> Gary Winiger wrote:
> > ...
> >> For example, are there any C2 audit events that collect
> >> information like this?
> >>
> >
> > We like to call it Solaris Audit, C2 is very last century ;-)
> >
> > Anyhow, a slight revision to what Jan said. If all you want
> > is failed login attempts, then all you need in audit_control(4)
> > is naflags:lo. If you want both successful and failed,
> > then flags:lo is also needed.
> >
> > To set things up, you still need to run bsmconv(1M) and reboot.
> > Configure audit_control as noted. If this is all the audit
> > you're collecting, you could get away without running auditreduce.
> > The command Jan showed will get you just sshd logins. If you care
> > about all logins/su/screenlocks/... just run praudit to convert
> > the binary to human (un)readable. If you're looking for just the
> > IP address, praudit -r gets that untranslated. For IP addresses
> > that can't be mapped to host names, praudit without the -r will
> > just put them out in dot (or colon) form.
> >
>
> So we have event collection courtesy of Solaris Audit (:-) but
> what do we have for taking action when said events occur?
I thought you asked the how to collect question, not the real time alarming question.

> Or for that matter, a series of events?
>
> And how would this be done in real time?

You'd write an auditd plugin. Real time alarming (i.e. noticing a set of events and taking some action) is a future project. Unless you're looking to do it as part of IPFilter.....

> It seems that auditd is writing the files but I can't see which
> API would be used to read the data it writes?

Cause there is no public API. The data format is Stable and documented.

I'm not sure this helps you in the short term. You wanted to know about collecting data with Solaris Audit....... Depending on how real time you want to get, scripting using all the public (CLI) interfaces will get you reasonably close.

Gary..
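One way to do the "scripting using the public CLI interfaces" that the thread ends on, as an added example that is not from this thread or from Solaris itself: the script below takes `praudit -l` one-record-per-line output (assumed to be produced from a trail collected with naflags:lo in audit_control), counts failed login records per source address using the subject token's terminal id, and flags sources above a threshold. The sample records and their exact token layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed logins per source address from praudit(1M)
# output and flag sources above a threshold. Assumes `praudit -l` (one
# record per line, comma-separated tokens), a subject token laid out as
# subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid with the terminal id
# "port machine address", and a return token of "return,failure: ...".
# On a Solaris host with naflags:lo in audit_control the live form would be:
#   auditreduce -c lo | praudit -l | flag_sources 5
# (not run here; the records below are constructed sample data).

SAMPLE='header,100,2,login - ssh,,host1,2007-03-01 10:00:01.000 -08:00,subject,-1,-1,-1,-1,-1,1201,1201,0 0 192.0.2.10,text,invalid password,return,failure: No account present for user,-1
header,100,2,login - ssh,,host1,2007-03-01 10:00:03.000 -08:00,subject,-1,-1,-1,-1,-1,1202,1202,0 0 192.0.2.10,text,invalid password,return,failure: No account present for user,-1
header,100,2,login - ssh,,host1,2007-03-01 10:00:06.000 -08:00,subject,-1,-1,-1,-1,-1,1203,1203,0 0 192.0.2.10,text,invalid password,return,failure: No account present for user,-1
header,100,2,login - ssh,,host1,2007-03-01 10:00:09.000 -08:00,subject,-1,-1,-1,-1,-1,1204,1204,0 0 198.51.100.7,text,invalid password,return,failure: No account present for user,-1
header,100,2,login - ssh,,host1,2007-03-01 10:01:00.000 -08:00,subject,alice,alice,staff,alice,staff,1205,1205,0 0 192.0.2.10,text,successful login,return,success,0'

# Read praudit -l records on stdin; print "count address" for every source
# address that produced at least one failed login, busiest first.
failed_logins_by_addr() {
    awk -F, '
        /,return,failure/ {
            tid = ""
            # locate the subject token; its 8th field is the terminal id
            for (i = 1; i <= NF; i++) if ($i == "subject") { tid = $(i + 8); break }
            if (tid == "") next
            n = split(tid, part, " ")      # last word is the address (or name)
            count[part[n]]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -rn
}

# Print only the addresses whose failed-login count reaches the threshold $1.
flag_sources() {
    failed_logins_by_addr | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | flag_sources 3
```

Resolvable addresses show up as host names in this non-raw praudit form, as the thread notes; the count still keys on the last word of the terminal id either way.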