Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."


Thursday August 26, 2004
Austrian whites
2004-08-26 03:54

Damn! I'll miss this evening's wine tasting session of Austrian white wines.

We unexpectedly have a friend staying at our place tonight, and we're heading out for dinner at Fyra Knop, so I'll have to forfeit my seat at the session.

I'm not that bummed out; the food is excellent, and I guess that we can open a bottle of Penfold's Bin 389 when we get back from dinner, to still my cravings.

A new Solaris auditing feature
2004-08-26 03:22

I thought I'd mention a new audit feature which is available in Solaris Express. I haven't seen anyone else mention it, but it could be that most people aren't paranoid enough to be thrilled about this new feature.

Audit plugins

One of the issues with the audit trail is that it is written to (locally accessible) disk, so if you get a root compromise you are toast! The intruder can just stop auditing and delete the audit trail, and you'll never figure out what happened.

My fellow paranoiacs can now rest a bit easier: you can use the new audit_syslog(5) plugin, which does realtime conversion of Solaris audit data to syslog messages. This means that you can send the audit trail to a remote system where the attacker can't get at it, at least not at once.

By adding the following line to your audit_control file, you will send all login/logout events and all failed file modifications:

plugin: name=audit_syslog.so;p_flags=lo,-fm

You have to configure your local syslogd to forward those log entries, with the facility code of LOG_AUDIT and severity of LOG_NOTICE, to your secure syslog server.
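A check for the forwarding step above, as an added example that is not part of the original post: it reads a syslog.conf-style file and lists the remote hosts that would receive `audit.notice` messages. It assumes plain (not m4-wrapped) lines, that the `*` facility wildcard covers `audit`, and tab-separated fields as Solaris syslogd requires; the function name and host names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_forward_targets FILE
#   Prints each remote (@host) action whose selector matches facility
#   "audit" at level "notice". Returns 0 if any is found, 1 otherwise.
audit_forward_targets() {
    awk -F'\t+' '
    # Skip comments, blank lines and lines with no tab before the action
    # (a space-separated line has only one field here).
    /^[ \t]*#/ || NF < 2 { next }
    {
        hit = 0
        n = split($1, sel, ";")
        for (i = 1; i <= n; i++) {
            # Each selector is facility[,facility...].level
            dot = index(sel[i], ".")
            if (dot == 0) continue
            facs = substr(sel[i], 1, dot - 1)
            lvl  = substr(sel[i], dot + 1)
            m = split(facs, f, ",")
            for (j = 1; j <= m; j++) {
                if (f[j] != "audit" && f[j] != "*") continue
                # A level in the selector also matches more severe messages,
                # so notice, info and debug all catch LOG_NOTICE; none excludes.
                if (lvl == "none") hit = 0
                else if (lvl == "notice" || lvl == "info" || lvl == "debug") hit = 1
            }
        }
        if (hit && $2 ~ /^@/) { print substr($2, 2); found = 1 }
    }
    END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample config: a local-only rule, a rule that excludes audit,
# a rule broken by a space instead of a tab, and one working forward rule.
sample=$(mktemp)
printf 'audit.notice\t/var/adm/auditlog\n' >  "$sample"
printf '*.err;audit.none\t@errhost\n'      >> "$sample"
printf 'audit.notice @spaces-not-tabs\n'   >> "$sample"
printf 'audit.notice\t@loghost\n'          >> "$sample"
audit_forward_targets "$sample"    # prints: loghost
rm -f "$sample"
```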

Note that since syslog messages have a max length of 1024 bytes, the log entries may be truncated. The audit_syslog plugin tries to retain as much information as possible, by truncating paths from the left and other text from the right.

   
 
   