
Sun Solaris Basic Security Mode (BSM)

 

Sun Solaris Basic Security Mode (BSM) is the kernel-level audit facility of Sun Solaris. It records detailed audit events that the system administrator can retrieve from Sun Solaris systems.

JSA retrieves Sun Solaris BSM events by using the log file protocol. To configure JSA to integrate with Solaris Basic Security Mode, take the following steps:

  1. Enable Solaris Basic Security Mode.

  2. Convert audit logs from binary to a human-readable format.

  3. Schedule a cron job to run the conversion script on a schedule.

  4. Collect Sun Solaris events in JSA by using the log file protocol.

Enabling Basic Security Mode in Solaris 10

To configure Sun Solaris BSM in Solaris 10, you must enable Solaris Basic Security Mode and configure the classes of events the system logs to an audit log file.

Configure Basic Security Mode and enable auditing in Sun Solaris 10.

  1. Log in to your Solaris console as a superuser or root user.
  2. Enable single-user mode on your Solaris console.
  3. Type the following command to run the bsmconv script and enable auditing:

    /etc/security/bsmconv

    The bsmconv script enables Solaris Basic Security Mode. The auditing service auditd starts when you reboot the system in step 6.

  4. Type the following command to open the audit control log for editing:

    vi /etc/security/audit_control

  5. Edit the audit control file to contain the following information, one entry per line:

    dir:/var/audit
    flags:lo,ad,ex,-fw,-fc,-fd,-fr
    naflags:lo,ad

    The dir: entry is the directory that receives the binary audit files. The flags: entry lists the audit classes recorded for attributable (user) events: login/logout (lo), administrative actions (ad), program execution (ex), and file write, create, delete and read operations (fw, fc, fd, fr). A leading minus sign records only the failed events of that class, so the file classes above capture failures only. The naflags: entry lists the classes recorded for non-attributable events.

  6. Save the changes to the audit_control file, and then reboot the Solaris console to start auditd.
  7. Type the following command to verify that auditd starts:

    /usr/sbin/auditconfig -getcond

    If the auditd process is started, the following string is returned:

    audit condition = auditing

You can now convert the binary Solaris Basic Security Mode logs to a human-readable log format.

Enabling Basic Security Mode in Solaris 11

To configure Sun Solaris BSM in Solaris 11, you must enable Solaris Basic Security Mode and configure the classes of events the system logs to an audit log file.

  1. Log in to Solaris 11 console as a superuser or root.
  2. Start the audit service by typing the following command:

    audit -s

  3. Set up the attributable classes by typing the following command:

    auditconfig -setflags lo,ps,fw

  4. Set up the non-attributable classes by typing the following command:

    auditconfig -setnaflags lo,na

  5. To verify that the audit service starts, type the following command:

    /usr/sbin/auditconfig -getcond

    If the auditd process is started, the following string is returned:

    audit condition = auditing

Converting Sun Solaris BSM Audit Logs

JSA cannot process binary files directly from Sun Solaris BSM. You must convert the audit log from the existing binary format to a human-readable log format by using praudit before the audit log data can be retrieved by JSA.

  1. Type the following command to create a new script on your Sun Solaris console:

    vi /etc/security/newauditlog.sh

  2. Add the following information to the newauditlog.sh script:

    #!/bin/bash
    #
    # newauditlog.sh - Start a new audit file and expire the old logs
    #

    AUDIT_EXPIRE=30
    AUDIT_DIR="/var/audit"
    LOG_DIR="/var/log/"

    # Close the audit file that is currently being written and start a new one
    /usr/sbin/audit -n

    cd "$AUDIT_DIR" # in case it is a link

    # Get a listing of the files based on creation date that are not currently in use
    FILES=$(ls -lrt | tr -s " " | cut -d" " -f9 | grep -v "not_terminated")

    # We just created a new audit log by doing 'audit -n', so we can
    # be sure that the last file in the list will be the latest
    # archived binary log file.
    lastFile=""
    for file in $FILES; do
        lastFile=$file
    done

    # Nothing to convert if no closed audit file exists yet
    if [ -z "$lastFile" ]; then
        echo "No closed audit file found in $AUDIT_DIR"
        exit 0
    fi

    # Extract a human-readable file from the binary log file
    echo "Beginning praudit of $lastFile"
    praudit -l "$lastFile" > "$LOG_DIR$lastFile.log"
    echo "Done praudit, creating log file at: $LOG_DIR$lastFile.log"

    # Remove binary audit files older than AUDIT_EXPIRE days
    /usr/bin/find "$AUDIT_DIR" -type f -mtime +$AUDIT_EXPIRE \
        -exec rm {} \; > /dev/null 2>&1

    # End script

    The script outputs log files in the <starttime>.<endtime>.<hostname>.log format.

    For example, the log directory in /var/log would contain a file with the following name:

    20111026030000.20111027030000.qasparc10.log

  3. Edit the script to change the default directories if they differ on your system:

    AUDIT_DIR="/var/audit" - The audit directory must match the location specified by the dir: entry of the audit_control file you configured in Enabling Basic Security Mode in Solaris 10. On Solaris 11 the active audit directory is the p_dir attribute of the audit_binfile plugin, which you can display with auditconfig -getplugin audit_binfile.

    LOG_DIR="/var/log/" - The log directory is the location of the human-readable log files on your Sun Solaris system that are ready to be retrieved by JSA. Keep the trailing slash, because the script appends the file name directly to this value.

  4. Save your changes to the newauditlog.sh script and make it executable, for example with chmod 700 /etc/security/newauditlog.sh, because cron runs the script by path.

You can now automate this script by using cron to convert the Sun Solaris Basic Security Mode log to human-readable format. Note two limits of the script as written: on each run it converts only the most recently closed binary file, so any file closed between two runs (for example after a missed cron run or an extra audit -n) is never converted, and it expires only the binary files in AUDIT_DIR, never the .log files it writes to LOG_DIR, so that directory grows until you clean it up.
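The following is an added example, not part of the original page or of Juniper's own script, that addresses the gap just described: it converts every closed binary audit file that does not yet have a .log counterpart, writes each conversion to a temporary name first so that JSA never picks up a half-written file, and checks a produced name against the FTP File Pattern used later in the JSA log source. The AUDIT_DIR, LOG_DIR and PRAUDIT variables, the function names, and the "run" argument are this example's own choices; PRAUDIT is overridable only so the selection logic can be exercised on a system without praudit.

```shell
#!/bin/sh
# Added example (not from the page or Juniper): convert every closed BSM
# audit file that has no .log counterpart yet, instead of only the newest
# one. Closed files are named <starttime>.<endtime>.<hostname>; the file
# still being written has "not_terminated" as its end time.
# PRAUDIT is overridable so the logic can be exercised without Solaris.

AUDIT_DIR="${AUDIT_DIR:-/var/audit}"
LOG_DIR="${LOG_DIR:-/var/log}"
PRAUDIT="${PRAUDIT:-/usr/sbin/praudit -l}"

# Print the closed audit files in a directory, oldest first. Sorting by
# name sorts by start timestamp, so no ls column parsing is needed.
closed_audit_files() {
    ls "$1" 2>/dev/null | grep -E '^[0-9]{14}\.[0-9]{14}\.' | sort
}

# Convert each closed file in $1 that has no .log yet into $2 and print
# how many files were converted. Output goes to a temporary name first
# so a half-written file never matches the JSA file pattern.
convert_pending() {
    adir=$1
    ldir=$2
    count=0
    for f in $(closed_audit_files "$adir"); do
        [ -f "$ldir/$f.log" ] && continue
        if $PRAUDIT "$adir/$f" > "$ldir/$f.tmp"; then
            mv "$ldir/$f.tmp" "$ldir/$f.log"
            count=$((count + 1))
        else
            rm -f "$ldir/$f.tmp"
        fi
    done
    echo "$count"
}

# True if a name matches the FTP File Pattern \d+\.\d+\.\w+\.log that the
# JSA log source uses, so a converted file will actually be picked up.
matches_jsa_pattern() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[A-Za-z0-9_]+\.log$'
}

# Cron entry point; skipped when the file is sourced for testing.
if [ "${1:-}" = "run" ]; then
    /usr/sbin/audit -n
    convert_pending "$AUDIT_DIR" "$LOG_DIR"
fi
```

Run it from cron as /path/to/script run so that audit -n closes the current file before conversion, as the original script does. Because \w in the JSA pattern matches only letters, digits and underscore, a hostname that contains a hyphen produces names the default pattern rejects; in that case widen the FTP File Pattern in the log source rather than renaming files.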

Creating a Cron Job

Cron is a Solaris daemon utility that automates scripts and commands to run system-wide on a scheduled basis.

The following steps provide an example of automating newauditlog.sh to run daily at midnight. Install the crontab as root: the binary files in /var/audit are readable only by root, and the script also removes expired files there. If you need to retrieve log files multiple times a day from your Solaris system, alter the cron schedule accordingly.

  1. Type the following command to create a copy of your cron file:

    crontab -l > cronfile

  2. Type the following command to edit the cronfile:

    vi cronfile

  3. Add the following information to your cronfile:

    0 0 * * * /etc/security/newauditlog.sh

  4. Save the change to the cronfile.
  5. Type the following command to add the cronfile to crontab:

    crontab cronfile

You are now ready to configure a log source in JSA to retrieve the Sun Solaris BSM audit log files.
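Before pointing JSA at LOG_DIR it is worth confirming that the converted files contain one complete record per line, which is what the LINEBYLINE event generator configured later expects. The following added example, not part of the original page or of Juniper's documentation, summarises praudit -l records as event, user and return status and filters out the successes. It relies on the praudit -l layout of comma-separated tokens (header, subject, return, and so on) and on the token field order documented for Solaris; the sample records are constructed for the example, not captured from a real system, so compare them with your own output before relying on the field positions.

```shell
#!/bin/sh
# Added example (not from the page or Juniper): summarise praudit -l
# records as event/user/status so you can eyeball what JSA will read
# line by line before you point a log source at LOG_DIR.
# praudit -l writes one record per line with comma-separated tokens:
# header,<len>,<ver>,<event>,<modifier>,<host>,<time>,subject,<audit-ID>,
# <uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>,...,return,<status>,<value>

# Read records on stdin, print "event=... user=... status=..." per record.
bsm_summary() {
    awk -F, '
    $1 == "header" {
        event = $4; user = "-"; status = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "subject" && i < NF) user = $(i + 1)   # audit-ID of the subject
            if ($i == "return"  && i < NF) status = $(i + 1) # success or failure
        }
        printf "event=%s user=%s status=%s\n", event, user, status
    }'
}

# Keep only records whose return token is not "success", the first
# thing to look at in a freshly converted file.
bsm_failures() {
    bsm_summary | grep -v ' status=success$'
}

# Constructed sample records in praudit -l layout (not captured from a
# real system); hostname and dates follow the page's example file name.
SAMPLE_RECORDS='header,81,2,login - local,,qasparc10,2011-10-26 03:15:02.050 -07:00,subject,root,root,other,root,other,378,378,0 0 qasparc10,text,successful login,return,success,0
header,81,2,login - local,,qasparc10,2011-10-26 03:16:40.120 -07:00,subject,jdoe,jdoe,staff,jdoe,staff,391,391,0 0 qasparc10,text,invalid password,return,failure,1
header,83,2,execve(2),,qasparc10,2011-10-26 03:17:05.300 -07:00,path,/usr/bin/su,subject,jdoe,root,staff,jdoe,staff,402,391,0 0 qasparc10,return,success,0'

# Print the failures from the sample when run with the "demo" argument.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RECORDS" | bsm_failures
fi
```

On a Solaris host, run bsm_failures against a converted file with something like bsm_failures < /var/log/20111026030000.20111027030000.qasparc10.log. A record that prints user=- or status=- has no subject or return token at a position the script recognises, which usually means the line was split or the token order differs from the one assumed above.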

Configuring a Log Source for Sun Solaris BSM

A log file protocol source allows JSA to retrieve archived log files from a remote host. Sun Solaris BSM supports the bulk loading of audit log files by using the log file protocol.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. From the Log Source Type list, select Solaris BSM.
  6. Using the Protocol Configuration list, select Log File.
  7. Configure the following parameters:

    Table 1: Log File Parameters

    Parameter

    Description

    Log Source Identifier

    Type the IP address or host name for the log source. The log source identifier must be unique for the log source type.

    Service Type

    From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP.

    • SFTP - SSH File Transfer Protocol

    • FTP - File Transfer Protocol

    • SCP - Secure Copy

    Prefer SFTP or SCP. FTP sends the Remote User credentials and the audit trail itself across the network in cleartext.

    The underlying protocol that is used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

    Remote IP or Hostname

    Type the IP address or host name of the Sun Solaris BSM system.

    Remote Port

    Type the TCP port on the remote host that is running the selected Service Type. If you configure the Service Type as FTP, the default is 21. If you configure the Service Type as SFTP or SCP, the default is 22.

    The valid range is 1 - 65535.

    Remote User

    Type the user name necessary to log in to your Sun Solaris system.

    The user name can be up to 255 characters in length.

    Remote Password

    Type the password necessary to log in to your Sun Solaris system.

    Confirm Password

    Confirm the Remote Password to log in to your Sun Solaris system.

    SSH Key File

    If you select SCP or SFTP from the Service Type field you can define a directory path to an SSH private key file. The SSH Private Key File gives the option to ignore the Remote Password field.

    Remote Directory

    Type the directory location on the remote host from which the files are retrieved. By default, the newauditlog.sh script writes the human-readable log files to the /var/log/ directory. The Remote User must be able to read this directory and the .log files in it; because the script runs as root, the permissions of those files follow root's umask, so check them rather than assuming.

    Recursive

    Select this check box if you want the file pattern to also search sub folders. The Recursive parameter is not used if you configure SCP as the Service Type. By default, the check box is clear.

    FTP File Pattern

    If you select SFTP or FTP as the Service Type, this parameter lets you configure the regular expression (regex) that filters the list of files in the Remote Directory. All matching files are included in the processing.

    For example, if you want to retrieve all files in the <starttime>.<endtime>.<hostname>.log format, use the following entry: \d+\.\d+\.\w+\.log.

    Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

    FTP Transfer Mode

    This option appears only if you select FTP as the Service Type. The FTP Transfer Mode parameter gives the option to define the file transfer mode when you retrieve log files over FTP.

    From the list, select the transfer mode that you want to apply to this log source:

    • Binary - Select Binary for log sources that require binary data files or compressed .zip, .gzip, .tar, or .tar+gzip archive files.

    • ASCII - Select ASCII for log sources that require an ASCII FTP file transfer. You must select NONE for the Processor field and LINEBYLINE for the Event Generator field when you use ASCII as the transfer mode. The praudit output that newauditlog.sh writes is plain text, so ASCII is the mode to use for this log source if you retrieve the files over FTP.

    SCP Remote File

    If you select SCP as the Service Type, you must type the file name of the remote file.

    Start Time

    Type the time of day you want the processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the following format: HH:MM.

    Recurrence

    Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D).

    For example, type 2H if you want the directory to be scanned every 2 hours. The default is 1H.

    Run On Save

    Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule.

    Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File(s) parameter.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

    Processor

    If the files on the remote host are stored in a .zip, .gzip, .tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and contents processed.

    Ignore Previously Processed File(s)

    Select this check box to track files that are processed already, and you do not want the files to be processed a second time. This applies only to FTP and SFTP Service Types.

    Change Local Directory?

    Select this check box to define the local directory on your JSA system that you want to use for storing downloaded files during processing. It is suggested that you leave the check box clear. When the check box is selected, the Local Directory field is displayed, which gives you the option to configure the local directory to use for storing files.

    Event Generator

    From the Event Generator list, select LINEBYLINE.

  8. Click Save.

    The configuration is complete. Events that are retrieved by using the log file protocol are displayed on the Log Activity tab of JSA.