0
The return token, indicating the status of the execve().
If you want to dig deeper, I highly recommend the Audit Token Format manual page.
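To show how the praudit text output above can be turned into the same "who ran what as root" question without reading records by eye, here is an added example (not code from the original post or from Solaris) that parses one-token-per-line praudit output into records, applies the query from the auditreduce command above, and additionally flags exec arguments under /etc/security. The token layouts follow the decoding in this post; the sample records, the second and third records in particular, are constructed for the example, and the watched path prefix is an assumption.

```python
"""Parse praudit text output and flag programs executed with euid root.

Added example, not code from the original post.  Record format: one
token per line, comma-separated fields, each record opened by a
'header' token, as in the praudit output shown in the post.
"""
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample: the record from the post plus two made-up records.
SAMPLE_PRAUDIT = """\
header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
path,/usr/bin/vi
attribute,100555,root,bin,22282241,249,0
exec_args,2, vi,/etc/security/audit_control
subject,martin,root,other,root,other,6152,5167,0 0 ebola
return,success,0
header,120,2,execve(2),,airlock,2004-03-10 17:06:12.101 +01:00
path,/usr/bin/ls
attribute,100555,root,bin,22282241,300,0
exec_args,1,ls
subject,martin,martin,other,martin,other,6160,5167,0 0 ebola
return,success,0
header,120,2,execve(2),,airlock,2004-03-10 17:07:03.500 +01:00
path,/usr/bin/vi
attribute,100555,root,bin,22282241,249,0
exec_args,2,vi,/tmp/notes
subject,alice,root,other,root,other,6170,5200,0 0 ebola
return,failure: Permission denied,-1
"""

# Field order of the subject token, as decoded in the post.
SUBJECT_FIELDS = ["audit_uid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid"]

# Assumed watch list: exec arguments under these prefixes are worth a look.
WATCHED_PREFIXES = ("/etc/security/",)


def parse_records(text: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per audit record; a new record starts at each header token."""
    rec: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        if token == "header":
            if rec is not None:
                yield rec
            # header: length, version, event name, modifier, host, timestamp
            fields = rest.split(",", 5)
            rec = {"event": fields[2], "host": fields[4], "time": fields[5]}
        elif rec is None:
            continue  # stray token before any header: ignore it
        elif token == "path":
            rec["path"] = rest
        elif token == "exec_args":
            # count, then the arguments; praudit output in the post pads the
            # first argument with a space, so strip each one.  Arguments that
            # themselves contain commas are not handled by this simple split.
            count, _, args = rest.partition(",")
            rec["exec_args"] = [a.strip() for a in args.split(",")][: int(count)]
        elif token == "subject":
            # the terminal id contains spaces but no commas, so a bounded split works
            rec.update(zip(SUBJECT_FIELDS, rest.split(",", len(SUBJECT_FIELDS) - 1)))
        elif token == "return":
            # status text may contain commas in theory; the return value never does
            status, _, value = rest.rpartition(",")
            rec["status"] = status
            rec["retval"] = value
    if rec is not None:
        yield rec


def root_execs_by(records: Iterable[Dict[str, object]], audit_uid: str,
                  program: Optional[str] = None) -> List[Dict[str, object]]:
    """Records where the audited user executed a program with euid root.

    The audit id is fixed at login and survives su, so selecting on it
    catches commands run from a root shell, which is the point of the
    auditreduce -e root query in the post."""
    hits = []
    for r in records:
        if r.get("event") != "execve(2)" or r.get("audit_uid") != audit_uid:
            continue
        if r.get("euid") != "root":
            continue
        if program is not None and r.get("path") != program:
            continue
        hits.append(r)
    return hits


def touches_watched_file(rec: Dict[str, object]) -> bool:
    """True if any exec argument lies under an assumed sensitive prefix."""
    return any(str(a).startswith(WATCHED_PREFIXES) for a in rec.get("exec_args", []))


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_PRAUDIT))
    for hit in root_execs_by(recs, "martin", "/usr/bin/vi"):
        flag = "  <-- watched file" if touches_watched_file(hit) else ""
        print(hit["time"], hit["host"], hit["audit_uid"], hit["path"],
              " ".join(hit["exec_args"]), hit["status"] + flag)
```

On a real system the input would be `auditreduce ... | praudit` piped into the script; the parser deliberately keys on the audit id rather than the real uid, since the audit id is what identifies the person after an su to root.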
XML output
With patch 114332 for Solaris 9, praudit can generate XML output. This means that you can easily parse the audit log in Java.
I have put together a quick proof of concept audit log viewer in Java, reading the resulting XML file. It was a big improvement over reading the text version of the logs as I usually do.
If I ever get enough time to spare, I'll try to take the Java log viewer past proof of concept.