Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."


Friday August 27, 2004
XML audit trail
2004-08-27 00:05

The possibility to dump the audit trail in XML seemed new to a lot of people, so I thought that I'd include an example of it too.

Here is an audit record from a failed file read ("-fr" for those of you who know the audit classes and flag syntax). The XML output is actually a lot easier to read when you don't know the audit tokens by heart.

<record version="2" event="open(2) - read" modifier="fe" host="airlock"
  iso8601="2004-08-27 07:36:40.199 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758"
  device="0"/>
<subject audit-uid="martin" uid="local" gid="local" ruid="local" rgid="local"
  pid="28164" sid="9004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="failed use of priv">file_dac_read</use_of_privilege>
<return errval="failure: Permission denied" retval="-1"/>
</record>

And it gets even better. If you dump the audit trail to XML, you can open it in your preferred XML-enabled browser, Firefox in my case, and get an almost comprehensible output.

An interesting thing to note: there is a new audit token, called "use of privilege", which tells you that this operation (file open) failed due to lack of the privilege file_dac_read. That is, the file wasn't readable by the user "local", but had he held the file_dac_read privilege, he would have been allowed to override the file permissions.

Here is a rerun of the command, but after granting the "local" user the file_dac_read privilege:

<record version="2" event="open(2) - read" modifier="" host="airlock"
  iso8601="2004-08-27 07:56:02.858 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758"
  device="0"/>
<subject audit-uid="me23304" uid="local" gid="local" ruid="local" rgid="local"
  pid="28190" sid="3311039004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="successful use of priv">file_dac_read</use_of_privilege>
<return errval="success" retval="3"/>
</record>

And as you can see, the open(2) now succeeds, even though the file permission of /etc/shadow is 600 (rw-------).
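Since the XML form is easy to parse, here is an added example (my own illustration, not code from the post or from Solaris) of the kind of script you would point at a dumped trail to pull out exactly the "use of privilege" tokens discussed above: both the failed attempt in the first record and the successful override in the second. It assumes the records are wrapped in a single <audit> root element, as praudit -x emits them, and it reads the modifier="fe" attribute as "failed event" based on the two records shown in the post. The sample input is constructed for the example: the first two records follow the values in the post, the third is made up to show an ordinary open with no privilege token.

```python
"""Parse Solaris audit records in the XML shape shown in the post (praudit -x)
and pull out the use_of_privilege tokens for review.

Added example, not the post's code and not part of Solaris. Assumes the
records sit under one <audit> root element and carry the attributes shown
in the post.
"""
import xml.etree.ElementTree as ET

# Constructed sample. Records one and two mirror the post; record three is
# made up to show a normal open that involves no privilege at all.
SAMPLE_AUDIT_XML = """<audit>
<record version="2" event="open(2) - read" modifier="fe" host="airlock"
  iso8601="2004-08-27 07:36:40.199 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758" device="0"/>
<subject audit-uid="martin" uid="local" gid="local" ruid="local" rgid="local"
  pid="28164" sid="9004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="failed use of priv">file_dac_read</use_of_privilege>
<return errval="failure: Permission denied" retval="-1"/>
</record>
<record version="2" event="open(2) - read" modifier="" host="airlock"
  iso8601="2004-08-27 07:56:02.858 +02:00">
<path>/etc/shadow</path>
<attribute mode="100400" uid="root" gid="sys" fsid="22282241" nodeid="49758" device="0"/>
<subject audit-uid="me23304" uid="local" gid="local" ruid="local" rgid="local"
  pid="28190" sid="3311039004" tid="0 0 192.176.15.118"/>
<use_of_privilege result="successful use of priv">file_dac_read</use_of_privilege>
<return errval="success" retval="3"/>
</record>
<record version="2" event="open(2) - read" modifier="" host="airlock"
  iso8601="2004-08-27 08:01:10.000 +02:00">
<path>/tmp/notes.txt</path>
<attribute mode="100644" uid="local" gid="local" fsid="22282241" nodeid="50001" device="0"/>
<subject audit-uid="me23304" uid="local" gid="local" ruid="local" rgid="local"
  pid="28201" sid="3311039004" tid="0 0 192.176.15.118"/>
<return errval="success" retval="3"/>
</record>
</audit>"""


def parse_records(xml_text):
    """Flatten each <record> into a dict of the fields an analyst looks at first."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        subject = rec.find("subject")
        priv = rec.find("use_of_privilege")
        ret = rec.find("return")
        records.append({
            "time": rec.get("iso8601"),
            "host": rec.get("host"),
            "event": rec.get("event"),
            # Assumption drawn from the post: the failed open carries
            # modifier="fe", the successful one an empty modifier.
            "failed": rec.get("modifier") == "fe",
            "path": rec.findtext("path"),
            "audit_uid": subject.get("audit-uid") if subject is not None else None,
            "uid": subject.get("uid") if subject is not None else None,
            "privilege": priv.text.strip() if priv is not None and priv.text else None,
            "priv_result": priv.get("result") if priv is not None else None,
            "retval": ret.get("retval") if ret is not None else None,
        })
    return records


def privilege_uses(records, watched_paths=("/etc/shadow",)):
    """Records carrying a use_of_privilege token for a watched path, whether
    the privilege check failed or succeeded. The failed ones show who is
    bumping into DAC on sensitive files; the successful ones show which
    audit-uid actually holds the privilege that overrides it."""
    return [r for r in records
            if r["privilege"] and r["path"] in watched_paths]


def summarize(records):
    """Count (audit_uid, privilege, result) triples, e.g. for a daily report."""
    counts = {}
    for r in privilege_uses(records):
        key = (r["audit_uid"], r["privilege"], r["priv_result"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for r in privilege_uses(parse_records(SAMPLE_AUDIT_XML)):
        print(r["time"], r["audit_uid"], r["path"], r["privilege"], r["priv_result"])
```

The point of keying the summary on the audit-uid rather than the effective uid is the same one the record itself makes: both attempts ran as "local", but the audit-uid tells you which real login was behind them.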

If you want to read more about Solaris privileges, I recommend that you take a look at Casper Dik's blog.
