FQDN is the fully qualified domain name of the system.  For example...if your system is known as tester...and the domain name is cyberia.com..then the FQDN for this system would be tester.cyberia.com and that would appear in your /etc/hosts file as such:

10.0.0.12       tester.cyberia.com      cyberia

(whatever the IP address is should replace that 10.0.0.12)

as for the flags and auditing...once you have enabled bsmconv..there are specific files that need to be addressed:

The main configuration file for auditing is /etc/security/audit_control, in this file we set which classes of events we want to generate audit records and where we want those records to go.

Example: "Login" Events
To record the "login" events for all users add the class `lo` to the "flags:" line of /etc/security/audit_control. The login events are created by login (telnet, rsh, rlogin), dtlogin, in.ftpd, su, rexd, in.uucpd. For example: 


dir:/var/audit
flags: lo
minfree: 20
naflags:

*****************************************

The "flags" section pertains to the specific audit_classes that you wish to log.  Unless you are mandated to run your systems as C2, then you would most likely only be interested in failed and successful login attempts...including SU.  If you are curious, look into the file /etc/security/audit_class, this file lists all of the possible audit flags that can be listed in the "flags" section.  Sometimes BSM is picky about flags and may still log them even if they are not in the "flags" section.  To work around this, it is a best practice to enter the audit flags that you do NOT wish to log in the "naflags" section in the /etc/security/audit_control file:

dir:/var/audit
flags: lo
minfree: 20
naflags:

 
 
Refer to the /etc/security/audit_class file for what to enter in the line.  Since you are already logging all failed and successful login attempts...you can probably safely put "all" in the "naflags" field:
 
 
naflags: all
 
 
If you are feeling adventurous, go ahead and just leave the "naflags" field empty and have only "lo" in the "flags" section and give that a try.
 
The last file to look out for is the one that almost everyone misses.  Once again, unless you are a mandated C2 shop and are required to log every user command, you can wipe out any entries in the /etc/security/audit_user file.  By default there is an entry for "root" in this file.  Just comment this out.  Once you have your entries in place in the audit_control file, you can stop and start the auditd daemon: "/etc/init.d/auditd stop" & "/etc/init.d/auditd start"
 
The last step is to make sure that the audit flags that you are auditing in your BSM are matched on the ISS Real Secure side.  In the policy for the system you are working with...customize the policy in the Workgroup manager and find the OS tab.  Under the Solaris section there is a User Defined Events and then Audit Policy and the User Defined Audit Policy (something like that).  In this section there are the specific audit flags that you are asking the BSM module to pass over to the Real Secure Console.  Since you are only auditing logins and su, you should only have to have "3" boxes checked:
 
AUE_login
AUE_logout
AUE_su
 
If any other boxes are checked, they should be unchecked, unless you go into the /etc/security/audit_control file and add the appropriate audit flags in the "flags" section and then match those with the boxes you check in the policy on Real Secure.
 
I hope that helps out somewhat?
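A small POSIX shell check for the settings discussed in the message above, added here as an example (it is not part of Tim's message nor any ISS or Solaris tool): it writes constructed /etc/hosts, audit_control and audit_user samples to a temp directory (the hosts line uses "tester" as the alias) and provides functions that look up the FQDN for a short hostname, read one key from audit_control, confirm that only the lo class is audited, and count active audit_user entries.

```shell
# Added example, not code from the thread: sanity-check the FQDN, audit_control
# and audit_user settings discussed above against constructed sample files.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/hosts sample: host "tester" in domain cyberia.com (as in the thread).
cat > "$WORK/hosts" <<'EOF'
127.0.0.1       localhost
10.0.0.12       tester.cyberia.com      tester   loghost
EOF
# Constructed audit_control sample with only the login class audited.
cat > "$WORK/audit_control" <<'EOF'
# audit_control (constructed sample)
dir:/var/audit
flags: lo
minfree:20
naflags: all
EOF
# Constructed audit_user sample with the default root entry commented out.
cat > "$WORK/audit_user" <<'EOF'
# root:lo:no
EOF

# Print the FQDN (first name containing a dot) from the hosts line that carries
# the given short hostname as an alias; prints nothing if no such line exists.
fqdn_for_host() {  # $1 = hosts file, $2 = short hostname
    awk -v h="$2" '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if ($i == h)
            for (j = 2; j <= NF; j++) if (index($j, ".")) { print $j; exit }
    }' "$1"
}
# Print the value of a key in audit_control, skipping comments and tolerating
# an optional blank after the colon ("flags: lo" and "flags:lo" both work).
audit_control_value() {  # $1 = audit_control file, $2 = key
    awk -F: -v k="$2" '$1 !~ /^#/ && $1 == k {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}
# Succeed only when the login class alone is audited and everything else is
# excluded, which is the configuration recommended in the message above.
audit_control_login_only() {  # $1 = audit_control file
    [ "$(audit_control_value "$1" flags)" = "lo" ] &&
    [ "$(audit_control_value "$1" naflags)" = "all" ]
}
# Count active (non-comment, non-blank) per-user entries in audit_user.
audit_user_active_entries() {  # $1 = audit_user file
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}
```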
-----Original Message-----
From: Claudia Patricia Prada G [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 8:57 AM
To: Slighter, Tim
Subject: RE: [ISSForum] Server Sensor Solaris


First Thanks for your help
Now could you explain to me what FQDN is?  And where can I find the naflags?


Claudia
-----Original Message-----
From: Slighter, Tim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 08:39 a.m.
To: 'Claudia Patricia Prada G'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Server Sensor Solaris


Did you look at your /var/adm/messages and /var/log/syslog files to see if
you can locate any errors?  If you are running the sendmail daemon and do
require that it is used, you should correct your FQDN issue by placing a
FQDN in your /etc/hosts file and restarting the sendmail daemon.  Otherwise
you can just kill the sendmail daemon.  My guess is that the influx of
syslog errors being generated by sendmail is killing the auditd daemon.
Perhaps you could investigate your flags for auditing in
/etc/security/audit_control and make sure that only "-ad" "lo" are about the
only flags.   All the rest should be in the naflags.

-----Original Message-----
From: Claudia Patricia Prada G [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 08, 2002 5:04 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Server Sensor Solaris



Dear People:

I have installed a server sensor on Solaris 5.7. The communication with
the console is good,
but it has a problem with the auditd service of BSM: when I try to stop the
realsecure service
the server is blocked.

The following message appears:

#/etc/init.d/realsecure stop
Stopping the ISS Daemon service.....
CONDITION = auditing
Oct  8 04:38:16 cobtaaadc01 sendmail[640]: My unqualified host name (cobtaaadc01) unknown; sleeping for retry
/etc/security/original_audit_warn: Auditing has been turned off unexpectedly.
Oct  8 04:39:16 cobtaaadc01 sendmail[640]: unable to qualify my own domain name (cobtaaadc01) -- using short name
Oct  8 04:39:16 cobtaaadc01 sendmail[640]: unable to qualify my own domain name (cobtaaadc01) -- using short name

Do you know what happened?

Thanks for your help


Claudia Prada
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.394 / Virus Database: 224 - Release Date: 03/10/2002

_______________________________________________
ISSforum mailing list
[EMAIL PROTECTED]


