The only tools I'm aware of are:
- EMERALD eXpert-BSM, last release 2002 :-(
- ISS RealSecure server sensor
In addition, Solaris 10 now supports XML as an output format, which is
supposed to be easier to parse, right?
bbr
Crist J. Clark wrote:
> Sarbanes-Oxley has reared its ugly head. The word has come down
> from on high that we need to know everything root does on the
> affected systems. Using Solaris's built-in audit tools seems
> like the obvious choice. So, I have,
>
> root:lo,ex,pc,fw,fm,fc,fd:no
>
> In the audit_user file. Great. Most of the time this captures
> what we want without too much cruft...
>
> Most of the time. We had one system generate two GBs of logs
> over two days (impractical). Now it is back to a few MB per day
> (reasonable). I'm still trying to figure out exactly why, but
> it looks like ufsdump/ufsrestore is hell on accounting. Not
> for all of the files getting touched, as I first expected,
> but rather due to wild amounts of signalling (kill(2)) between
> processes.
>
> Anyway, I am in search of tools to deal with audit logs. For
> example, I suspect that this noise is from ufsdump/restore,
> but this is hard to back out. It'd be sweet to have a tool
> where I could pull out all of the logs related to a process,
> including its children, and look at them. Something interactive
> would be so-o cool. Using auditreduce(1M) and praudit(1M) with
> grep, perl, and awk only goes so far, especially when it
> comes to GBs of logs.
>
> Are there tools out there for this? Any leads, from Sun, free
> stuff, your scripts, or third-party commercial, would help.
>
> (Oh, and peeve with auditreduce(1M), it can't handle large
> files?!)
>
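Since the original poster asked for a way to pull out every record belonging to one process and its children, here is an added example (not from either poster) that does that over the Solaris 10 `praudit -x` XML output that bbr mentions. The XML sample is constructed, and the layout it relies on (a `record` element carrying `event`, a `subject` child with `pid`, and a `return` child with `retval`) is my understanding of the praudit -x format, not something confirmed by the thread.

```python
"""Filter praudit -x output down to one process and its descendants."""
import xml.etree.ElementTree as ET
from collections import Counter
from io import BytesIO

# Constructed sample, not a real audit trail; only the attributes used
# below are included. pid 100 forks 101, which then signals 100.
SAMPLE = b"""<?xml version="1.0"?>
<audit>
<record version="2" event="execve(2)" host="h" iso8601="2004-01-01 10:00:00.000 -05:00">
<path>/usr/sbin/ufsdump</path><subject audit-uid="root" uid="root" pid="100"/><return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" host="h" iso8601="2004-01-01 10:00:01.000 -05:00">
<subject audit-uid="root" uid="root" pid="100"/><return errval="success" retval="101"/>
</record>
<record version="2" event="kill(2)" host="h" iso8601="2004-01-01 10:00:02.000 -05:00">
<subject audit-uid="root" uid="root" pid="101"/><process audit-uid="root" pid="100"/><return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" host="h" iso8601="2004-01-01 10:00:03.000 -05:00">
<path>/usr/bin/ls</path><subject audit-uid="root" uid="root" pid="200"/><return errval="success" retval="0"/>
</record>
</audit>"""

FORK_EVENTS = ("fork(2)", "fork1(2)", "vfork(2)")

def process_tree_records(stream, root_pid):
    """Return (records, event_counts) for root_pid and every descendant.

    Records are streamed with iterparse and freed as they go, so a trail
    of several GB is read in constant memory. Assumption: a fork record
    names the parent in <subject pid> and the new child in <return retval>.
    """
    wanted = {root_pid}
    kept, counts = [], Counter()
    for _, rec in ET.iterparse(stream):
        if rec.tag != "record":
            continue
        subj = rec.find("subject")
        pid = int(subj.get("pid")) if subj is not None else None
        event = rec.get("event")
        if pid in wanted:
            kept.append((rec.get("iso8601"), event, pid))
            counts[event] += 1
            if event in FORK_EVENTS:
                ret = rec.find("return")
                if ret is not None and ret.get("errval") == "success":
                    wanted.add(int(ret.get("retval")))  # adopt the child
        rec.clear()  # drop the parsed element; only the summary is kept
    return kept, counts

if __name__ == "__main__":
    records, counts = process_tree_records(BytesIO(SAMPLE), 100)
    for stamp, event, pid in records:
        print(stamp, pid, event)
    print(counts.most_common())  # shows which syscall dominates the noise
```

The event counter is the quick check for the ufsdump/ufsrestore question above: run it with the dump's pid and see whether `kill(2)` tops the list.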