How to set up Auditing (BSM) with VAS on a Solaris 10 host
1. Set up /etc/security/audit_control. This file configures system-wide auditing: it determines which events are audited, when audit warnings are issued, and where the audit files are stored.
root@stewie # cat /etc/security/audit_control
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident @(#)audit_control.txt 1.4 00/07/17 SMI
#
dir:/var/audit
flags:lo
minfree:20
naflags:lo
In addition, if required, you can also set up /etc/security/audit_user. Per-user definitions are stored in the audit_user database; for the specified user, they modify the classes preselected in the audit_control file. Access to the audit_user database follows the rules for the password database in /etc/nsswitch.conf, so nsswitch.conf determines whether a local file or a name service database is used. A user's final audit preselection mask is the combination of that user's audit_user entry, if any, and the machine-specific audit flags in /etc/security/audit_control.
2. Enable the Basic Security Module (BSM)
echo y | /etc/security/bsmconv
3. Reboot the system (init 6)
4. Check that the audit daemon is running
root@stewie # ps -ef | grep audit
root 325 1 0 04:36:12 ? 0:00 /usr/sbin/auditd
5. Make su attempts in both directions: as root, su to the user; as the user, su back to root.
6. Using the auditreduce and praudit commands, look at any su attempts:
root@stewie # auditreduce -m AUE_su -r jsingh | praudit
file,2008-03-24 14:59:45.000 -03:00,
header,96,2,su,,stewie,2008-03-24 14:59:45.332 -03:00
subject,root,root,unix,jsingh,unix,8624,3596611297,896 131094 term09213.test.labidm.corp
text,success for user jsingh
return,success,0
header,96,2,su,,stewie,2008-03-24 15:13:21.515 -03:00
subject,root,root,unix,jsingh,unix,8696,3596611297,896 131094 term09213.test.labidm.corp
text,success for user jsingh
return,success,0
header,94,2,su,,stewie,2008-03-24 15:13:28.034 -03:00
subject,root,root,unix,jsingh,unix,8701,3596611297,896 131094 term09213.test.labidm.corp
text,success for user root
return,success,0
file,2008-03-24 15:13:28.000 -03:00,
root@stewie #
root@stewie # praudit -l /var/audit/20080324175939.not_terminated.stewie
file,2008-03-24 14:59:39.750 -03:00,/var/audit/20080324175906.20080324175939.stewie
header,96,2,su,,stewie,2008-03-24 14:59:39.621 -03:00,subject,root,root,root,root,root,8620,3596611297,896 131094 term09213.test.labidm.corp,text,success for user jsingh,return,success,0
header,96,2,su,,stewie,2008-03-24 14:59:45.332 -03:00,subject,root,root,unix,jsingh,unix,8624,3596611297,896 131094 term09213.test.labidm.corp,text,success for user jsingh,return,success,0
header,96,2,su,,stewie,2008-03-24 15:13:10.507 -03:00,subject,root,root,root,root,root,8692,3596611297,896 131094 term09213.test.labidm.corp,text,success for user jsingh,return,success,0
header,96,2,su,,stewie,2008-03-24 15:13:21.515 -03:00,subject,root,root,unix,jsingh,unix,8696,3596611297,896 131094 term09213.test.labidm.corp,text,success for user jsingh,return,success,0
header,94,2,su,,stewie,2008-03-24 15:13:28.034 -03:00,subject,root,root,unix,jsingh,unix,8701,3596611297,896 131094 term09213.test.labidm.corp,text,success for user root,return,success,0
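The records above are easy to read one at a time but awkward to review in bulk. The following script is an added example for this article (not code from the original page or from VAS): it parses both praudit formats shown above, the default one-token-per-line output of auditreduce | praudit and the one-record-per-line output of praudit -l, and summarizes su events by the audit ID in the subject token, the target user named in the text token, and the return status. It assumes an su record carries header, subject, text and return tokens and that the text token contains no commas. The sample inputs are the records above plus one constructed failure record, labelled as such in the code.

```python
"""Parse praudit(1M) output and summarize su events (added example)."""
from collections import Counter

# Keywords that open a new token in praudit output.
TOKEN_NAMES = {"file", "header", "subject", "text", "return", "trailer"}


def tokens_from_line(line):
    """Split one praudit line into (token_name, fields) pairs.

    A default-format line holds a single token; a `praudit -l` line holds
    every token of one record joined by commas, so a new token starts at
    each keyword.
    """
    tokens = []
    for field in line.rstrip("\n").split(","):
        if field in TOKEN_NAMES:
            tokens.append((field, []))
        elif tokens:
            tokens[-1][1].append(field)
    return tokens


def parse_praudit(output):
    """Return one dict per audit record found in praudit output."""
    records, rec = [], None
    for line in output.splitlines():
        for name, fields in tokens_from_line(line):
            if name == "header":
                # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
                rec = {"event": fields[2], "host": fields[4], "time": fields[5],
                       "audit_user": None, "real_user": None, "pid": None,
                       "text": "", "status": None}
                records.append(rec)
            elif rec is None or name == "file":
                continue  # file tokens delimit the trail, not a record
            elif name == "subject":
                # subject,<audit-ID>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
                rec["audit_user"], rec["real_user"], rec["pid"] = fields[0], fields[3], fields[5]
            elif name == "text":
                rec["text"] = ",".join(fields)
            elif name == "return":
                # return,<success | failure: errno text>,<value>
                rec["status"] = fields[0].split(":", 1)[0]
    return records


def summarize_su(records):
    """Count su records by (audit user, target user, status).

    The audit ID is fixed at login and survives su, so a record whose
    effective and real UIDs are both root still names the original login.
    """
    counts = Counter()
    for r in records:
        if r["event"] != "su":
            continue
        # su's text token reads "... for user <target>"
        target = r["text"].rsplit(" ", 1)[-1] if r["text"] else "?"
        counts[(r["audit_user"], target, r["status"])] += 1
    return counts


def failed_su(records):
    """Return (time, audit user, target) for every failed su record."""
    return [(r["time"], r["audit_user"], r["text"].rsplit(" ", 1)[-1])
            for r in records if r["event"] == "su" and r["status"] == "failure"]


# Sample input: the three records from the auditreduce | praudit output above.
SAMPLE_DEFAULT = """\
file,2008-03-24 14:59:45.000 -03:00,
header,96,2,su,,stewie,2008-03-24 14:59:45.332 -03:00
subject,root,root,unix,jsingh,unix,8624,3596611297,896 131094 term09213.test.labidm.corp
text,success for user jsingh
return,success,0
header,96,2,su,,stewie,2008-03-24 15:13:21.515 -03:00
subject,root,root,unix,jsingh,unix,8696,3596611297,896 131094 term09213.test.labidm.corp
text,success for user jsingh
return,success,0
header,94,2,su,,stewie,2008-03-24 15:13:28.034 -03:00
subject,root,root,unix,jsingh,unix,8701,3596611297,896 131094 term09213.test.labidm.corp
text,success for user root
return,success,0
file,2008-03-24 15:13:28.000 -03:00,
"""

# Sample input: two `praudit -l` lines from above plus one CONSTRUCTED
# failure record (the exact text su emits on failure may differ).
SAMPLE_LONG = """\
file,2008-03-24 14:59:39.750 -03:00,/var/audit/20080324175906.20080324175939.stewie
header,96,2,su,,stewie,2008-03-24 14:59:39.621 -03:00,subject,root,root,root,root,root,8620,3596611297,896 131094 term09213.test.labidm.corp,text,success for user jsingh,return,success,0
header,94,2,su,,stewie,2008-03-24 15:13:28.034 -03:00,subject,root,root,unix,jsingh,unix,8701,3596611297,896 131094 term09213.test.labidm.corp,text,success for user root,return,success,0
header,96,2,su,,stewie,2008-03-24 15:20:02.101 -03:00,subject,jsingh,jsingh,unix,jsingh,unix,8750,3596611298,896 131094 term09213.test.labidm.corp,text,bad password for user root,return,failure: Permission denied,-1
"""

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("-l", SAMPLE_LONG)):
        recs = parse_praudit(sample)
        print(label, "format:", len(recs), "records")
        for (who, target, status), n in sorted(summarize_su(recs).items()):
            print(f"  {who} -> {target}: {status} x{n}")
        for when, who, target in failed_su(recs):
            print(f"  FAILED su by {who} to {target} at {when}")
```

In practice the script would be fed the output of auditreduce -m AUE_su | praudit (or praudit -l on a trail file) on standard input; keying the summary on the audit ID rather than the effective UID is what lets you attribute a root session back to the login that opened it.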
Please note: Depending on your version of OpenSSH, you may also need to set UseLogin to yes in sshd_config (due to an OpenSSH defect).
7. The module used by praudit in PAM, pam_unix_cred.so.1, needs to be at the top of the auth stack in the /etc/pam.conf file. An sshd example is below.
sshd auth required pam_unix_cred.so.1 use_first_pass
sshd auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
sshd auth requisite /opt/quest/lib/security/$ISA/pam_vas3.so echo_return
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth required pam_unix_auth.so.1 use_first_pass
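A misordered stack is easy to miss on a host with many services in pam.conf. The following script is an added example for this article (not code from the original page or from VAS): it parses a Solaris pam.conf (service type control module [options]) and reports, for every service that has an auth stack, whether pam_unix_cred.so.1 is the first auth entry. pam_unix_cred.so.1 is the module that sets the process credentials, including the audit context, when pam_setcred(3PAM) walks the auth stack; if a sufficient module ahead of it satisfies the stack, it may never run for that session, which is why the article puts it first. The sample inputs are the sshd stack from the article and a constructed misordered stack, labelled as such in the code.

```python
"""Lint a Solaris /etc/pam.conf for pam_unix_cred.so.1 ordering (added example)."""
import os

AUDIT_CRED_MODULE = "pam_unix_cred.so.1"


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples.

    Comments, blank lines and lines with fewer than four fields are skipped.
    """
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 4:
            continue
        service, mtype, control, module = parts[:4]
        entries.append((service, mtype.lower(), control.lower(), module, parts[4:]))
    return entries


def auth_stack(entries, service):
    """The auth entries for one service, in file order."""
    return [e for e in entries if e[0] == service and e[1] == "auth"]


def audit_cred_position(entries, service):
    """1-based position of pam_unix_cred.so.1 in the service's auth stack,
    or None if absent. Module paths may be bare or absolute ($ISA paths as
    in the VAS lines above), so only the basename is compared."""
    for i, e in enumerate(auth_stack(entries, service), start=1):
        if os.path.basename(e[3]) == AUDIT_CRED_MODULE:
            return i
    return None


def check_all(text):
    """Map each service with an auth stack to True if pam_unix_cred.so.1
    is its first auth entry."""
    entries = parse_pam_conf(text)
    services = sorted({e[0] for e in entries if e[1] == "auth"})
    return {s: audit_cred_position(entries, s) == 1 for s in services}


def report(text):
    """One human-readable finding per service."""
    entries = parse_pam_conf(text)
    lines = []
    for service, ok in check_all(text).items():
        if ok:
            lines.append(f"{service}: OK, {AUDIT_CRED_MODULE} heads the auth stack")
            continue
        pos = audit_cred_position(entries, service)
        first = os.path.basename(auth_stack(entries, service)[0][3])
        where = f"entry {pos}" if pos else "absent"
        lines.append(f"{service}: {AUDIT_CRED_MODULE} is {where}; first auth module is {first}")
    return lines


# Sample input: the sshd auth stack exactly as given in the article.
GOOD_PAM_CONF = """\
# sshd auth stack with VAS, from the article
sshd auth required pam_unix_cred.so.1 use_first_pass
sshd auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
sshd auth requisite /opt/quest/lib/security/$ISA/pam_vas3.so echo_return
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth required pam_unix_auth.so.1 use_first_pass
"""

# Sample input: CONSTRUCTED misordering. The sufficient VAS module precedes
# pam_unix_cred.so.1 for sshd, and the login stack lacks the module entirely.
BAD_PAM_CONF = """\
sshd auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_unix_cred.so.1
sshd auth required pam_unix_auth.so.1 use_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
sshd account required pam_unix_account.so.1
"""

if __name__ == "__main__":
    for label, conf in (("article sshd stack", GOOD_PAM_CONF),
                        ("constructed misordered stack", BAD_PAM_CONF)):
        print(label)
        for line in report(conf):
            print(" ", line)
```

Run against the real file with open("/etc/pam.conf").read() in place of the samples; any service reported as not OK will produce su records without a usable audit identity until pam_unix_cred.so.1 is moved to the top of its auth stack.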
The above outline of steps is not a replacement for prudence on your own part in setting up auditing on Solaris 10 hosts. Please consult the Solaris Auditing section of System Administration Guide: Security Services (Sun Microsystems Documentation) for more details.
Another useful resource:
Solaris BSM Auditing
In some environments the audit logs have been observed to fill up rapidly with events on the QAS cache files:
/var/opt/quest/vas/vasd/vas_ident.vdb
/var/opt/quest/vas/vasd/vas_misc.vdb
/var/opt/quest/vas/vasd/vas_ns.vdb
This is caused by the fm (file attribute modify) audit class. One workaround is to remove event 30:AUE_FCNTL from the /etc/security/audit_event file; another is to audit only failed fm events by using -fm instead of fm in the flags line of /etc/security/audit_control. If neither change alters this behavior, open a ticket with Sun.