Questions and Answers
Amy Rich
Q Because of security concerns, I need to log
the RUID, RGID, EUID, EGID, and arguments of any program that's run. I've considered
wrapping everything with a script and then having users call it for each command,
but that would be easy to circumvent. I definitely don't want to give users
elevated access by allowing them to use sudo on a shell script when they need
to run commands as root, either. Is there any way to do this natively with Solaris
8, or is there a third-party product or freeware program (not shell script)
that I could use?
A If you're running Solaris 8, you can enable
BSM (run /etc/security/bsmconv as root and reboot) to capture this information. Of
course, anyone with complete root access on the machine can always find a way around
any restriction; in this case, root could simply turn BSM off, so the audit trail
only constrains users who don't already have root. You'll need to edit
/etc/security/audit_control on the machine where you want to capture this data. The
audit_control file specifies which classes of events you're going to log. In a
default install, you'll see four directive lines:
dir:/var/audit
flags:
minfree:20
naflags:lo
The dir line dictates the directory where the audit files will be stored. By
default, this is /var/audit; you may list several dir lines, and they are used in
order. The minfree line specifies the percentage of free space that must remain in
the file system containing the current audit file; when it drops below that, auditd
calls /etc/security/audit_warn and moves on to the next dir entry, if there is one.
The flags and naflags (non-attributable flags) lines specify the event classes to
audit, using the class names defined in /etc/security/audit_class. flags is the
system-wide default for attributable events, those that can be tied to a logged-in
user's audit ID (per-user additions and exceptions go in /etc/security/audit_user);
naflags covers non-attributable events, which can't be tied to any user, such as a
login attempt that fails before the user is identified. Each class in the flags and
naflags directives can be audited for failure only if prefixed with a - character,
success only if prefixed with a + character, or for both success and failure if
left without a prefix. Multiple classes are separated by commas with no whitespace.
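As an added example (this is not code from the column or from Sun's documentation), the following sh script writes an audit_control that logs what the questioner asked for: the ex (exec) class produces a record for every program run, carrying the subject token (audit ID, EUID, EGID, RUID, RGID and PID), and with the argv audit policy turned on the exec arguments are recorded as well. The helper functions (write_audit_control, audit_directive, has_class, class_mode) and the apply_exec_auditing wrapper are mine; bsmconv, audit, auditconfig, auditreduce and praudit are the real Solaris BSM utilities, but that the argv policy is present on your patch level is an assumption you should confirm with auditconfig -lspolicy.

```shell
#!/bin/sh
# Added example, not part of the original column. Assumes Solaris 8 BSM
# utilities: bsmconv(1M), audit(1M), auditconfig(1M), auditreduce(1M), praudit(1M).

# Write a corrected audit_control to $1. "ex" (exec) records carry the subject
# token (audit ID, EUID, EGID, RUID, RGID, PID) and, with the argv policy set,
# the exec arguments. "lo" keeps login/logout so exec records can be tied to
# a session. Non-attributable events stay at the default of lo.
write_audit_control() {
    cat > "$1" <<'EOF'
dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo
EOF
}

# Print the value of directive $2 (dir, flags, minfree, naflags) from file $1.
audit_directive() {
    sed -n "s/^$2://p" "$1"
}

# Succeed if class $2 appears in the comma-separated list $1, ignoring the
# + (success only) and - (failure only) prefixes.
has_class() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[-+]//' | grep -qx "$2"
}

# Report how class $2 is selected in list $1: both, success, failure, or none.
class_mode() {
    for f in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$f" in
            "+$2") echo success; return 0 ;;
            "-$2") echo failure; return 0 ;;
            "$2")  echo both;    return 0 ;;
        esac
    done
    echo none
}

# Run as root on the Solaris host (refuses to run elsewhere): install the
# file, turn on the argv policy so exec arguments are recorded, have auditd
# re-read its configuration, then dump the exec records captured so far.
# BSM itself must already be on (bsmconv plus a reboot) for audit -s to work.
apply_exec_auditing() {
    [ "$(uname -s)" = SunOS ] || { echo "not Solaris; nothing applied" >&2; return 1; }
    write_audit_control /etc/security/audit_control
    auditconfig -setpolicy +argv   # add the same line to audit_startup to survive reboots
    audit -s                       # make auditd re-read audit_control
    auditreduce -c ex /var/audit/* | praudit
}

case "${1:-}" in
    apply) apply_exec_auditing ;;
esac
```

Invoke the script with the single argument apply on the Solaris machine; with no argument it only defines the helpers, so the checks can be run anywhere. Note that the column's caveat still applies: audit_control, the argv policy and auditd are all root-controlled, so the trail records what unprivileged users do but cannot protect itself from root.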