One other note: neither system runs auditd in the local zone.

On May 18, 2007, at 9:18 AM, Robert Bailey wrote:
> There are a few differences, but should not matter with BSM.
>
> One is a U40 AMD, the other is a U80 SPARC.
> Both systems have a different (working) label_encodings file.
> One system (working) tracks arge in addition.
> One system has a secondary audit dir on zfs, but is not currently
> being used.
>
> /etc/security/audit_startup
> /usr/sbin/auditconfig -setpolicy +cnt,zonename,arge,argv,seq
> /usr/sbin/auditconfig -conf
> /usr/sbin/auditconfig -acon
>
> /etc/security/audit_control
> dir:/var/audit
> flags:lo,na,ad,ap
> minfree:20
> naflags:lo
> plugin: name=audit_syslog.so;p_flags=lo,+ad
>
> /etc/security/audit_user
> root:lo:no
> me:lo,ad,fd,fc,ex:no
>
> You asked for auditconfig -lspolicy, but I assume you meant
> auditconfig -getpolicy. Included both just in case.
>
>
> Working System U40
>
> [ifconfig -a]
> # ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> inet 127.0.0.1 netmask ff000000
> lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> zone SLALPHA
> inet 127.0.0.1 netmask ff000000
> lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> zone PUBLIC
> inet 127.0.0.1 netmask ff000000
> lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> zone SL
> inet 127.0.0.1 netmask ff000000
> lo0:4: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> zone SLBRAVO
> inet 127.0.0.1 netmask ff000000
> lo0:5: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> zone SLCHARLEY
> inet 127.0.0.1 netmask ff000000
> nge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
> index 2
> all-zones
> inet 192.168.15.99 netmask ffffff00 broadcast 192.168.15.255
> ether 0:14:4f:3b:8d:60
> nge0:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
> index 2
> inet 192.168.15.98 netmask ffffff00 broadcast 192.168.15.255
>
> [Loaded Policies]
> auditconfig -getpolicy
> audit policies = arge,argv,cnt,seq,zonename
>
> [List Available Policies]
> auditconfig -lspolicy
> policy string   description:
> ahlt            halt machine if it can not record an async event
> all             all policies
> arge            include exec environment args in audit recs
> argv            include exec command line args in audit recs
> cnt             when no more space, drop recs and keep a cnt
> group           include supplementary groups in audit recs
> none            no policies
> path            allow multiple paths per event
> perzone         use a separate queue and auditd per zone
> public          audit public files
> seq             include a sequence number in audit recs
> trail           include trailer token in audit recs
> windata_down    include downgraded window information in audit recs
> windata_up      include upgraded window information in audit recs
> zonename        generate zonename token
>
> Broken System: U80
>
> [ifconfig -a]
> ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> inet 127.0.0.1 netmask ff000000
> lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu 8232 index 1
> zone tsolmro1
> inet 127.0.0.1 netmask ff000000
> hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
> index 2
> all-zones
> inet 172.26.20.14 netmask ffff0000 broadcast 172.26.255.255
> ether 8:0:20:f7:c6:59
> hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
> index 2
> zone tsolmro1
> inet 172.26.20.160 netmask ffff0000 broadcast 172.26.255.255
>
> [List Loaded Policies]
>
> auditconfig -getpolicy
> audit policies = argv,cnt,seq,zonename
>
> [List Available Policies]
>
> auditconfig -lspolicy
> policy string   description:
> ahlt            halt machine if it can not record an async event
> all             all policies
> arge            include exec environment args in audit recs
> argv            include exec command line args in audit recs
> cnt             when no more space, drop recs and keep a cnt
> group           include supplementary groups in audit recs
> none            no policies
> path            allow multiple paths per event
> perzone         use a separate queue and auditd per zone
> public          audit public files
> seq             include a sequence number in audit recs
> trail           include trailer token in audit recs
> windata_down    include downgraded window information in audit recs
> windata_up      include upgraded window information in audit recs
> zonename        generate zonename token
>
>
> On May 18, 2007, at 4:19 AM, Darren J Moffat wrote:
>
>> Robert Bailey wrote:
>>> I was wondering if anyone has run into this. I have two TX
>>> systems, each with the same BSM configuration, that has zonename
>>> enabled.
>>> On one TX system I have my local zones configured to run without
>>> IP addresses. In the global, there is one IP for all-zones, one
>>> without the all-zones tag. This system can report via BSM, on
>>> all transactions within a local zone.
>>> The second system, has the same BSM configuration, but for the
>>> local zone configuration there is an IP on the local zone, the
>>> global has one with an all-zones. This system does not report
>>> any audit trail for the local zone except for one entry for
>>> zoneadmd.
>>
>> Can you send the output of `auditconfig -lspolicy` for both machines.
>> Also ifconfig -a from the global zone for both machines.
>>
>> If I understand correctly you have: `auditconfig -setpolicy
>> +zonename` for both but have only a global zone audit log
>> configured ?
>>
>>
>>
>> --
>> Darren J Moffat
>
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org
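When comparing two hosts' BSM setups as in this thread, it helps to parse the audit_control file and the `auditconfig -getpolicy` output rather than eyeballing them. The following is an added example, not code from the thread or from Solaris: the sample text is constructed from the two hosts' quoted output, and the perzone check is an inference from the `-lspolicy` description ("use a separate queue and auditd per zone") combined with the note that neither system runs auditd in the local zone.

```python
import re
# Constructed samples copied from the two hosts' quoted output in the thread.
AUDIT_CONTROL = """dir:/var/audit
flags:lo,na,ad,ap
minfree:20
naflags:lo
plugin: name=audit_syslog.so;p_flags=lo,+ad
"""
GETPOLICY_U40 = "audit policies = arge,argv,cnt,seq,zonename"
GETPOLICY_U80 = "audit policies = argv,cnt,seq,zonename"

def parse_audit_control(text):
    """Parse audit_control 'key:value' lines; each plugin line becomes a dict."""
    conf = {"plugins": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "plugin":
            # "name=audit_syslog.so;p_flags=lo,+ad" -> {"name": ..., "p_flags": ...}
            conf["plugins"].append(dict(kv.split("=", 1) for kv in value.split(";")))
        elif key in ("flags", "naflags"):
            conf[key] = value.split(",") if value else []
        else:
            conf[key] = int(value) if key == "minfree" else value
    return conf

def parse_getpolicy(text):
    """Return the set of policy names from an 'audit policies = a,b,c' line."""
    m = re.search(r"audit policies\s*=\s*(\S*)", text)
    return set(filter(None, m.group(1).split(","))) if m else set()

def policy_diff(first, second):
    """Policies present on only one host (the U40-vs-U80 comparison above)."""
    return sorted(first - second), sorted(second - first)

def zone_audit_findings(policies, auditd_in_local_zones):
    """Flag policy combinations that leave local-zone activity unattributed or unrecorded."""
    findings = []
    if "zonename" not in policies:
        findings.append("no-zonename")  # records carry no zonename token
    if "perzone" in policies and not auditd_in_local_zones:
        findings.append("perzone-without-local-auditd")  # inferred from -lspolicy text
    if "cnt" in policies:
        findings.append("cnt-drops-on-full")  # recs dropped and counted when space runs out
    return findings
```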