FQDN is the fully qualified domain name of the system. For example, if your system is known as tester and the domain name is cyberia.com, then the FQDN for this system would be tester.cyberia.com and that would appear in your /etc/hosts file as such:

10.0.0.12 tester.cyberia.com cyberia

(whatever the IP address is should replace that 10.0.0.12)
As for the flags and auditing: once you have enabled bsmconv, there are specific files that need to be addressed. The main configuration file for auditing is /etc/security/audit_control; in this file we set which classes of events we want to generate audit records for and where we want those records to go.
Example: "Login" Events

To record the "login" events for all users, add the class `lo` to the "flags:" line of /etc/security/audit_control. The login events are created by login (telnet, rsh, rlogin), dtlogin, in.ftpd, su, rexd, in.uucpd. For example:

dir:/var/audit
flags:lo
minfree:20
naflags:
*****************************************
The "flags" section pertains to the specific audit_classes that you wish to log. Unless you are mandated to run your systems as C2, you would most likely only be interested in failed and successful login attempts, including SU. If you are curious, look into the file /etc/security/audit_class; this file lists all of the possible audit flags that can be listed in the "flags" section. Sometimes BSM is picky about flags and may still log them even if they are not in the "flags" section. To work around this, it is a best practice to enter the audit flags that you do NOT wish to log in the "naflags" section in the /etc/security/audit_control file:
dir:/var/audit
flags: lo
minfree: 20
naflags:
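The two settings discussed above, the /etc/hosts entry that lets the short hostname be qualified and the class lists in /etc/security/audit_control, can be checked from a script. The following is an added example and is not code from the ISSForum thread, from ISS or from Sun; the file contents it creates are constructed samples modelled on the messages, and on a real Solaris host you would pass the real paths to the functions. One caveat on the advice above: in Solaris BSM the "naflags:" line names the classes audited for events that cannot be attributed to a user, which is why a default audit_control carries `lo` on both the flags and naflags lines; the functions below treat it as just another class list.

```shell
#!/bin/sh
# Added example, not code from the ISSForum thread or from ISS. It checks the
# /etc/hosts entry that gives the host an FQDN (so sendmail stops logging
# "unable to qualify my own domain name") and the flags:/naflags: lines of
# /etc/security/audit_control. All file contents written by make_samples are
# constructed samples; on a real Solaris host pass the real paths instead.

# hosts_has_fqdn FILE SHORTNAME
# Succeeds if some non-comment line of FILE carries a name of the form
# SHORTNAME.<domain>, which is what lets the short hostname be qualified.
hosts_has_fqdn() {
    awk -v short="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if (index($i, short ".") == 1 && length($i) > length(short) + 1)
                    ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# audit_control_has FILE KEYWORD CLASS
# Succeeds if the "KEYWORD:" line (flags or naflags) of an audit_control file
# lists CLASS. Classes are comma separated and may carry a +, - or ^ prefix
# (success only, failure only, negation); the prefix is ignored for the match.
audit_control_has() {
    awk -v key="$2" -v cls="$3" '
        index($0, key ":") == 1 {
            line = substr($0, length(key) + 2)
            n = split(line, f, ",")
            for (i = 1; i <= n; i++) {
                sub(/^[[:space:]]+/, "", f[i]); sub(/[[:space:]]+$/, "", f[i])
                sub(/^[+^-]+/, "", f[i])
                if (f[i] == cls) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# sendmail_unqualified FILE
# Prints the number of syslog lines in which sendmail complains that it cannot
# qualify the local hostname; a non-zero count is the symptom from the thread.
sendmail_unqualified() {
    grep -Ec 'sendmail\[[0-9]+\]: .*(unqualified host name|unable to qualify my own domain name)' "$1" || true
}

# make_samples
# Writes constructed sample files to a temp dir and prints the dir's path.
make_samples() {
    d=$(mktemp -d) || return 1
    # Good /etc/hosts: canonical FQDN first, short name as an alias.
    printf '127.0.0.1\tlocalhost\n10.0.0.12\ttester.cyberia.com\ttester\n' > "$d/hosts.good"
    # Bad /etc/hosts: only the short name, so sendmail cannot qualify it.
    printf '127.0.0.1\tlocalhost\n10.0.0.12\tcobtaaadc01\n' > "$d/hosts.bad"
    # audit_control: login events and failed administrative actions only.
    printf 'dir:/var/audit\nflags:lo,-ad\nminfree:20\nnaflags:lo\n' > "$d/audit_control"
    # Constructed syslog excerpt modelled on the lines quoted in the thread.
    cat > "$d/syslog" <<'EOF'
Oct  8 04:38:16 cobtaaadc01 sendmail[640]: My unqualified host name (cobtaaadc01) unknown; sleeping for retry
Oct  8 04:39:16 cobtaaadc01 sendmail[640]: unable to qualify my own domain name (cobtaaadc01) -- using short name
Oct  8 04:39:16 cobtaaadc01 sendmail[640]: unable to qualify my own domain name (cobtaaadc01) -- using short name
Oct  8 04:39:17 cobtaaadc01 auditd[311]: some unrelated message
EOF
    echo "$d"
}

# Stand-alone run: exercise the checks against the constructed samples.
demo() {
    d=$(make_samples) || return 1
    hosts_has_fqdn "$d/hosts.good" tester && echo "hosts.good: tester can be qualified"
    hosts_has_fqdn "$d/hosts.bad" cobtaaadc01 || echo "hosts.bad: cobtaaadc01 has no FQDN, sendmail will complain"
    audit_control_has "$d/audit_control" flags lo && echo "audit_control: login events (lo) are audited"
    audit_control_has "$d/audit_control" flags fr || echo "audit_control: file-read class (fr) is not audited"
    echo "sendmail qualification errors in syslog sample: $(sendmail_unqualified "$d/syslog")"
    rm -rf "$d"
}
demo
```

Run it as-is to see the checks against the samples, or source the file and call `hosts_has_fqdn /etc/hosts "$(hostname)"` and `audit_control_has /etc/security/audit_control flags lo` on the host you are troubleshooting.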
-----Original Message-----
From: Claudia Patricia Prada G [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 8:57 AM
To: Slighter, Tim
Subject: RE: [ISSForum] Server Sensor Solaris
First, thanks for your help.

Now, could you explain to me what FQDN is, and where can I find the naflags?

Claudia
-----Original Message-----
From: Slighter, Tim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 08:39 a.m.
To: 'Claudia Patricia Prada G'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Server Sensor Solaris
Did you look at your /var/adm/messages and /var/log/syslog files to see if you can locate any errors? If you are running the sendmail daemon and do require that it is used, you should correct your FQDN issue by placing an FQDN in your /etc/hosts file and restarting the sendmail daemon. Otherwise you can just kill the sendmail daemon. My guess is that the influx of syslog errors being generated by sendmail is killing the auditd daemon.

Perhaps you could investigate your flags for auditing in /etc/security/audit_control and make sure that "-ad" and "lo" are about the only flags. All the rest should be in the naflags.
-----Original Message-----
From: Claudia Patricia Prada G [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 08, 2002 5:04 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Server Sensor Solaris
Dear People:

I have installed a server sensor over Solaris 5.7. The communication with the console is good, but it has a problem with the auditd service of BSM: when I try to stop the realsecure service, the server is blocked. The following message appears:

#/etc/init.d/realsecure stop
Stopping the ISS Daemon service.....
CONDITION = auditing
Oct 8 04:38:16 cobtaaadc01 sendmail[640]: My unqualified host name (cobtaaadc01) unknown; sleeping for retry
/etc/security/original_audit_warn: Auditing has been turned off unexpectedly.
Oct 8 04:39:16 cobtaaadc01 sendmail[640]: unable to qualify my own domain name (cobtaaadc01) -- using short name
Oct 8 04:39:16 cobtaaadc01 sendmail[640]: unable to qualify my own domain name (cobtaaadc01) -- using short name

Do you know what happened?

Thanks for your help,

Claudia Prada
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.394 / Virus Database: 224 - Release Date: 03/10/2002
_______________________________________________
ISSforum mailing list
[EMAIL PROTECTED]
