Sun Solaris Basic Security Mode (BSM)

Sun Solaris Basic Security Mode (BSM) is an audit tracking tool for the system administrator to retrieve detailed auditing events from Sun Solaris systems.

JSA retrieves Sun Solaris BSM events by using the log file Protocol. To you configure JSA to integrate with Solaris Basic Security Mode, take the following steps:

Enable Solaris Basic Security Mode.
Convert audit logs from binary to a human-readable format.
Schedule a cron job to run the conversion script on a schedule.
Collect Sun Solaris events in JSA by using the log file protocol.

Enabling Basic Security Mode in Solaris 10

To configure Sun Solaris BSM in Solaris 10, you must enable Solaris Basic Security Mode and configure the classes of events the system logs to an audit log file.

Configure Basic Security Mode and enable auditing in Sun Solaris 10.

Log in to your Solaris console as a superuser or root user.
Enable single-user mode on your Solaris console.
Type the following command to run the bsmconv script and enable auditing:

/etc/security/bsmconv

The bsmconv script enables Solaris Basic Security Mode and starts the auditing service auditd.
Type the following command to open the audit control log for editing:

vi /etc/security/audit_control
Edit the audit control file to contain the following information:

dir:/var/audit flags:lo,ad,ex,-fw,-fc,-fd,-fr naflags:lo,ad
Save the changes to the audit_control file, and then reboot the Solaris console to start auditd.
Type the following command to verify that auditd starts :

/usr/sbin/auditconfig -getcond

If the auditd process is started, the following string is returned:

audit condition = auditing

You can now convert the binary Solaris Basic Security Mode logs to a human-readable log format.

Enabling Basic Security Mode in Solaris 11

To configure Sun Solaris BSM in Solaris 11, you must enable Solaris Basic Security Mode and configure the classes of events the system logs to an audit log file.

Log in to Solaris 11 console as a superuser or root.
Start the audit service by typing the following command:

audit -s
Set up the attributable classes by typing the following command:

auditconfig -setflags lo,ps,fw
Set up the non-attributable classes by typing the following command:

auditconfig -setnaflags lo,na
To verify that audit service starts, type the following command:

/usr/sbin/auditconfig -getcond

If the auditd process is started, the following string is returned:

audit condition = auditing

Converting Sun Solaris BSM Audit Logs

JSA doesn't process binary files directly from Sun Solaris BSM. You must convert the audit log from the existing binary format to a human-readable log format by using praudit before the audit log data can be retrieved by JSA.

Type the following command to create a new script on your Sun Solaris console:

vi /etc/security/newauditlog.sh
Add the following information to the newauditlog.sh script:

The script outputs log files in the <starttime>.<endtime>.<hostname>.log format.

For example, the log directory in /var/log contains a file with the following name:

20111026030000.20111027030000.qasparc10.log
Edit the script to change the default directory for the log files.
1. AUDIT_DIR="/var/audit" - The Audit directory must match the location that is specified by the audit control file you configured in “Enabling Basic Security Mode in Solaris”.
LOG_DIR="/var/log/" - The log directory is the location of the human-readable log files of your Sun Solaris system that are ready to be retrieved by JSA.
Save your changes to the newauditlog.sh script.
Optional: If you want to make the script executable, type the following command:
chmod +x /etc/security/newauditlog.sh

If this script is executable, you can automate it by using CRON to convert the Sun Solaris Basic Security Mode log to human-readable format.

Creating a Cron Job

Cron is a Solaris daemon utility that automates scripts and commands to run system-wide on a scheduled basis.

The following steps provide an example for automating newauditlog.sh to run daily at midnight. If you need to retrieve log files multiple times a day from your Solaris system, you must alter your cron schedule.

Type the following command to create a copy of your cron file:

crontab -l > cronfile
Type the following command to edit the cronfile:

vi cronfile
Add the following information to your cronfile:

0 0 * * * /etc/security/newauditlog.sh
Save the change to the cronfile.
Type the following command to add the cronfile to crontab:

crontab cronfile
You can now configure the log source in JSA to retrieve the Sun Solaris BSM audit log files.

You are now ready to configure a log source in JSA.

Log File Log Source Parameters for Sun Solaris BSM

If JSA does not automatically detect the log source, add a Sun Solaris BSM log source on the JSA Console by using the Log File protocol.

When using the Log File protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Log File events from Sun Solaris BSM:

Table 1: Log File Log Source Parameters for the Sun Solaris BSM DSM
Parameter	Value
Log Source type	Solaris BSM
	Log File
Log Source Identifier	Type the IP address or host name for the log source. The log source identifier must be unique for the log source type.
Service Type	From the list, select the protocol that you want to use when retrieving log files from a remove server. The default is SFTP. SFTP SSH File Transfer Protocol FTP File Transfer Protocol SCP Secure Copy The underlying protocol that is used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.
Remote IP or Hostname	Type the IP address or host name of the Sun Solaris BSM system.
Remote Port	Type the TCP port on the remote host that is running the selected Service Type. If you configure the Service Type as FTP, the default is 21. If you configure the Service Type as SFTP or SCP, the default is 22. The valid range is 1 - 65535.
Remote User	Type the user name necessary to log in to your Sun Solaris system. The user name can be up to 255 characters in length.
Remote Password	Type the password necessary to log in to your Sun Solaris system.
Confirm Password	Confirm the Remote Password to log in to your Sun Solaris system.
SSH Key File	If you select SCP or SFTP from the Service Type field you can define a directory path to an SSH private key file. The SSH Private Key File gives the option to ignore the Remote Password field.
Remote Directory	Type the directory location on the remote host from which the files are retrieved. By default, the newauditlog.sh script writes the human-readable logs files to the /var/log/ directory.
Recursive	Select this check box if you want the file pattern to also search sub folders. The Recursive parameter is not used if you configure SCP as the Service Type. By default, the check box is clear.
FTP File Pattern	If you select SFTP or FTP as the Service Type, this gives the option to configure the regular expression (regex) that is needed to filter the list of files that are specified in the Remote Directory. All matching files are included in the processing. For example, if you want to retrieve all files in the <starttime>.<endtime>.<hostname>.log format, use the following entry: `\d+\.\d+\.\w+\.log`. Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/
FTP Transfer Mode	This option appears only if you select FTP as the Service Type. The FTP Transfer Mode parameter gives the option to define the file transfer mode when you retrieve log files over FTP. From the list, select the transfer mode that you want to apply to this log source: Binary - Select Binary for log sources that require binary data files or compressed .zip, .gzip, .tar, or .tar+gzip archive files. ASCII Select ASCII for log sources that require an ASCII FTP file transfer. You must select NONE for the Processor field and LINEBYLINE the Event Generator field when you use the ASCII as the transfer mode.
SCP Remote File	If you select SCP as the Service Type, you must type the file name of the remote file.
Start Time	Type the time of day you want the processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the following format: HH: MM.
Recurrence	Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type `2H` if you want the directory to be scanned every 2 hours. The default is 1H.
Run On Save	Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File(s) parameter.
EPS Throttle	Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.
Processor	If the files on the remote host are stored in a .zip, .gzip, .tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and contents processed.
Ignore Previously Processed File(s)	Select this check box to track files that are processed already, and you do not want the files to be processed a second time. This applies only to FTP and SFTP Service Types.
Change Local Directory?	Select this check box to define the local directory on your JSA system that you want to use for storing downloaded files during processing. It is suggested that you leave the check box clear. When the check box is selected, the Local Directory field is displayed, which gives you the option to configure the local directory to use for storing files.
Event Generator	From the Event Generator list, select LINEBYLINE.