Solaris C2/BSM security notes

By Seán Boran (sean at 

This article first appeared as "Tip of the Week" in the Solaris Security Digest. Since then I've added a few updates, links and feedback. It's not by any means a complete reference on BSM.

I've had problems on many Solaris8 boxes- if BSM is switched on, root cron jobs fail.
  1. Ensure that patches for 'c2 audit are installed, e.g.
    108875 SunOS 5.8: c2audit patch, 108876 SunOS 5.8_x86: c2audit patch.
  2. A problem is known to Sun (SRDB ID: 18219). Fix: for each FILE in /var/spool/cron/crontabs, there should also be a So for the root cron to work:
    touch /var/spool/cron/crontabs/
  3. See also the discussion on cronjob return codes, which say that the jobs do in fact run, but the error codes are non zero. This is another problem in my opinion.
  4. 21st June 2001: Nasser Manesh writes in to suggest a fix. I've not yet tested it:
    "If you use ssh when you run crontab to edit cron entries, the file (e.g. is not created correctly because of the default way of switching uid in sshd, and as a result, cron fails to execute the jobs. The workaround is either: 
    1) Enable telnet or console access and do a crontab -e _without_ ssh, or 
    2)  Configure your sshd with "UseLogin" (default is no)." 
  5. Dec 2001: Note that some SSH versions have a security weakness when the "UseLogin" option is enabled. The problem is UNIX not SSH. Make sure your OS has a patched login.

What is SunShield BSM?

Sun deliver a "C2" level auditing system for both SunOS (Sunshield) and Solaris (Sunshield BSM). It is bundled with Solaris 2. BSM allows the actions of specific users to be recorded and written to an audit file. However, the auditing is at the system-call level, meaning huge logs may be generated by simple user actions. Performance is also affected. The standard analysis tools praudit and auditreduce offer no high level analysis of audit trails. Applications may also write to the audit trail.

Reference documentation: "SunShield Basic Security Module Guide" (Standard Solaris 2.x documentation). Man pages: audit(1m), audit_startup(1m), audit_warn(1m), auditconfig(1m), auditreduce(1m), bsmconv(1m).

Enabling and configuring SunShield BSM

Install the audit2info scripts. Francisco Mancardi has published these scripts to make it easier to read the Sun's C2 (SunShield BSM) auditing logs. The scripts and files described here can be downloaded.

Try out audit2info:

First, produce an ASCII file on C2 auditing activity :
cd /opt/audit;
auditreduce | praudit > audit-data.txt

We can now analyse this output in different ways using the "audit2info" script, links are provided to sample results.

Let's make the output from auditreduce | praudit above more readable:
./audit2info audit-data.txt > outfile

Show only activity concerning one username:
./audit2info -u bill audit-data.txt > outfile

Show only login/logout activity:
./audit2info -l ok audit-data.txt > outfile

Show only login failure activity:
./audit2info -l ko audit-data.txt > outfile

Show the complete output from auditreduce |praudit, but filtering out records
that have fields with the string listed in the filter file default "filtro_audit"
./audit2info -f default audit-data.txt > outfile

The above example can be mixed as desired..

Notes using SunShield BSM:

References and other BSM articles:

List of Audit event classes

Implementing C2 Auditing in the Solaris Environment, by Kevin Wenchel and Stephen Michaels

C2 Security Frequently Asked Questions, Sunsolve Online
http://sunsolve.Sun.COM , infodoc id 14313.

Solaris BSM Auditing, by Darren Moffat

Solaris Security Guide, Sabernet

Sun Blueprints: Auditing in the Solaris 8 Operating Environment

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.    

© Copyright 2002, Seán .Boran, All Rights Reserved, Last Update: 24 septembre, 2002