Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."


20040823 Monday August 23, 2004
Solaris Auditing
Comments [1] | 2004-08-23 10:23

One of the things I spend my days at Sun on is the use of Solaris Auditing within Sun IT. It is an under-used feature of Solaris, which can be of great help when you need to track the actions performed by a user.

One needs to be careful though. You can easily generate several MB of audit trail per minute on a heavily used system, e.g. a SunRay server. The guidelines in the Auditing in the Solaris 8 Operating Environment BluePrint are a good place to start.

To protect yourself from filling up /var/audit, use logadm to monitor and trim the audit files.

Tracking user activity

I usually add a third, custom audit class in /etc/security/audit_class, which helps track users:

0x04000000:ct:custom tracing audit events

Then I add ct to the following audit events:

# grep ,ct /etc/security/audit_event
23:AUE_EXECVE:execve(2):ps,ex,ct
32:AUE_CONNECT:connect(2):nt,ct
33:AUE_ACCEPT:accept(2):nt,ct

Now I can start looking for fishy stuff. For example, to find out when (or whether) the user martin has been using vi as root, I'd run the following command:

# auditreduce -N -c ex -r me23304 \
  -e root 20040429113732.20040823093204.airlock | praudit
header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
path,/usr/bin/vi
attribute,100555,root,bin,22282241,249,0
exec_args,2,
vi,/etc/security/audit_control
subject,martin,root,other,root,other,6152,5167,0 0 ebola
return,success,0
[lots of other audit records deleted]
Fishy indeed. martin seems to have been editing the audit_control file!

Decoding the audit record

For those who are unfamiliar with audit records, here is a quick decoding of the audit tokens that make up the above audit record, from top to bottom:

header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
The header token, which indicates what type of event this is, on which system it occurred and when.
path,/usr/bin/vi
The path token, which in this case indicates which program got execve()ed.
attribute,100555,root,bin,22282241,249,0
The attribute token, which shows the file mode, owner, group, filesystem id, node id and device.
exec_args,2,
vi,/etc/security/audit_control
The exec_args token, giving the number of arguments passed to execve() followed by the arguments themselves.
subject,martin,root,other,root,other,6152,5167,0 0 ebola
The subject token, showing the audit id, euid, egid, ruid, rgid, pid, session id and terminal id, which is made up of the port id and the system.
return,success,0
The return token, indicating the status of the execve().

If you want to dig deeper, I highly recommend the Audit Token Format manual page.
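To tie the auditreduce/praudit search above to the token decoding, here is an added example (not code from the original post) that parses praudit's default text output into one record per header token and flags execs run with euid root by a non-root audit id that name a file under /etc/security/audit*. The SAMPLE data is constructed: its first record is the one shown in the post, the second is a benign exec added for contrast; AUDIT_CONF_PREFIX and the function names are my own.

```python
# Added example (not from the post): decode praudit text records and flag
# privileged edits of the audit configuration. SAMPLE is constructed; its
# first record is the one shown in the post, the second is a benign exec.
SAMPLE = """\
header,149,2,execve(2),,airlock,2004-03-10 17:05:57.059 +01:00
path,/usr/bin/vi
attribute,100555,root,bin,22282241,249,0
exec_args,2,
vi,/etc/security/audit_control
subject,martin,root,other,root,other,6152,5167,0 0 ebola
return,success,0
header,120,2,execve(2),,airlock,2004-03-10 17:06:12.001 +01:00
path,/usr/bin/ls
attribute,100555,root,bin,22282241,251,0
exec_args,2,
ls,/tmp
subject,martin,martin,staff,martin,staff,6160,5167,0 0 ebola
return,success,0
"""

AUDIT_CONF_PREFIX = "/etc/security/audit"  # audit_control, audit_class, audit_event, ...

def parse_praudit(text):
    """Return one dict per audit record; a record starts at each header token."""
    records, rec = [], None
    lines = iter(text.splitlines())
    for line in lines:
        tok = line.split(",")
        if tok[0] == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
            rec = {"event": tok[3], "host": tok[5], "when": tok[6], "args": []}
            records.append(rec)
        elif rec is None:
            continue  # ignore anything before the first header token
        elif tok[0] == "path":
            rec["path"] = tok[1]
        elif tok[0] == "exec_args":
            # tok[1] is the argument count; praudit prints the arguments on the next line
            rec["args"] = next(lines).split(",")[: int(tok[1])]
        elif tok[0] == "subject":
            # subject,<audit id>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<sid>,<terminal>
            rec["auid"], rec["euid"], rec["pid"] = tok[1], tok[2], tok[6]
        elif tok[0] == "return":
            rec["status"] = tok[1]
    return records

def privileged_audit_config_edits(records):
    """Execs run with euid root by a non-root audit id that name /etc/security/audit*."""
    return [r for r in records if r.get("euid") == "root" and r.get("auid") != "root"
            and any(a.startswith(AUDIT_CONF_PREFIX) for a in r["args"])]
```

Feed it real data by capturing the output of an auditreduce | praudit pipeline like the one above; because plain praudit separates fields with commas, arguments that themselves contain commas are better handled through the XML output described below.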

XML output

With patch 114332 for Solaris 9, you get the possibility to generate XML output from the praudit command. This means that you can easily parse the audit log in Java.

I have put together a quick proof of concept audit log viewer in Java, reading the resulting XML file. It was a big improvement over reading the text version of the logs as I usually do.

If I ever get enough time to spare, I'll try to take the Java log viewer past proof of concept.

Comments:

Could you please post your proof of concept? Or send it to me by email?

As a general comment on BSM auditing: I think it's a very useful feature (and under-used too as you mentioned). I also think however the logs should be easier to read/parse. More examples in the documentation would be helpful too. Maybe with XML output things will get easier.

Thank you

Posted by Vlad Grama on August 26, 2004 at 04:04 AM PDT #
