> Hi,
> I am installing the Real Secure Server Sensors, and have run into a
> problem with BSM & SSH. Is anyone else having a problem with their
> Solaris systems & BSM? The problem is that when you use SSH to get
> into the Solaris systems, and modify the crontab, the crontab becomes
> corrupt. Is there a work-around? Here are the docs about the
> problem.
>
> Debbie Harvey
> Security Operations

Bug ID: 4732421
Synopsis: Using Fsecure SSH to login to Solaris 8 System corrupts crontab.
Date: 27 Aug 2002
Category: c2_bsm
Subcategory: utility
State: closed
SunSolve: <http://sunsolve.sun.com/private-cgi/retrieve.pl?doc=bug%2Fc2_bsm%2Futility%2F4732421&zone_32=cron%20%22Solaris%208%22&wholewords=on>

Description
When using Fsecure SSH to login to server, crontab becomes corrupt and cron jobs fail. Crontab has a UID (first line of crontab.au) of 4294967294. This only occurs when BSM is enabled and .au files are subsequently created for each id that has a crontab in /var/spool/cron/crontabs.

Work Around
Use telnet or console to login, edit crontab (no real changes necessary), and wq! out. This sets the UID back to a valid number.

Integrated in Releases: (none)
Duplicate of: 4457028 <http://sunsolve.sun.com/private-cgi/retrieve.pl?type=0&doc=bug%2Fc2_bsm%2Futility%2F4457028>
Patch ID: (none)
See Also: (none)

DOC 2: 27064 Learn BSM/C2/SunShield in 5 minutes, 12 Jun 2001
<http://sunsolve.sun.com/private-cgi/retrieve.pl?doc=finfodoc%2F27064&zone_32=BSM>

Learn BSM/C2/SunShield in 5 minutes: This is an extremely basic introduction to using the Basic Security Module, designed for the engineer who has never used BSM and cringes at the sound of it. Know the difference between accounting and auditing? No? Well, this is auditing.

FLAGS:
BSM records data based on audit classes. These classes and their corresponding flags are defined in the file /etc/security/audit_class.
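A quick way to check whether a system has already been hit by the symptom the bug report describes, as an added example (not part of the Sun bug report): scan a crontabs directory for .au files whose first line is the bogus UID 4294967294. It assumes the first line of each .au file is the bare numeric UID, as the description states, and uses a constructed sample directory in place of /var/spool/cron/crontabs.

```sh
# Added example: find crontab .au files carrying the invalid UID from
# bug 4732421. 4294967294 is 2^32 - 2, i.e. (uid_t)-2, not a real user.
# Assumption: the first line of a crontab .au file is the bare numeric UID.
BAD_UID=4294967294

find_corrupt_crontab_au() {
  # $1: crontabs directory (/var/spool/cron/crontabs on a live system)
  # prints the basename of every .au file whose first line is $BAD_UID
  for _f in "$1"/*.au; do
    [ -f "$_f" ] || continue
    _uid=$(sed -n 1p "$_f" | tr -d ' \t\r')
    if [ "$_uid" = "$BAD_UID" ]; then
      printf '%s\n' "${_f##*/}"
    fi
  done
  return 0
}

# Constructed sample directory standing in for /var/spool/cron/crontabs:
# one corrupted entry (milo) and two healthy ones.
SAMPLE_CRONTABS=$(mktemp -d)
printf '%s\n' "$BAD_UID" > "$SAMPLE_CRONTABS/milo.au"
printf '%s\n' 0          > "$SAMPLE_CRONTABS/root.au"
printf '%s\n' 100        > "$SAMPLE_CRONTABS/debbie.au"

find_corrupt_crontab_au "$SAMPLE_CRONTABS"
```

Any name it prints is a crontab to fix with the console/telnet edit-and-wq! workaround above.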
One example of a flag and its meaning (from the audit_control man page) is:

    lo  login_logout  Login and logout events

There is a special flag 'all' that means 'all events'. Flags can be qualified with:

    +  (meaning 'successful')
    -  (meaning 'failed')
    ^  (meaning 'except')

Thus:

    +lo       means successful login and logout events
    -lo       means failed login and logout events
    all,^+lo  means all events except successful logins and logouts

SYSTEM WIDE EVENTS:
In order to audit system-wide events, you need to add the flags that represent the events you wish to audit to the /etc/security/audit_control file. The audit_control file is read by the audit daemon when auditing is enabled. Here is the default:

    #
    # Copyright (c) 1988 by Sun Microsystems, Inc.
    #
    #ident @(#)audit_control.txt 1.3 97/06/20 SMI
    #
    dir:/var/audit
    flags:
    minfree:20
    naflags:lo

This says that data will be stored in the directory /var/audit, no flags are set, and when only 20 percent of the audit space is still available a warning script will be run to notify the administrator to archive or delete data. So, in order to log all login and logout activity, we would want to change the flags line to:

    flags:lo

USER LEVEL EVENTS:
If we want to log events of a specific user, we need to edit the /etc/security/audit_user file. This file takes the form:

    username:always-audit-flags:never-audit-flags

where always-audit-flags are the flags specifying event classes we wish to always audit (for username), and never-audit-flags are the flags specifying events that we wish to never audit (for username). Thus:

    milo:lo:+fr

means whatever the system-wide policy is, for milo always log login and logout events, but never log successful file reads.

ENABLING AND DISABLING BSM:
Enabling BSM requires that you go into single-user mode. In single-user mode:

    # cd /etc/security
    # ./bsmconv

Once this is done, boot the system normally.
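The flag syntax above is terse enough that an empty flags: line is easy to miss in review. As an added example (not from the Sun InfoDoc), the shell functions below expand a flag list such as all,^+lo into one plain line per class and extract the flags: value from an audit_control file, so a host whose system-wide policy audits nothing stands out. The audit_control sample is constructed to match the default shown above.

```sh
# Added example: expand BSM audit flag lists and read the flags: line.
explain_audit_flags() {
  # $1: comma-separated flag list, e.g. "all,^+lo"
  _old_ifs=$IFS; IFS=','
  for _tok in $1; do
    _neg=no; _which="successful and failed"
    # a leading ^ turns the class off (except) instead of on
    case $_tok in "^"*) _neg=yes; _tok=${_tok#"^"} ;; esac
    # + selects only successful events, - only failed ones
    case $_tok in
      "+"*) _which=successful; _tok=${_tok#"+"} ;;
      "-"*) _which=failed;     _tok=${_tok#"-"} ;;
    esac
    if [ "$_neg" = yes ]; then
      printf 'except %s %s events\n' "$_which" "$_tok"
    else
      printf 'audit %s %s events\n' "$_which" "$_tok"
    fi
  done
  IFS=$_old_ifs
}

audit_control_flags() {
  # $1: path to an audit_control file; prints whatever follows "flags:"
  sed -n 's/^flags:[[:space:]]*//p' "$1"
}

# Constructed sample mirroring the Solaris 8 default (flags: left empty).
SAMPLE_AUDIT_CONTROL=$(mktemp)
cat >"$SAMPLE_AUDIT_CONTROL" <<'EOF'
dir:/var/audit
flags:
minfree:20
naflags:lo
EOF

if [ -z "$(audit_control_flags "$SAMPLE_AUDIT_CONTROL")" ]; then
  echo "audit_control: no system-wide flags set; only naflags apply"
fi
explain_audit_flags 'all,^+lo'
```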
To disable BSM, use the bsmunconv script and reboot:

    # cd /etc/security
    # ./bsmunconv
    # init 6

VIEWING AUDIT DATA:
This is the most confusing part of auditing. BSM doesn't store its data in easy-to-read ASCII files like syslog has accustomed us to. BSM uses files that contain binary data, stores them in the directory specified in the audit_control file (/var/audit by default), and gives them cryptic names like:

    yyyymmddhhmm.yyyymmddhhmm.hostname
    199905191639.199905191646.bonus-cup

The first field is the start date and time, the second is the date and time the file was terminated, and the last is the hostname being audited. If a data file has not yet been terminated, the filename would look something like:

    199905191639.not_terminated.bonus-cup

Since these files contain binary data, you must use specific utilities in order to get any useful information out of them. The most common is the command praudit. To get all the entries out of a specific file, you can use:

    # praudit 199905191639.199905191646.bonus-cup

To make the output quite a bit more readable, use the -l flag. This converts the record type and event fields to ASCII (thanks!) and puts one record on one line:

    # praudit -l 199905191639.199905191646.bonus-cup

Usually we don't want to have to decode those cryptic filenames; we just want to query all of the logs. To do this, we can use the auditreduce command. To see all logged events:

    # auditreduce | praudit -l

auditreduce will also let us be very specific about our queries.
For instance, if we wanted to see only login and logout events we can do:

    # auditreduce -c lo | praudit -l

Other parameters used with auditreduce are the following:

    -c  Event class
    -u  Real UID
    -a  Events occurring after the specified time
    -b  Events occurring before the specified time
    -e  Effective UID
    -g  Real GID
    -f  Effective GID

To see all of the login and logout events by user milo, we could do:

    # auditreduce -u milo -c lo | praudit -l

To see all of the login and logout events by user milo that occurred on or after May 19th 1999:

    # auditreduce -a 19990519 -u milo -c lo | praudit -l

And finally, to see all of the login and logout events by user milo that occurred during the month of December 1998:

    # auditreduce -a 19981201 -b +31d -u milo -c lo | praudit -l

FOR MORE INFORMATION:
See the SunSHIELD Basic Security Module Guide (in book form or on docs.sun.com), infodoc # 14313, and check out the man pages for:

    praudit(1M)
    auditreduce(1M)
    bsmconv(1M)
    auditd(1M)
    audit_control(4)
    audit_user(4)

Applies To: Network Security, Network - Internet, OS Administration/Utilities, Tools/Diagnostics
Attachments: (none)
INFODOC ID: 27064
