Configuration of BSM
Chris configured Solaris BSM audit logging on hosts k6, spurr, erebus,
kanab, tallac and rainier using the standard procedure.
First run bsmconv, then edit /etc/security/audit_control and
/etc/security/audit_user as shown below, and finally reboot.

/etc/security/audit_control:

    dir:/var/audit
    flags:lo,+ex
    minfree:5
    naflags:

/etc/security/audit_user:

    #
    # User Level Audit User File
    #
    # File Format
    #
    #   username:always:never
    #
    root:lo,+ex:no

In audit_control, flags lists the classes audited for every user (lo is
login/logout, +ex is successful exec only), naflags lists the classes for
non-attributable events and is left empty here, and minfree is the
percentage of free space in the audit file system below which a warning is
sent. Each audit_user line adds the "always" classes to, and removes the
"never" classes from, the system flags for that user; "no" is the empty
class, so nothing is removed for root.
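The flag arithmetic above (system flags, plus a user's "always" classes, minus the "never" classes) and the empty naflags line are easy to misread by eye. The following Python is an added example, not part of the original page or of Chris' tooling: it embeds constructed copies of the two files above, derives the per-user preselection mask, and prints the checks a practitioner would want before trusting the logs. The audit class list used to expand "all" is taken from the standard audit_class(4) names and is an assumption about the host.

```python
# Added example (not code from the original page): derive the per-user
# BSM preselection mask from audit_control and audit_user, and check the
# settings a practitioner would question.  The two file bodies are
# constructed copies of the configuration shown above.

AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,+ex
minfree:5
naflags:
"""

AUDIT_USER = """\
#
# User Level Audit User File
#
# File Format
#
#   username:always:never
#
root:lo,+ex:no
"""

# Class names from the standard Solaris audit_class(4) file; assumed to
# match this host (check /etc/security/audit_class).  Used to expand 'all'.
ALL_CLASSES = ("fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
               "na", "ad", "lo", "ap", "ss", "as", "io", "ex", "ot")


def parse_flags(spec):
    """Turn a flag string such as 'lo,+ex' into {class: set(outcomes)}.
    A bare class selects success and failure, '+cls' success only and
    '-cls' failure only; 'no' selects nothing and 'all' every class."""
    mask = {}
    for tok in filter(None, spec.split(",")):
        outcomes = {"success", "failure"}
        if tok[0] == "+":
            outcomes, tok = {"success"}, tok[1:]
        elif tok[0] == "-":
            outcomes, tok = {"failure"}, tok[1:]
        if tok == "no":
            continue
        for cls in (ALL_CLASSES if tok == "all" else (tok,)):
            mask.setdefault(cls, set()).update(outcomes)
    return mask


def format_mask(mask):
    """Inverse of parse_flags: {'lo': both, 'ex': {success}} -> '+ex,lo'."""
    both = {"success", "failure"}
    out = []
    for cls in sorted(mask):
        prefix = "" if mask[cls] == both else ("+" if "success" in mask[cls] else "-")
        out.append(prefix + cls)
    return ",".join(out)


def parse_audit_control(text):
    """Return the keyword:value lines of audit_control as a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key] = value
    return conf


def parse_audit_user(text):
    """Return {username: (always_flags, never_flags)} from audit_user."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, always, never = line.split(":", 2)
            users[name] = (always, never)
    return users


def effective_mask(conf, users, username):
    """System flags, plus the user's 'always' classes, minus 'never'.
    A user with no audit_user entry simply gets the system flags."""
    mask = parse_flags(conf.get("flags", ""))
    always, never = users.get(username, ("", ""))
    for cls, outcomes in parse_flags(always).items():
        mask.setdefault(cls, set()).update(outcomes)
    for cls, outcomes in parse_flags(never).items():
        if cls in mask:
            mask[cls] -= outcomes
            if not mask[cls]:
                del mask[cls]
    return mask


def audit_warnings(conf):
    """Configuration checks worth running before trusting the logs."""
    warnings = []
    if not conf.get("flags"):
        warnings.append("flags is empty: no attributable events are audited")
    if not conf.get("naflags"):
        warnings.append("naflags is empty: non-attributable events, such as "
                        "failed logins before an audit id is set, are not audited")
    if "minfree" not in conf:
        warnings.append("minfree is unset: no warning when the audit file system fills")
    return warnings


if __name__ == "__main__":
    conf = parse_audit_control(AUDIT_CONTROL)
    users = parse_audit_user(AUDIT_USER)
    for user in ("root", "wee"):
        print("%-5s %s" % (user, format_mask(effective_mask(conf, users, user))))
    for w in audit_warnings(conf):
        print("warning:", w)
```

With the configuration above, root and a user without an audit_user entry both end up with the mask +ex,lo, and the only warning is the empty naflags line. Passing a hypothetical entry such as ("fw", "-lo") for a user shows the subtraction: failed logins drop out of that user's mask while successful ones stay.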
Status of audit logging
The auditconfig program provides all sorts of information
about the current state of logging. A perl wrapper around it helps
format the most useful information.
The script builds a small database of event names, ids, descriptions and class types. It then runs "auditconfig -getpinfo $$" to read the preselection mask of the current process (the shell the script was started from, so the result reflects the invoking user's mask, not just the system-wide flags), and finally prints the events that belong to the classes in that mask.
What events are being logged? (the what_events_are_audited script)
#!/usr/local/bin/perl
# Christopher Wee, wee@cs.ucdavis.edu
# $Id$
#
# Report which audit events are selected for the current process.
#
use strict;
use warnings;

#
# build a class to event mapping
#
my (%desc, %ev_by_class);
my @lines = `/usr/sbin/auditconfig -lsevent`;
foreach (@lines) {
    chomp;
    # auditconfig -lsevent prints: name, event id, class list, description
    my ($eventname, $event_id, $classes, $description) = split(" ", $_, 4);
    $desc{$eventname} = $description;
    foreach my $class (split ',', $classes) {
        push(@{$ev_by_class{$class}},     $eventname);
        push(@{$ev_by_class{'+'.$class}}, $eventname.' success');
        push(@{$ev_by_class{'-'.$class}}, $eventname.' failed');
    }
}

#
# learn about the audit state of this process
#
$_ = `/usr/sbin/auditconfig -getpinfo $$`;
/mask = (.+)\(/;
my @mask = split(",", $1);

#
# print out each class, and the audit events within that class
#
foreach (@mask) {
    my ($class) = /(..)$/;      # drop a leading + or - qualifier
    print "$_:\n";
    foreach my $ev (@{$ev_by_class{$class}}) {
        print "  $ev\t$desc{$ev}\n";
    }
}
1;
When run, the script outputs:
    # what_events_are_audited
    +ex:
      AUE_EXEC      exec(2)
      AUE_EXECVE    execve(2)
    lo:
      AUE_login     login - local
      AUE_logout    logout
      AUE_telnet    login - telnet
      AUE_rlogin    login - rlogin
      AUE_rshd      rsh access
      AUE_su        su
      AUE_rexecd    rexecd
      AUE_passwd    passwd
      AUE_rexd      rexd
      AUE_ftpd      ftp access
All users are audited, including root. With flags:lo,+ex, only successful exec(2)/execve(2) calls (the + prefix selects successes) and login/logout events (both successful and failed, since lo carries no prefix) are recorded; because naflags is empty, non-attributable events are not recorded at all.
The binary audit log (usually stored in /var/audit) is translated to ASCII using Chris' own version of the praudit program, which adds a blank line between events. A sample of the log is available.
Analyzing BSM audit logs
A perl script, reduce.pl, parses the log and tabulates the entries by
login (audit user) name and effective user id.
The output of reduce.pl sample.bsm.log.from.kanab is shown.
    %A% User commands from Tue Nov 11 16:39 to Tue Nov 11 16:43:34            Page 1

    login  eff.user  host   command                                    count
    root   root      kanab  /usr/bin/chmod                                 1
    root   root      kanab  /usr/bin/sh                                    1
    rowe   rowe      kanab  /usr/bin/clear                                23
    rowe   rowe      kanab  /usr/bin/date                                  5
    rowe   rowe      kanab  /usr/bin/tput                                 23
    wee    root      kanab  /home/wee/bin.sun4-solaris/praudit             4
    wee    root      kanab  /pkg/fileutils/sparc-sun-solaris2/bin/rm       4
    wee    root      kanab  /pkg/mh/sparc-sun-solaris2/bin/show            1
    wee    root      kanab  /usr/bin/col                                   2
    wee    root      kanab  /usr/bin/ls                                    3
    wee    root      kanab  /usr/bin/man                                   2
    wee    root      kanab  /usr/bin/more                                  2
    wee    root      kanab  /usr/bin/mv                                    2
    wee    root      kanab  /usr/bin/nroff                                 2
    wee    root      kanab  /usr/bin/sh                                    6
    wee    root      kanab  /usr/bin/showrev                               1
    wee    root      kanab  /usr/local/bin/man                             2
    wee    root      kanab  /usr/sbin/audit                                1
    wee    root      kanab  /usr/sbin/auditconfig                          1
    wee    root      kanab  /usr/sbin/praudit                              1

BSM records the audit user id along with the real and effective user ids of each event; the login column above is the audit user id, which is fixed at login and survives su, which is why wee's commands run as root are still attributed to wee. For each exec the full pathname of the executable and its disk device number and i-node number are recorded.
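For readers without a Solaris host, here is an added Python example (not Chris' reduce.pl or his praudit) that performs the same reduction over praudit-style ASCII records: it splits the blank-line-separated events, counts successful execs by login, effective user, host and command, pulls the device/inode triple out of the attribute token, and lists the events where the effective user differs from the login. The records are constructed, and the token field order (subject fields as audit-uid, uid, gid, ruid, rgid, pid, sid, tid; attribute fields as mode, uid, gid, fsid, inode, device) is assumed from Solaris 2.x praudit output; check it against your own praudit before trusting the column indices.

```python
# Added example (not the page's reduce.pl): tabulate praudit-style ASCII
# records by login (audit uid), effective user, host and executed command,
# and list the records in which the effective user differs from the login.
# The records below are constructed.  Their layout (one comma-separated
# token per line, a blank line between events, subject fields in the order
# audit-uid,uid,gid,ruid,rgid,pid,sid,tid) is assumed from praudit output
# on Solaris 2.x; verify it against your own praudit.
from collections import Counter

SAMPLE_LOG = """\
header,97,2,execve(2),,Tue Nov 11 16:39:12 1997, + 120 msec
path,/usr/bin/ls
attribute,100555,bin,bin,32,11237,0
subject,wee,root,root,root,root,2048,2048,0 0 kanab
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:39:20 1997, + 340 msec
path,/usr/bin/clear
attribute,100555,bin,bin,32,11012,0
subject,rowe,rowe,staff,rowe,staff,2051,2051,0 0 kanab
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:39:21 1997, + 10 msec
path,/usr/bin/clear
attribute,100555,bin,bin,32,11012,0
subject,rowe,rowe,staff,rowe,staff,2052,2052,0 0 kanab
return,success,0

header,69,2,login - local,,Tue Nov 11 16:40:02 1997, + 5 msec
subject,rowe,rowe,staff,rowe,staff,2060,2060,0 0 kanab
return,success,0
"""


def parse_records(text):
    """Split the blank-line-separated events into dicts of token -> fields.
    If a token type repeats within one event, the first occurrence is kept."""
    records = []
    for chunk in text.strip().split("\n\n"):
        tokens = {}
        for line in chunk.splitlines():
            name, _, rest = line.partition(",")
            tokens.setdefault(name, rest.split(","))
        records.append(tokens)
    return records


def subject_fields(rec):
    """(login, effective user, host) from the subject token; the host is
    the last word of the terminal id field."""
    subj = rec["subject"]
    return subj[0], subj[1], subj[7].split()[-1]


def exec_summary(records):
    """Count successful exec events by (login, eff.user, host, command),
    the columns of the reduce.pl table above."""
    counts = Counter()
    for rec in records:
        event = rec["header"][2]
        if not event.startswith("exec") or rec["return"][0] != "success":
            continue
        login, euser, host = subject_fields(rec)
        counts[(login, euser, host, rec["path"][0])] += 1
    return counts


def exec_inodes(records):
    """Map each executed path to the (fsid, inode, device) triples recorded
    in its attribute token; a second triple for the same path means the
    binary at that path was replaced between executions."""
    seen = {}
    for rec in records:
        if "path" in rec and "attribute" in rec:
            attr = rec["attribute"]
            seen.setdefault(rec["path"][0], set()).add((attr[3], attr[4], attr[5]))
    return seen


def privilege_transitions(records):
    """Records whose effective user differs from the login: these are the
    rows such as 'wee root kanab ...' in the table above."""
    out = []
    for rec in records:
        login, euser, host = subject_fields(rec)
        if login != euser:
            out.append((login, euser, host, rec.get("path", ["-"])[0]))
    return out


def format_table(counts):
    """Render the counts in the same column order as reduce.pl."""
    fmt = "%-8s %-9s %-8s %-40s %5s"
    lines = [fmt % ("login", "eff.user", "host", "command", "count")]
    for key, n in sorted(counts.items()):
        lines.append(fmt % (key + (n,)))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(format_table(exec_summary(recs)))
    for row in privilege_transitions(recs):
        print("uid change: %s -> %s on %s running %s" % row)
```

The login record is parsed but skipped by exec_summary, so the table shows two rows (rowe running clear twice, wee running ls once as root), and privilege_transitions returns only the wee-to-root event.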
Check the sizes of active BSM audit logs on several hosts.
Compressibility of the audit logs

The log file names are start.stop.hostname timestamps, so the period each
file covers can be read off the name. The "compressed size" column is the
compressed file as a percentage of the uncompressed one.

    Filename                               period     uncompressed   compressed   compressed size   ratio
    --------                               ------     ------------   ----------   ---------------   -----
    19971111011254.19971113222607.erebus   ~3 days       2,561,186      316,917             12.4%   8.1-fold
    19971112004333.19971113012941.kanab    ~1 day        2,671,975      286,899             10.7%   9.3-fold
    19970820004403.19971113005718.tallac   ~85 days     15,972,361    1,263,572              7.9%   12.6-fold

Other profiling efforts
Steven and Scott are also performing other types of logging.