Alisha,

I've just checked the decoder.xml and solaris_bsm_rules.xml. It looks like this ruleset is based on the syslog output capability in Solaris 10. Now, in my first e-mail I said you'd be done after pointing OSSEC to the syslog file. Looking at the rules file, it is very basic. It will all depend on the level of auditing you are doing/plan to do.

In my humble opinion, audit trails serve a special purpose in an incident response process. You should at all times be able to guarantee integrity there. I don't believe this can be done if you store this information in clear text somewhere (additionally, the syslog or stream data occupies about 4 times as much disk space as its binary counterpart!). I monitor systems closely with OSSEC and whenever necessary review audit files within certain periods of time using the native audit tools of Solaris (auditreduce, praudit). I also suggest shipping logs regularly to a vault system after taking a hash of them (shipping the hash to a different system). I might be too paranoid :-)

If you want, don't hesitate to discuss this further off the list.

Kind Regards,
Wim

On 17 Dec 2009, at 17:16, Alisha Kloc wrote:

> Hi Wim,
>
> Thanks for the link!
>
> Does that mean that there is no way to do this at all on Solaris
> machines earlier than 10? (We have a variety.)
>
> Cheers,
> -Alisha
>
>
> On Dec 17, 5:38 am, Wim Remes <[email protected]> wrote:
>> Alisha,
>>
>> Solaris (10 only!) has an option to dump BSM logs to syslog.
>> http://www.cuddletech.com/blog/pivot/entry.php?id=647
>>
>> Configure this, point OSSEC to the syslog (format is obviously syslog)
>> and you're done.
>>
>> Cheers,
>>
>> Wim
>>
>>
>>
>> On Wed, Dec 16, 2009 at 11:37 PM, Alisha Kloc <[email protected]> wrote:
>>> Hello,
>>>
>>> Are there instructions anywhere for setting up OSSEC to read Solaris
>>> BSM audit logs? As of v. 1.5, OSSEC lists support for Solaris BSM, and
>>> I've found posts by people who say they are doing it, but nowhere can
>>> I find instructions on how to actually make it happen.
>>>
>>> Can I just point OSSEC at the directory where BSM stores its binary
>>> logs? If so, what log format must be specified in the <log_format> tag
>>> in the configuration file? Or do I need a script which translates BSM
>>> binary logs to another format? If so, what options/tags/commands/etc.
>>> are needed to get the records formatted correctly in the output file,
>>> so that OSSEC can parse the logs?
>>>
>>> Thanks in advance for your help!
>>> -Alisha
>>
>> --
>> Wim Remes
>> Security Aficionado
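Wim's suggestion of shipping audit files to a vault after hashing them, with the hash kept on a separate system, as an added POSIX shell example that is not part of this thread. The vault and hash directories are local stand-ins for the two remote systems, the function names are assumptions, and the audit file name in the usage is constructed in the Solaris `<start>.<end>.<host>` style.

```shell
#!/bin/sh
# Added example (not from the thread): archive a Solaris BSM audit trail file
# into a vault directory and record its SHA-256 digest in a separate location,
# then verify an archived copy against the recorded digest.
# On Solaris the input would typically be the binary file written by auditd
# (or a time-sliced extract produced by auditreduce); the archival step does
# not depend on the file format, which is the point: the binary trail is
# kept as-is and only its digest travels elsewhere.

# Print the SHA-256 of a file using whichever tool the host provides
# (sha256sum on Linux, digest on Solaris, openssl as a fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v digest >/dev/null 2>&1; then
        digest -a sha256 "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# ship_audit_file FILE VAULT_DIR HASH_DIR
# Copies FILE into VAULT_DIR and writes "<sha256>  <basename>" into HASH_DIR.
# In practice HASH_DIR lives on a different host than VAULT_DIR, so that
# tampering with the vault also requires tampering with the hash store.
ship_audit_file() {
    _f=$1; _vault=$2; _hashes=$3
    _name=$(basename "$_f")
    mkdir -p "$_vault" "$_hashes" || return 1
    _sum=$(file_sha256 "$_f") || return 1
    cp -p "$_f" "$_vault/$_name" || return 1
    printf '%s  %s\n' "$_sum" "$_name" > "$_hashes/$_name.sha256"
}

# verify_audit_file VAULT_FILE HASH_DIR
# Returns 0 if the archived file still matches its recorded digest,
# 1 if the digest differs or no digest was recorded for it.
verify_audit_file() {
    _vf=$1; _hashes=$2
    _name=$(basename "$_vf")
    _recorded=$(cut -d' ' -f1 "$_hashes/$_name.sha256" 2>/dev/null) || return 1
    _actual=$(file_sha256 "$_vf") || return 1
    [ -n "$_recorded" ] && [ "$_recorded" = "$_actual" ]
}
```

A cron job on the audited host can call `ship_audit_file` against each closed trail file, and a review (or OSSEC integrity check) on the vault can call `verify_audit_file` before the file is handed to auditreduce/praudit.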
