
Certification Objective 5.02–Generate an Audit Trail and Analyze the Audit Data

After you preconfigure and start the auditing subsystem, you'll need to analyze log files regularly, whether that means viewing the audit records of a particular system program (for example, login), the records of an entire class of events (for example, lo), or creating a complete audit trail. Managing log files could fill an entire chapter, so we'll address only the specifics the examination requires.

We'll start with the bsmrecord command and use it to display the format of a particular audit record as well as the formats of all audit records for a program or a class. To display all audit record formats, issue the bsmrecord -a command. For convenience, you can also have all record formats written as HTML that you can open with any web browser for easy browsing; to do so, add the -h option and redirect the output to a file, like so: bsmrecord -a -h > audit.formats.html. Finally, to display the audit record formats of a particular program or class, use the -p program and -c class options, respectively, where program is the name of the program and class is the name of the class. For example, to display all audit record formats of the login program, issue the bsmrecord -p login command. To display all audit record formats of the lo class of events, execute the bsmrecord -c lo command.

Exam Watch 

For the exam, remember that the bsmrecord command should be used to display record formats of a program and class. For example, issue the bsmrecord -a command to display all records.

Binary audit files can be merged to create an audit trail. This is especially useful during incident response or when tracing a suspected intruder. The auditreduce command is used to merge the files into a single output source, thus creating an audit trail. To do this, follow these steps:

  1. Log in with an account that has root privileges, or use the su command to become superuser. Additionally, you can assume a role that includes the Audit Review profile.

  2. Create an audit trail directory with limited access permissions:

    mkdir audit-trail-1
    chmod 700 audit-trail-1
    
  3. From the audit trail directory, merge binary audit records into a single audit trail output source using auditreduce -Uoption -O suffix, where Uoption can be one of the following:

    • An uppercase A to select all files

    • C to select only complete files

    • M to select only files with a particular suffix

    • O to create the audit file with the suffix specified as suffix in the current directory (includes timestamp for start and end time)

Here's an example: auditreduce -A -O all-files

The auditreduce command also accepts lowercase filtering options in the following format: auditreduce -loption argument optional-file.

The praudit command is used to view binary audit files. What's more, for your convenience it can be combined with the auditreduce command, separated by the pipe character ( | ). The praudit command accepts the following options:

For example, we could issue the following command to view a specific audit file:

praudit audit-file | more

where audit-file is the name of the file.

We could also issue the following command to display all lo class audit records in short format:

auditreduce -c lo | praudit -s

For more information on the complete usage of bsmrecord, auditreduce, and praudit, be sure to read their man pages.
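The triage step that naturally follows the auditreduce | praudit pipeline above, as an added example that is not from the book: a POSIX shell/awk summary of failed logins per user. It runs over a constructed approximation of praudit's default output (one comma-separated token per line, records running from a header token to its return token, long token names rather than the -s short form); a real record carries more tokens and fields, and the code relies only on the token name, the header's event type, the subject's audit user and the return verdict. The function names login_failures, count_login_failures and users_over_threshold are this example's own. On a Solaris host the constructed sample is replaced by the output of auditreduce -c lo | praudit.

```shell
#!/bin/sh
# Added example, not from the book: summarize failed logins from the text that
# "auditreduce -c lo | praudit" produces. SAMPLE is a constructed approximation
# of praudit's default output (one comma-separated token per line; a record
# runs from a header token to its return token). Real records carry more
# tokens and fields; this code relies only on field 1 (token name), header
# field 4 (event type), subject field 2 (audit user) and return field 2 (verdict).
SAMPLE='header,69,2,login - local,,2005-08-03 16:46:27.204 -07:00
subject,alice,alice,staff,alice,staff,2312,2312,0 0 hosta
return,success,0
header,69,2,login - local,,2005-08-03 16:47:01.101 -07:00
subject,bob,bob,staff,bob,staff,2340,2340,0 0 hosta
return,failure: Authentication failed,-1
header,69,2,login - local,,2005-08-03 16:47:09.555 -07:00
subject,bob,bob,staff,bob,staff,2341,2341,0 0 hosta
return,failure: Authentication failed,-1
header,69,2,logout,,2005-08-03 17:02:40.000 -07:00
subject,alice,alice,staff,alice,staff,2312,2312,0 0 hosta
return,success,0'

# login_failures: read praudit text on stdin and print "COUNT USER" for every
# user with at least one failed login record, most failures first.
login_failures() {
    awk -F, '
        $1 == "header"  { ev = $4; user = "" }   # new record: keep its event type
        $1 == "subject" { user = $2 }            # audit user of the record
        $1 == "return"  {                        # verdict closes the record
            if (ev ~ /^login/ && user != "" && $2 !~ /^success/) fail[user]++
        }
        END { for (u in fail) print fail[u], u }' | sort -rn
}

# count_login_failures USER: failed logins for one user (0 when none).
count_login_failures() {
    login_failures | awk -v who="$1" '$2 == who { print $1; seen = 1 }
                                      END { if (!seen) print 0 }'
}

# users_over_threshold N: users with N or more failed logins, one per line.
users_over_threshold() {
    login_failures | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed sample; on Solaris, replace the printf
# with: auditreduce -c lo | praudit | login_failures
printf '%s\n' "$SAMPLE" | login_failures
```

The awk state machine treats each header token as the start of a record and the return token as its end, so records with extra tokens between them are summarized correctly; anything whose event type does not begin with "login" (the logout record in the sample, for instance) is ignored.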

Two-Minute Drill

Here are some of the key points from the certification objectives in Chapter 5.

Configure Solaris Auditing and Customize Audit Events

  • Events that are capable of creating audit logs include system startup and shutdown, login and logout, identification and authentication, privileged rights usage, permission changes, process and thread creation and destruction, object creation and manipulation, application installation, and system administration.

  • The audit_control file can be modified to preselect audit classes and customize audit procedures.

  • The audit policy is automatically started in the audit_startup script.

  • The audit_warn script generates e-mail to an alias called audit_warn. You can change the alias by editing the /etc/security/audit_warn file and changing the e-mail alias in the script at entry ADDRESS=audit_warn, or by redirecting the audit_warn e-mail alias to a different account.

  • When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.

  • To audit efficiently, Sun recommends randomly auditing only a small percentage of users at any one time, compressing files, archiving older audit logs, monitoring in real time, and automatically increasing unusual event auditing.

  • In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events should be audited for all users on the system.

  • You can manually issue the bsmrecord command to add events that should be audited.

  • The audit_event file is the event database that defines which events are part of classes you can audit.

  • The audit event numbers—with the exception of 0, which is reserved as an invalid event number—are 1–2047 for Solaris Kernel events, 2048–32767 for Solaris programs (6144–32767 also includes SunOS 5.X user-level audit events), and 32768–65535 for third-party applications.

  • The audit_user file defines specific users and classes of events that should always or never be audited for each user.

  • Syslog audit files should never be placed in the same locations as binary data.

  • Syslog files should be monitored and archived regularly to accommodate potentially extensive outputs.

Generate an Audit Trail and Analyze the Audit Data

  • Execute the bsmconv script to enable and disable the auditing service.

  • Issue the audit -s command to refresh the kernel, and use the auditconfig -conf command to refresh the auditing service.

  • To display audit records formats, use the bsmrecord command.

  • To merge audit files into a single output source to create an audit trail, use the auditreduce command.

Self Test

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, because there might be more than one correct answer. Choose all correct answers for each question. Some questions are fill-in-the-blank and short-answer questions to ensure you have a good understanding of the material.

Configure Solaris Auditing and Customize Audit Events

1. Which configuration file specifies the primary and secondary audit directories?

  A. audit_control

  B. audit_startup

  C. audit_warn

  D. audit_user

  E. All of the above


2. How would you manually set the minimum free disk space for an audit file before a warning is sent?


3. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the ______________.


4. In the audit_control file, which arguments define what attributable and nonattributable events should be audited for the entire system?

  A. flags

  B. minfree

  C. dir:

  D. naflags

  E. All of the above


5. You can specify events that should be audited by using the bsmrecord command.

  A. True

  B. False


6. Which configuration file specifies classes of events that should always or never be audited for each user?

  A. audit_control

  B. audit_startup

  C. audit_warn

  D. audit_user

  E. All of the above


7. Which of the following are events that are capable of creating audit logs?

  A. Privileged rights usage

  B. Object creation and destruction

  C. Permission changes

  D. Process creation and destruction

  E. Thread creation and destruction

  F. All of the above


8. Which of these techniques can be implemented for the most efficient auditing while still adhering to security prioritizations?

  A. Auditing only a small percentage of users at any one time

  B. Compressing files

  C. Archiving older audit logs

  D. Monitoring in real time

  E. Automatically increasing unusual event auditing

  F. All of the above


9. With regard to the Solaris auditing subsystem, what is the directory of last resort?


10. With regard to classes of events, the audit_event file is the event database that can be read to find out which events are part of classes you can audit. Which event numbers are available for third-party TCB applications?

  A. 1–2047

  B. 2048–32767

  C. 6144–32767

  D. 32768–65535

  E. All of the above


11. Which of these techniques can be used to set up a warning alias, which is the e-mail account that will receive warnings generated from the audit_warn script, such as when the minimum free-space level is reached?

  A. Redirecting the audit_warn e-mail alias to the appropriate account

  B. Edit the /etc/security/audit_warn file by changing the e-mail alias in the script at entry ADDRESS=audit_warn

  C. Edit the audit_control file in your text editor and modify the minfree entry by specifying the audit_warn e-mail alias

  D. All of the above


12. With regard to classes of events, the audit_event file is the event database that can be read to find out which events are part of classes you can audit. Which event numbers are reserved for the Solaris kernel events?

  A. 1–2047

  B. 2048–32767

  C. 6144–32767

  D. 32768–65535

  E. All of the above


13. Syslog audit files should be placed in the same locations as binary data.

  A. True

  B. False


14. Which of the following can be executed to refresh the auditing service?

  A. audit -s

  B. auditconfig -conf

  C. bsmconv

  D. bsmrecord

  E. auditreduce

  F. All of the above


15. Which of the following can be executed to disable the auditing service?

  A. audit -s

  B. auditconfig -conf

  C. bsmconv

  D. bsmrecord

  E. auditreduce

  F. All of the above


Answers

1.

☑ A. The primary and secondary audit directories are specified in the audit_control file.

☒ B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates e-mail to an e-mail alias called audit_warn. D is wrong because the audit_user file defines specific users and classes of events that should always or never be audited for each user.

2.

☑ To set the minimum free disk space for an audit file before a warning is sent, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage. It's important first to save a backup of the original file before making changes. For example, to set the minimum free space level for all audit file systems so that a warning is sent when 15 percent of the file system is available, edit the audit_control file and modify the line item minfree:xx, where xx is a percentage less than 100.

3.

☑ When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy. Audit policy determines the characteristics of the audit records.

4.

☑ A and D. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument specifies nonattributable events) should be audited for the entire system—that is, all users on the system.

☒ B is wrong because the minfree argument is used to set the free space warning threshold, and C is incorrect because the dir: attribute is used to specify primary and secondary audit directories.

5.

☑ A. True. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument specifies nonattributable events) should be audited for the entire system—that is, all users on the system. Incidentally, you can specify events by using the bsmrecord command.

6.

☑ D. The audit_user file defines specific users and classes of events that should always or never be audited for each user.

☒ A is wrong because general configuration specifications such as the primary and secondary audit directories are specified in the audit_control file. B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates mail to an e-mail alias called audit_warn.

7.

☑ F. All of the answers are correct. Events that are capable of creating audit logs include system startup and shutdown, login and logout, identification and authentication, privileged rights usage, permission changes, process and thread creation and destruction, object creation and manipulation, application installation, and system administration.

8.

☑ F. All of the answers are correct. Sun recommends the following techniques for the most efficient auditing while still adhering to security prioritizations: For large networks with limited storage capacity, try randomly auditing a percentage of users at any one time. Perform routine audit file maintenance by reducing the disk-storage requirements by combining, removing, and compressing older log files. It's good practice to develop procedures for archiving the files, for transferring the files to removable media, and for storing the files offline. Monitor the audit data for unusual events in real time. Also set up procedures to monitor the audit trail for certain potentially malicious activities. Adhere to company policy and immediately execute mitigations with regard to substantiated malicious findings. Deploy a script to trigger an automatic increase in the auditing of certain users or certain systems in response to the detection of unusual or potentially malicious events.

9.

☑ A directory of last resort is a local audit directory that is used if the primary and all secondary audit directories become unavailable.

10.

☑ D. The event numbers available for third-party TCB applications are 32768–65535.

☒ A is wrong because 1–2047 is reserved for the Solaris kernel events. B is wrong because 2048–32767 is reserved for the Solaris TCB programs. C is wrong because 6144–32767 is used for SunOS 5.X user-level audit events.

11.

☑ A and B. Setting up a warning alias can be accomplished in two ways. The easiest method is to edit the /etc/security/audit_warn file by changing the e-mail alias in the script at entry ADDRESS=audit_warn, like so:

#
send_msg() {
        MAILER=/usr/bin/mailx
        SED=/usr/bin/sed
        LOGCMD="$LOGGER -p daemon.alert"
        ADDRESS=audit_warn              # standard alias for audit alerts

The second way is a little more complicated and requires redirecting the audit_warn e-mail alias to the appropriate account. To do so, add the audit_warn e-mail alias to the new alias file—in /etc/mail/aliases or the mail_aliases database in the name space—such as audit_warn: alertadmin.

☒ C is wrong because that procedure is used to set the free-space warning threshold manually.

12.

☑ A. The event numbers 1–2047 are reserved for the Solaris Kernel events.

☒ B is incorrect because 2048–32767 is reserved for the Solaris TCB programs. C is incorrect because 6144–32767 is used for SunOS 5.X user-level audit events. D is incorrect because 32768–65535 is available for third-party TCB applications.

13.

☑ B. False. The syslog text logs can generate massive log files, so be sure to monitor and archive them regularly. In addition, you should never store syslog audit files in the same location as binary data.

14.

☑ B. After you start the auditing service in a production environment, at times you may need to tweak the configuration to audit more classes or perhaps audit specific users more closely. After making changes, you'll need to update the auditing service. This simply restarts the auditd daemon, which in effect will apply the new configuration changes to the service. To refresh the auditing service, issue the auditconfig -conf command.

☒ A is wrong because that command is used to refresh the kernel. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

15.

☑ C. Run the bsmconv script to enable and disable the auditing service.

☒ A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

Generate an Audit Trail and Analyze the Audit Data

16. Which of the following can be used to display audit record formats?

  A. audit -s

  B. auditconfig -conf

  C. bsmconv

  D. bsmrecord

  E. auditreduce

  F. All of the above


17. Which of the following can be used to merge audit files into a single output source to create an audit trail?

  A. audit -s

  B. auditconfig -conf

  C. bsmconv

  D. bsmrecord

  E. auditreduce

  F. All of the above


Answers

16.

☑ D. The bsmrecord command can be used to display audit record formats.

☒ A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

17.

☑ E. The auditreduce command can be used to merge audit files into a single output source to create an audit trail.

☒ A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord

Lab Question

 

ABCD Inc. hired you to make the following Solaris auditing subsystem configurations:

  • Preselect audit classes. In this case, the attributable lo class events and nonattributable lo class events should be audited for all users on the system.

  • Specify the primary and secondary audit directories as well as the directory of last resort. The primary directory should be /var/audit/sysp/data, the secondary directory should be /var/audit/syss/data, and the directory of last resort should be /var/audit.

  • Set the minimum free disk space for an audit file to 30 percent before a warning is sent.

  • Configure syslog audit logs for classes lo and na.

  • Enable the auditing service.

  • After a few days of baseline auditing, merge audit files into a single output source (all-files) to create a sample audit trail in an audit-trail-sample directory.

What steps would you perform to provide the requested services?


Answers

 

Assuming everything is in order and you have the appropriate privileges, the first task that ABCD Inc. hired you to perform is to preselect audit classes—the attributable lo class events and nonattributable lo class events—to be audited for all users on the system. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events should be audited. After making a backup of the original file, the following modifications should be made:

flags:lo
naflags:lo

The next task involves specifying the primary and secondary audit directories as well as the directory of last resort. The primary directory should be /var/audit/sysp/data, the secondary directory should be /var/audit/syss/data, and the directory of last resort should be /var/audit. To do this, you need to modify the /etc/security/audit_control file again by adding the dir argument followed by the system primary, secondary, and optional last resort directory, one per line:

dir:/var/audit/sysp/data
dir:/var/audit/syss/data
dir:/var/audit

The third required task is to set the minimum free disk space for an audit file to 30 percent before a warning is sent. To do so, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage:

minfree:30

The fourth task is to configure syslog audit logs for classes lo and na. The binary and text audit data collection combination is accomplished with the syslog auditing plug-in, which is specified in the audit_control file. The plug-in is configured with the following format:

plugin:name=audit_syslog.so.1; p_flags=classes

where classes defines a subset of the audit classes of events that are indicated in the flags and naflags entries in the audit_control file. Following is an extract that includes the syslog plug-in:

plugin:name=audit_syslog.so.1; p_flags=-lo,-na

In this configuration extract, the flags and naflags attributes direct the auditing subsystem to audit all login, logout, and nonattributable events in the default binary format (classes lo and na as defined in the audit_event database). However, the plugin entry takes auditing a step further by instructing syslog to collect login and nonattributable event failures, indicated with the p_flags classes -lo and -na.

Now that you've preconfigured the auditing subsystem and saved the configuration as well as valid backups, as per the customer's requirements, the next step is to enable the service. To do so, bring down the system to single-user mode using the init 1 command. Next, in the /etc/security directory, run the bsmconv script to enable the auditing service, like so: ./bsmconv. Then bring the system back into multi-user mode using the init 6 command.

Finally, after a few days of baseline auditing, the customer has requested that you merge audit files into a single output source to create a sample audit trail in an audit-trail-sample directory. To do so, assume the appropriate privileges on the system and create the audit trail directory with limited access permissions:

mkdir audit-trail-sample
chmod 700 audit-trail-sample

From within the audit trail directory, merge binary audit records into a single audit trail output source using the auditreduce -A -O all-files command.
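The lab answer above edits audit_control by hand and trusts the result. As an added example that is not part of the book's lab answer, the following POSIX shell script writes the same settings to a file of the caller's choosing, checks that file against the lab's requirements before it is copied over /etc/security/audit_control, and performs the audit-trail directory step with a check of the resulting mode. The helper names (write_audit_control, ac_value, check_audit_control, prepare_trail_dir) are this example's own; the paths and values are the lab's. The final auditreduce merge is left as a comment because it can only run on the audited Solaris host.

```shell
#!/bin/sh
# Added example, not part of the book's lab answer. Writes the audit_control
# settings the lab asks for to a file of the caller's choosing, checks that
# file against the lab's requirements, and prepares the audit-trail directory.
# Helper names are this example's own; paths and values are the lab's.

# write_audit_control FILE: emit the lab configuration to FILE (not to
# /etc/security/audit_control; copy it there only after it passes the check).
write_audit_control() {
    cat > "$1" <<'EOF'
# constructed audit_control for the ABCD Inc. lab
dir:/var/audit/sysp/data
dir:/var/audit/syss/data
dir:/var/audit
flags:lo
naflags:lo
minfree:30
plugin:name=audit_syslog.so.1; p_flags=-lo,-na
EOF
}

# ac_value FILE KEY: print the value(s) of KEY (text after the first colon),
# one per line, skipping comments and blank lines.
ac_value() {
    awk -F: -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == key { sub(/^[^:]*:/, ""); print }' "$1"
}

# check_audit_control FILE: return 0 when FILE meets the lab requirements;
# otherwise print each failed check and return 1.
check_audit_control() {
    f=$1 rc=0
    [ "$(ac_value "$f" flags)" = "lo" ]   || { echo "flags must be lo"; rc=1; }
    [ "$(ac_value "$f" naflags)" = "lo" ] || { echo "naflags must be lo"; rc=1; }
    n=$(ac_value "$f" dir | wc -l)
    [ $((n)) -eq 3 ] || { echo "expected primary, secondary and last-resort dir: entries"; rc=1; }
    [ "$(ac_value "$f" dir | tail -n 1)" = "/var/audit" ] \
        || { echo "last dir: entry must be /var/audit"; rc=1; }
    mf=$(ac_value "$f" minfree)
    case $mf in
        ''|*[!0-9]*) echo "minfree must be a whole number"; rc=1 ;;
        *) [ "$mf" -ge 1 ] && [ "$mf" -le 99 ] \
               || { echo "minfree must be a percentage below 100"; rc=1; } ;;
    esac
    ac_value "$f" plugin | grep -q 'audit_syslog.so.1' \
        || { echo "syslog plug-in entry missing"; rc=1; }
    return $rc
}

# prepare_trail_dir DIR: the lab's mkdir/chmod 700 step, plus a check of the
# resulting mode before any merged audit data is written into it.
prepare_trail_dir() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *) echo "unexpected mode on $1"; return 1 ;;
    esac
}

# Stand-alone run in a scratch directory. The final merge step on the Solaris
# host is then: cd "$trail" && auditreduce -A -O all-files
work=${TMPDIR:-/tmp}/audit-lab.$$
mkdir -p "$work"
write_audit_control "$work/audit_control"
check_audit_control "$work/audit_control" && echo "audit_control passes"
prepare_trail_dir "$work/audit-trail-sample" && echo "trail directory ready"
rm -rf "$work"
```

Running check_audit_control against a candidate file before it replaces the live configuration catches the mistakes the exam questions revolve around: a missing dir: entry, a minfree value that is not a percentage, or a plugin line that is absent, each reported on its own line.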

