
Solaris Auditing Overview


by Russ Rogers - 11/18/99

The UNIX world takes a beating when it comes to security. NT system administrators claim that it is too open and provides too many opportunities for exploitation. UNIX *IS* open; it was meant to be open. The operating system was built on the premise of exchanging information, whereas Windows was initially built as a stand-alone business solution. UNIX has also been around for decades longer than Windows, so it has had more time to be scrutinized and abused.

Solaris is Sun Microsystems' addition to the UNIX world. Solaris is heavily used and provides excellent networking solutions for both the private sector and the government sector. One of the tools Sun supplies to help you keep tabs on your box is the Basic Security Module (BSM).

BSM is the auditing tool used by the Solaris operating system. It is highly configurable and meets the C2 requirements for auditing. The BSM files are located in the /etc/security directory. The first file you will want to look at is the audit_control file. This is where you, as the system administrator, define which events are audited on your machine.

Here is a sample audit_control file:

# more /etc/security/audit_control
dir: /var/audit
flags: pc,ad,ex
minfree:
naflags: lo

The first entry specifies WHERE your audit logs are written. Take note that these logs are NOT in ASCII format. Solaris supplies a program, praudit, that parses the binary audit logs for you.

The second entry specifies WHAT events you want audited. There are many flags that can be turned on or off. Here is the list of flags:

no      =       no_class
fr      =       file_read
fw      =       file_write
fa      =       file_attr_acc
fm      =       file_attr_mod
fc      =       file_creation
fd      =       file_deletion
dl      =       file_close
pc      =       process
nt      =       network
ip      =       ipc
na      =       non_attrib
ad      =       administrative
lo      =       login_logout
ap      =       application
io      =       ioctl
ex      =       exec
to      =       other
all     =       all

The third entry specifies how much disk space (as a percentage) must remain free for auditing to continue. If nothing is specified here, the default is 0%. Once free space drops to this minimum, the auditing function runs the /etc/security/audit_warn script. You should edit this script to perform whatever actions you deem necessary.

The last entry is what flags to NOT audit.
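Before running bsmconv it is worth checking the audit_control file for the mistakes that silently weaken auditing: an empty minfree (so audit_warn never runs until the disk is already full), a flag that names no audit class (a typo in flags: leaves that class unaudited), or a dir: that does not exist. The script below is an added example, not code from the article or from Sun. It reads the class names from an audit_class(4) style file (mask:name:description) rather than hardcoding the table above, so on a real host it follows whatever /etc/security/audit_class defines; the sample files here are constructed in a temp directory, and the audit_class subset uses placeholder mask values because only the name column is read. One point worth knowing while reading it: audit_control(4) defines naflags as the classes audited for events that cannot be attributed to a user (a failed login before a user name is established, for instance), which is why lo is the usual value there, so the checker validates naflags against the same class list as flags.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight check for
# audit_control. Class names come from an audit_class(4) style file
# (mask:name:description). Sample files are constructed in a temp dir;
# on a real host pass /etc/security/audit_control and
# /etc/security/audit_class instead.

# Emit the two-letter class names from an audit_class file, one per line.
load_classes() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | cut -d: -f2
}

# Check a comma-separated flag list such as "pc,ad,-lo" against the known
# classes. A leading +, - or ^ (successes only, failures only, remove the
# class) is legal and is stripped before the lookup.
check_flags() {
    cf_label=$1; cf_list=$2; cf_classes=$3
    echo "$cf_list" | tr ',' '\n' | while read -r f; do
        [ -n "$f" ] || continue
        base=$(printf '%s' "$f" | sed 's/^[-+^]*//')
        case " $cf_classes " in
            *" $base "*) ;;
            *) echo "WARN: $cf_label: unknown audit class '$f'" ;;
        esac
    done
}

# Print one WARN line per problem found in an audit_control file.
check_audit_control() {
    ctl=$1
    classes=$(load_classes "$2" | tr '\n' ' ')
    dir=''; flags=''; naflags=''; minfree=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip trailing comments
        key=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*:}"  | tr -d ' \t')
        case $key in
            '')      ;;
            dir)     dir=$val ;;
            flags)   flags=$val ;;
            naflags) naflags=$val ;;
            minfree) minfree=$val ;;
            *)       echo "WARN: unknown keyword '$key'" ;;
        esac
    done < "$ctl"
    [ -n "$dir" ] || echo "WARN: no dir: entry, nowhere to write the trail"
    [ -z "$dir" ] || [ -d "$dir" ] || echo "WARN: audit dir '$dir' does not exist"
    [ -n "$flags" ] || echo "WARN: flags: is empty, no attributable events are audited"
    check_flags flags "$flags" "$classes"
    check_flags naflags "$naflags" "$classes"
    # Empty or missing minfree means 0%: audit_warn fires only at disk full.
    if [ -z "$minfree" ]; then
        echo "WARN: minfree unset, defaults to 0% (audit_warn runs only at disk full)"
    else
        case $minfree in
            *[!0-9]*) echo "WARN: minfree '$minfree' is not a number" ;;
            *) [ "$minfree" -le 100 ] || echo "WARN: minfree '$minfree' exceeds 100%" ;;
        esac
    fi
}

# Construct the article's sample audit_control (dir pointed at a temp
# directory that exists), a deliberately broken variant, and a small
# audit_class subset with placeholder masks. Prints the temp dir path.
make_samples() {
    tmp=$(mktemp -d)
    mkdir "$tmp/audit"
    cat > "$tmp/audit_class" <<'EOF'
# mask:name:description  (masks are placeholders; only names are used)
0x1:no:no_class
0x2:fr:file_read
0x4:fw:file_write
0x8:pc:process
0x10:ad:administrative
0x20:lo:login_logout
0x40:ex:exec
0xff:all:all
EOF
    printf 'dir: %s/audit\nflags: pc,ad,ex\nminfree:\nnaflags: lo\n' \
        "$tmp" > "$tmp/audit_control"
    printf 'dir: %s/missing\nflags: pc,xx,-lo\nminfree: 150\nnaflags: lo\n' \
        "$tmp" > "$tmp/audit_control.bad"
    echo "$tmp"
}

# Run the checker over both samples: sh check_audit_control.sh demo
if [ "${1-}" = demo ]; then
    d=$(make_samples)
    for c in audit_control audit_control.bad; do
        echo "== $c =="; check_audit_control "$d/$c" "$d/audit_class"
    done
    rm -rf "$d"
fi
```

Against the article's own sample the only finding is the empty minfree; the broken variant additionally trips the missing directory, the unknown class xx and the out-of-range minfree. Piping the output through wc -l gives a count you can fail a build or a change ticket on.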

Now that BSM is configured, run /etc/security/bsmconv to set the system up for auditing. It will then tell you to reboot the system. Once rebooted, you should see an audit log in /var/audit/ whose name has the form datetimestarted.not_terminated.machinename. As files are closed out, either manually or automatically, the "not_terminated" portion of the filename is replaced with the date and time the file was closed out.

Auditing is relatively simple to start, but you should be aware of the disk space that can be consumed if auditing is left running unchecked. This applies to all versions of UNIX running an auditing function. As I mentioned before, these audit files are in binary format. You can translate them into human-readable form using the commands supplied with each OS's audit function. For Solaris, this command is praudit. For HP-UX, the command is audisp.
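The file naming described above is enough to keep an eye on both problems from a script: which trail is live, whether an older not_terminated trail was left behind by an unclean shutdown, and how many bytes the directory holds against the minfree threshold. The script below is an added example, not code from the article or from Sun. It assumes the Solaris trail name <start>.<end>.<host> with <start> and <end> as 14-digit GMT timestamps (YYYYMMDDhhmmss) and the literal not_terminated as <end> for the trail still being written; the sample trails and the host name solbox are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original article: inventory a BSM audit
# directory by file name. Assumes trail names <start>.<end>.<host> with
# 14-digit timestamps, and not_terminated as <end> for the live trail.
# Sample files are constructed; on a real host point the functions at the
# dir: entry from audit_control.

# Print one line per file: STATE START END HOST BYTES, or SKIP for files
# that do not follow the trail naming scheme.
list_trails() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        start=${name%%.*}
        rest=${name#*.}
        end=${rest%%.*}
        host=${rest#*.}
        case $start in
            *[!0-9]*|'') echo "SKIP $name (not an audit trail name)"; continue ;;
        esac
        if [ ${#start} -ne 14 ] || [ -z "$host" ] || [ "$host" = "$rest" ]; then
            echo "SKIP $name (not an audit trail name)"; continue
        fi
        if [ "$end" = not_terminated ]; then state=OPEN; else state=CLOSED; fi
        bytes=$(wc -c < "$f" | tr -d ' ')
        echo "$state $start $end $host $bytes"
    done
}

# Trails still marked not_terminated. Exactly one is expected while the
# audit daemon is writing; any older one was never closed (for example
# after an unclean shutdown) and should be rotated and archived with
# the rest. praudit reads it like any other trail.
count_open_trails() {
    list_trails "$1" | grep -c '^OPEN '
}

# Total bytes held by all trails, to watch against the minfree threshold.
total_trail_bytes() {
    list_trails "$1" | awk '$1 == "OPEN" || $1 == "CLOSED" { s += $5 } END { print s + 0 }'
}

# Construct a sample trail directory: one closed trail, the live trail, a
# stale not_terminated trail from the previous day, and an unrelated file.
# Prints the temp dir path.
make_sample_dir() {
    tmp=$(mktemp -d)
    printf 'xxxx'   > "$tmp/19991118120000.19991118180000.solbox"   # closed, 4 bytes
    printf 'xxxxxx' > "$tmp/19991118180000.not_terminated.solbox"   # live, 6 bytes
    printf 'xx'     > "$tmp/19991117090000.not_terminated.solbox"   # stale, 2 bytes
    : > "$tmp/README"                                                # ignored
    echo "$tmp"
}

# Report on the sample directory: sh trails.sh demo
if [ "${1-}" = demo ]; then
    d=$(make_sample_dir)
    list_trails "$d"
    echo "open trails: $(count_open_trails "$d") (more than one means a stale trail)"
    echo "total bytes: $(total_trail_bytes "$d")"
    rm -rf "$d"
fi
```

The sample directory reports two open trails (the live one plus the stale one from the day before) and 12 bytes in total; on a production box the same two numbers, checked from cron, catch a stuck trail and a filling audit partition before audit_warn has to.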

For more information, I recommend reading the man pages; I have yet to find any truly authoritative books on OS-specific audit functions.