Monitoring user commands using BSM audit logs

    Christopher Wee

    Configuration of BSM
    Chris configured Solaris BSM audit logging on hosts k6, spurr, erebus, kanab, tallac and rainier using the standard procedure.

    First, run bsmconv, then edit /etc/security/audit_control:

    dir:/var/audit
    flags:lo,+ex
    minfree:5
    naflags:
    
    and /etc/security/audit_user:
    #
    # User Level Audit User File
    #
    # File Format
    #
    #	username:always:never
    #
    root:lo,+ex:no
    
    Finally, reboot.

    Status of audit logging
    The auditconfig program provides all sorts of information about the current state of logging. A Perl wrapper around it helps format the most useful information.

    The script builds a small database of event names, ids, descriptions and class types. Then it uses "auditconfig -getpinfo $$" to determine the pre-selection mask of the current process. Finally, it prints out the events that are members of the classes being logged.

    What events are being logged?

    #!/usr/local/bin/perl
    # Christopher Wee, wee@cs.ucdavis.edu
    # $Id$
    #
    # Print the audit classes in this process's pre-selection mask and the
    # audit events that belong to each class.
    
    #
    # build a class to event mapping from "auditconfig -lsevent", whose
    # lines read: event-name event-id class-list description
    #
    @lines = `/usr/sbin/auditconfig -lsevent`;
    my $event_id;
    foreach (@lines) {
      chomp;
      ($eventname, $event_id, $classes, $description) = split(" ",$_,4);
      $desc{$eventname} = $description;
      foreach $class (split ',',$classes) {
        push(@{$ev_by_class{$class}}, $eventname);
        # "+class" pre-selects successes only, "-class" failures only
        push(@{$ev_by_class{'+'.$class}}, $eventname.' success');
        push(@{$ev_by_class{'-'.$class}}, $eventname.' failed');
      }
    }
    
    #
    # learn about the audit state of this process; the mask line of
    # "auditconfig -getpinfo" reads "mask = <class-list>(...)"
    #
    $_ = `/usr/sbin/auditconfig -getpinfo $$`;
    /mask = (.+)\(/;
    @mask = split(",",$1);
    
    #
    # print out each class, and the audit events within that class
    # (the two-character class name is taken from the end of each mask
    # entry, so a leading + or - does not change which events are listed)
    #
    foreach $_ (@mask) {
      ($class) = /(..)$/;
      print "$_:\n";
      foreach $ev (@{$ev_by_class{$class}}) {
        print "  $ev\t$desc{$ev}\n";
      }
    }
    
    1;
    

    When run, the script outputs:

    # what_events_are_audited
    +ex:
      AUE_EXEC      exec(2)
      AUE_EXECVE    execve(2)
    lo:
      AUE_login     login - local
      AUE_logout    logout
      AUE_telnet    login - telnet
      AUE_rlogin    login - rlogin
      AUE_rshd      rsh access
      AUE_su        su
      AUE_rexecd    rexecd
      AUE_passwd    passwd
      AUE_rexd      rexd
      AUE_ftpd      ftp access
    

    All users are logged, including root. Only successful execv(2) system calls (the +ex flag) and logins/logouts (the lo flag) are logged.

    The binary-format audit log (usually stored in /var/audit) is translated to ASCII using Chris' own version of the praudit program, which adds a blank line between events. A sample of the log is available.

    Analyzing BSM audit logs
    A Perl script, reduce.pl, parses the log and tabulates the entries according to the login (audit) user name and the effective user id.

    The output of running reduce.pl on sample.bsm.log.from.kanab is shown below.

    %A% User commands from Tue Nov 11 16:39 to Tue Nov 11 16:43:34	Page   1
    login    eff.user host     command                                         count
    root     root     kanab    /usr/bin/chmod                                    1
    root     root     kanab    /usr/bin/sh                                       1
    rowe     rowe     kanab    /usr/bin/clear                                   23
    rowe     rowe     kanab    /usr/bin/date                                     5
    rowe     rowe     kanab    /usr/bin/tput                                    23
    wee      root     kanab    /home/wee/bin.sun4-solaris/praudit                4
    wee      root     kanab    /pkg/fileutils/sparc-sun-solaris2/bin/rm          4
    wee      root     kanab    /pkg/mh/sparc-sun-solaris2/bin/show               1
    wee      root     kanab    /usr/bin/col                                      2
    wee      root     kanab    /usr/bin/ls                                       3
    wee      root     kanab    /usr/bin/man                                      2
    wee      root     kanab    /usr/bin/more                                     2
    wee      root     kanab    /usr/bin/mv                                       2
    wee      root     kanab    /usr/bin/nroff                                    2
    wee      root     kanab    /usr/bin/sh                                       6
    wee      root     kanab    /usr/bin/showrev                                  1
    wee      root     kanab    /usr/local/bin/man                                2
    wee      root     kanab    /usr/sbin/audit                                   1
    wee      root     kanab    /usr/sbin/auditconfig                             1
    wee      root     kanab    /usr/sbin/praudit                                 1
    
    BSM records the audit user id and the real and effective user ids. For each exec, the full pathname, disk device number and i-node number of the executable are recorded.
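    The reduce.pl script itself is not reproduced on this page. As an added illustration (not Chris' reduce.pl, and not part of the original page), the following Python program performs the same reduction over praudit's ASCII output: it reads blank-line-separated records, takes the event name and time from the header token, the executable from the path token, the audit user id, effective uid and host from the subject token, and the outcome from the return token, then counts successful exec events per (login, eff.user, host, command) in the same column layout as the table above. The sample log embedded below is constructed to look like praudit's default comma-delimited output; the field positions assumed for the subject token (audit-uid, uid, gid, ruid, rgid, pid, sid, tid) are as documented for praudit, and the trailing host name inside the tid field is taken from the sample rather than validated against a live system.

```python
"""Tabulate successful exec events from praudit-style ASCII audit output.

Added example; not the reduce.pl described on the page. Assumes the default
comma-delimited praudit record layout with one blank line between records.
"""
import re
from collections import Counter

# Constructed sample log (not a real capture): one login, several execs,
# one failed exec that should not be counted.
SAMPLE_LOG = """\
header,69,2,login - local,,Tue Nov 11 16:39:00 1997, + 0 msec
subject,rowe,rowe,staff,rowe,staff,4400,4400,0 0 kanab
text,successful login
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:39:12 1997, + 401 msec
path,/usr/bin/clear
attribute,100555,bin,bin,8388614,17432,0
subject,rowe,rowe,staff,rowe,staff,4401,4400,0 0 kanab
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:40:02 1997, + 15 msec
path,/usr/bin/ls
attribute,100555,bin,bin,8388614,17200,0
subject,wee,root,other,root,other,4512,4510,0 0 kanab
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:40:30 1997, + 7 msec
path,/usr/bin/ls
attribute,100555,bin,bin,8388614,17200,0
subject,wee,root,other,root,other,4513,4510,0 0 kanab
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:41:05 1997, + 88 msec
path,/usr/bin/clear
attribute,100555,bin,bin,8388614,17432,0
subject,rowe,rowe,staff,rowe,staff,4402,4400,0 0 kanab
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:41:41 1997, + 3 msec
path,/usr/bin/nosuchprog
subject,wee,root,other,root,other,4514,4510,0 0 kanab
return,failure: No such file or directory,-1

header,97,2,execve(2),,Tue Nov 11 16:42:10 1997, + 60 msec
path,/usr/sbin/praudit
attribute,100555,root,sys,8388614,19001,0
subject,wee,root,other,root,other,4515,4510,0 0 kanab
return,success,0

header,97,2,execve(2),,Tue Nov 11 16:43:34 1997, + 2 msec
path,/usr/bin/sh
attribute,100555,root,root,8388614,16100,0
subject,root,root,root,root,root,4600,4600,0 0 kanab
return,success,0
"""

EXEC_EVENTS = {"exec(2)", "execve(2)"}


def parse_records(text):
    """Yield one dict per audit record; records are separated by a blank line."""
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        rec = {"paths": []}
        for line in chunk.splitlines():
            fields = line.split(",")
            kind = fields[0]
            if kind == "header":
                # header,length,version,event-name,modifier,time, + msec
                rec["event"] = fields[3]
                rec["time"] = fields[5].strip()
            elif kind == "path":
                rec["paths"].append(fields[1])
            elif kind == "subject":
                # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid (tid ends in host)
                rec["login"] = fields[1]   # audit user id survives su(1M)
                rec["euid"] = fields[2]    # effective uid at the time of the exec
                rec["ruid"] = fields[4]
                rec["host"] = fields[8].split()[-1]
            elif kind == "return":
                rec["status"] = fields[1]
        yield rec


def reduce_execs(text):
    """Return (first_time, last_time, Counter keyed by (login, euid, host, command))."""
    counts = Counter()
    first = last = None
    for rec in parse_records(text):
        t = rec.get("time")
        if t:
            first = first or t
            last = t
        # +ex pre-selects successful execs only; skip other events and failures
        if rec.get("event") not in EXEC_EVENTS or rec.get("status") != "success":
            continue
        if not rec["paths"] or "login" not in rec:
            continue  # malformed record: no executable path or no subject token
        counts[(rec["login"], rec["euid"], rec["host"], rec["paths"][0])] += 1
    return first, last, counts


def format_table(text):
    """Render the tabulation in the same column layout as the page's sample."""
    first, last, counts = reduce_execs(text)
    lines = [f"User commands from {first} to {last}",
             f"{'login':<8} {'eff.user':<8} {'host':<8} {'command':<48} count"]
    for (login, euid, host, cmd), n in sorted(counts.items()):
        lines.append(f"{login:<8} {euid:<8} {host:<8} {cmd:<48} {n:>5}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(SAMPLE_LOG))
```

    Run against a real praudit dump, the keying on the audit user id rather than the effective uid is what makes the "wee / root" rows above attributable to the person who logged in, even though every command ran as root after su; the failed exec is dropped so that the counts match the +ex pre-selection.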

    Check the sizes of active BSM audit logs on several hosts.

    Compressibility of the audit logs

    Filename                                uncompressed   compressed   reduction
    --------                                ------------   ----------   ---------
    19971111011254.19971113222607.erebus       2,561,186      316,917   12.4%, 8-fold
      (approx. 2 days' worth)
    19971112004333.19971113012941.kanab        2,671,975      286,899   10.7%, 10-fold
    19970820004403.19971113005718.tallac      15,972,361    1,263,572   7%, 12-fold
    
    Other profiling efforts
    
    Steven and Scott are also performing other types of logging.
    • Unix process accounting logs (Steven Templeton)
    • NT 4.0 audit logs (Scott Miller)