Solaris C2/BSM security notes
By Seán Boran (sean at boran.com)
www.boran.com/security/sp/Solaris_bsm.html
This article first appeared as "Tip of
the Week" in the Solaris Security Digest. Since then I've added a few updates, links
and feedback. It's not by any means a complete reference on BSM.
|
 |
|
Beware:
I've had problems on many Solaris8 boxes- if BSM is switched on, root cron
jobs fail.
- Ensure that patches for 'c2 audit are installed, e.g.
108875 SunOS 5.8: c2audit patch, 108876 SunOS 5.8_x86: c2audit patch.
- A problem is known to Sun (SRDB ID: 18219). Fix: for each FILE
in /var/spool/cron/crontabs, there should also be a FILE.au. So for the root cron to work:
touch /var/spool/cron/crontabs/root.au
- See also the discussion on cronjob return
codes, which say that the jobs do in fact run, but the error codes are non zero. This is
another problem in my opinion.
- 21st June 2001: Nasser Manesh writes in to
suggest a fix. I've not yet tested it:
"If you use ssh when you run crontab to edit cron entries, the USER.au file
(e.g. root.au) is not created correctly because of the default way of switching uid in
sshd, and as a result, cron fails to execute the jobs. The workaround is either:
1) Enable
telnet or console access and do a crontab -e _without_ ssh, or
2) Configure your
sshd with "UseLogin" (default is no)."
- Dec 2001: Note that some SSH versions have
a security weakness when the "UseLogin" option is enabled. The
problem is UNIX not SSH. Make sure your OS has a patched
login.
|
|
What is SunShield BSM?
Sun deliver a "C2" level auditing system for both SunOS (Sunshield) and
Solaris (Sunshield BSM). It is bundled with Solaris 2. BSM allows the actions of specific
users to be recorded and written to an audit file. However, the auditing is at the
system-call level, meaning huge logs may be generated by simple user actions. Performance
is also affected. The standard analysis tools praudit and auditreduce
offer no high level analysis of audit trails. Applications may also write to the audit
trail.
Reference documentation: "SunShield Basic Security Module Guide" (Standard
Solaris 2.x documentation). Man pages: audit(1m), audit_startup(1m), audit_warn(1m),
auditconfig(1m), auditreduce(1m), bsmconv(1m).
Enabling and configuring SunShield BSM
- To enable, go to single user and run "bsmconv":
init 1
cd /etc/security;
./bsmconv
- Note: this modifies /etc/system, disabling Stop-A. It is suggested that you re-enable
Stop-A by putting a "*" in front of the appropriate line in /etc/system:
*set abort_enable = 0
- Set an email alias for 'audit_warn' in /etc/aliases.
echo "audit_warn: root" >> /etc/aliases
- Enable command line argument recording by editing /etc/security/audit_startup and adding
the following line:
auditconfig -setpolicy +argv
- To enable recording of all commands issued by every user, login/logouts and failures,
edit /etc/security/audit_control and change the 'flags' line to:
flags:ex,lo,ad,-all
- To audit root actions in detail, edit /etc/security/audit_user and change the 'root'
line to:
root:lo,ex,fd,fc,fm,fw:no
Flags:
# lo - login/logout events
# ex - execution
# fd,fc,fw,fm - file deletion/creation/write/change of object attributes: chown, flock,
etc.
# ad - administrative actions: mount, exportfs, etc.
# pc - process operations: fork, exec, exit, etc.
Another example: to audit a user's failed attempts at creating, writing,
reading file and successful file deletions & attribute modifications:
joe_bloggs:-fc,-fw,-fr,fd,fm:no
- Reboot and login. There should be an 'auditd' daemon running.
Install the audit2info scripts. Francisco Mancardi has published these scripts
to make it easier to read the Sun's C2 (SunShield BSM) auditing logs. The scripts and
files described here can be downloaded.
- Install gawk (no, Sun's awk won't work Gawk can be had from Sunfreeware.com)
- Extract the files into /opt/install.
- If you install it anywhere else, then edit audit_lib and set AUDIT_HOME to the install
directory.
Try out audit2info:
First, produce an ASCII file on C2 auditing activity :
cd /opt/audit;
auditreduce | praudit > audit-data.txt
We can now analyse this output in different ways using the "audit2info"
script, links are provided to sample results.
Let's make the output from auditreduce | praudit above more readable:
./audit2info audit-data.txt > outfile
Show only activity concerning one username:
./audit2info -u bill audit-data.txt > outfile
Show only login/logout activity:
./audit2info -l ok audit-data.txt > outfile
Show only login failure activity:
./audit2info -l ko audit-data.txt > outfile
Show the complete output from auditreduce |praudit, but filtering out records
that have fields with the string listed in the filter file default
"filtro_audit"
./audit2info -f default audit-data.txt > outfile
The above example can be mixed as desired..
Notes using SunShield BSM:
- It creates huge logs, watch it carefully. Ensure that the audit trail is stored on a
partition with enough space.
- Don't bother auditing if you don't have an expert capable of interpreting the logs.
- There is no way of auditing file access depending on the filename. E.g. all write
attempts to /etc/passwd cannot be simply audited. Neither is it possible to trace user
actions on a high level.
- To disable SunShield BSM: go to single user and run "bsmunconv":
init 1
cd /etc/security;
./bsmunconv
- Certain commands are not recorded in a useful way: Example: kill only registers
the pid, so when you read the audit results, you don't know the relationship between this
PID and the name of the binary file.
Workaround: write a wrapper script for kill - not a very elegant solution.
- When auditing all the commands executed, the pathname of the files being worked on is
not provided. For example,
cd /etc/host; vi hosts
cd /tmp; vi hosts
give records that show vi activity on a file name hosts, twice.
Workaround: enable the flags to audit file creation and file modification. This events
save the pathname.
- Check the BSM configuration:
auditconfig -chkconf
- A script for rotating the audit logs (from Sabernet)
#!/sbin/sh
#
# newauditlog.sh - Start a new audit file and expire the old logs
#
AUDIT_EXPIRE=30
AUDIT_DIR="/var/audit" /usr/sbin/audit -n cd $AUDIT_DIR # in case it is a link
/usr/bin/find . $AUDIT_DIR -type f -mtime +$AUDIT_EXPIRE \
-exec rm {} > /dev/null 2>&1 \;
Run the script nightly from cron:
0 0 * * * /etc/security/newauditlog.sh
List of Audit event classes
http://www.sysadminmag.com/supplement/913c2t1.shtml
Implementing C2 Auditing in the Solaris Environment, by Kevin
Wenchel and Stephen Michaels
http://www.sysadminmag.com/supplement/913c2.shtml
C2 Security Frequently Asked Questions, Sunsolve Online
http://sunsolve.Sun.COM , infodoc id 14313.
Solaris BSM Auditing, by Darren Moffat
http://www.securityfocus.com/focus/sun/articles/bsmaudit1.html
Solaris Security Guide, Sabernet
http://www.sabernet.net/papers/Solaris.html
Sun Blueprints: Auditing in the Solaris 8 Operating Environment
http://www.sun.com/blueprints/
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
| © Copyright 2002, Seán .Boran, All Rights Reserved, Last Update: 24 septembre, 2002 |