I thought I'd mention a new audit feature which is available in Solaris Express, and I haven't seen anyone else mention it, but it could be that most people aren't paranoid enough to be thrilled about this new feature.
Audit plugins
One of the issues with the audit trail is that it is written to (locally accessible) disk, so if you suffer a root compromise you are toast! The intruder can simply stop auditing and delete the audit trail, and you'll never figure out what happened.
My fellow paranoiacs can now rest a bit easier: you can use the new audit_syslog(5) plugin, which does real-time conversion of Solaris audit data to syslog messages. This means you can send the audit trail to a remote system where the attacker can't get at it, at least not immediately.
By adding the following line to your audit_control file, you will send all login/logout events and all failed file modifications:
plugin: name=audit_syslog.so;p_flags=lo,-fm
You have to configure your local syslogd to forward those log entries, which carry the facility code LOG_AUDIT and severity LOG_NOTICE, to your secure syslog server.
Note that since syslog messages have a maximum length of 1024 bytes, log entries may be truncated. The audit_syslog plugin tries to retain as much information as possible by truncating paths from the left and other text from the right.
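To make the truncation behaviour concrete, here is an added example (not Sun's plugin code) that models how a relay has to squeeze an audit record into syslog's 1024-byte budget, clipping free text from the right and the object path from the left, and how the receiving log server can flag records that were cut. The record layout, field names and sample values are constructed for this illustration; the real audit_syslog(5) text format differs.

```python
#!/usr/bin/env python3
"""Illustrative model of the audit_syslog length budget (not Sun's code).

A syslog message is capped at 1024 bytes.  To keep the identifying parts of
a record, the relay sacrifices fields in this order:
  1. free text, clipped from the right (the event name and outcome sit at
     the front of the record and survive longest);
  2. the object path, clipped from the left (the leaf name, which says what
     was touched, survives longest).
The record layout below ("<event> <outcome> by <subject> obj <path> text
<comment>") is constructed for this example.
"""

SYSLOG_MAX_BYTES = 1024  # message limit the plugin has to respect


def clip_path_from_left(path: str, budget: int) -> str:
    """Drop leading path components, keeping the rightmost `budget` bytes."""
    if len(path) <= budget:
        return path
    return path[len(path) - budget:]


def clip_text_from_right(text: str, budget: int) -> str:
    """Drop trailing free text, keeping the leftmost `budget` bytes."""
    return text[:budget]


def format_record(event: str, outcome: str, subject: str,
                  path: str, comment: str) -> str:
    """Render a record, shrinking comment then path until it fits."""
    def render(p: str, c: str) -> str:
        return f"{event} {outcome} by {subject} obj {p} text {c}"

    overflow = len(render(path, comment).encode()) - SYSLOG_MAX_BYTES
    if overflow > 0:
        # Spend the free text first.
        cut = min(overflow, len(comment))
        comment = clip_text_from_right(comment, len(comment) - cut)
        overflow -= cut
    if overflow > 0:
        # Still too long: take the remainder out of the path's left end.
        path = clip_path_from_left(path, max(0, len(path) - overflow))
    return render(path, comment)


def looks_truncated(msg: str) -> bool:
    """Receiver-side heuristic for a clipped record.

    A record that arrives at the size limit, or whose object path no longer
    starts at the root, was almost certainly shortened by the relay and
    deserves an alert on the log server.
    """
    if len(msg.encode()) >= SYSLOG_MAX_BYTES:
        return True
    try:
        obj = msg.split(" obj ", 1)[1].split(" text ", 1)[0]
    except IndexError:
        return False
    return bool(obj) and not obj.startswith("/")


# Constructed sample records: one short, one with a path deep enough to
# overflow the budget on its own.
SHORT_PATH = "/etc/shadow"
LONG_PATH = "/export/home/alice/" + "level/" * 200 + "secret.txt"


def demo() -> list:
    """Return (message, flagged) pairs for the constructed samples."""
    out = []
    for path, comment in ((SHORT_PATH, "permission denied"),
                          (LONG_PATH, "x" * 100)):
        msg = format_record("AUE_OPEN_W", "failed", "alice", path, comment)
        out.append((msg, looks_truncated(msg)))
    return out


if __name__ == "__main__":
    for msg, flagged in demo():
        print(f"{len(msg):4d} bytes  truncated={flagged}  {msg[:60]}...")
```

The point of the receiver-side check is that truncation is silent on the wire: once the relay has clipped a path, the log server has no way to recover the missing prefix, so the best it can do is notice that a record is suspect and alert on it rather than treat the shortened path as the full object name.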
Posted by Vlad Grama on August 26, 2004 at 03:55 AM PDT #
Hi Vlad!
Both your suggestions are good solutions to the problem, but as I run IPsec between my systems, I don't have to worry about the spoofing. The lost and truncated records are a bigger problem.
As you point out, what we need is a secure syslog daemon.
cheers,
/Martin
Posted by Martin Englund on August 26, 2004 at 04:11 AM PDT #