-------------------------O R I G I N A L-----------------------------------
Hello Sun-managers
I am running sun3 machines SunOS 4.1.1 and sun4 machines SunOS 4.1.3
both with C2 security running.
The auditd is running on all machines with the following control file:
dir:/etc/security/audit/zeus/files
flags:-lo,-ad,-p0,-p1
minfree:2
The audit works well and we run the '/usr/etc/praudit' program nightly
to generate a report.
The problem is that many users use cron and every cron job shows up in
the audit report. The cron jobs the users are running are their own
and do not violate any permissions or attempt to do anything they
should not.
In other words the audit daemon is trapping events that are okay.
I tried trimming back the flags but no improvement.
Any ideas? Any patches? Any freeware to intelligently parse the output
of praudit?
Thanks, and yes I will summarize.
-------------------------S U M M A R Y-----------------------------------
It turns out that there is a bug with the last C2 security software for
SunOS 4.1.?. The audit daemon cannot handle the security detection for
cron jobs. Sun's position is that the bug will not be fixed, and they say
to replace the existing C2 security software with their BSM (i.e. Basic
Security Module) software.
As an alternative I am including the shell script below, which will handle
this problem to some extent.
------------------------------------------------------------------------------
Robert J Wolf, Sun System Admin. DCIEM, CFB Toronto
rwolf@dciem.dnd.ca PO Box 2000 1133 Sheppard Avenue West
uunet!csri.toronto.edu!dciem!rwolf North York (Toronto), Ont., Canada M3M 3B9
Internet: 192.16.207.3 Phone: (416)635-2073 FAX: (416)635-2104
"Capitalism with environmental ethics will benefit the entire world."
------------------------------------------------------------------------------
:
# audit_run.sh
#
# Function: To generate an audit report then remove the audit data.
#
#
# Usage: # /usr/local/bin/audit_run.sh
#
# The following cron entry is usually used:
# 0 2 * * * /bin/nice /usr/local/bin/audit_run.sh 2>&1 |
# /usr/ucb/mail -s "`hostname` audit_run.sh" c2-admin
#
# Log: 1993 Sep 22 rwolf First Version
#
# Requires two site-local helper scripts that are not part of this posting
# (their behaviour is inferred from how they are called below):
#   /usr/local/bin/chk_lock.sh  - takes the lock file, fails if an earlier
#                                 run still holds it
#   /usr/local/bin/un_delay.sh  - sleeps for a random number of seconds
prg=audit_run.sh
ver=1.0
lock_file=/tmp/audit_run.lck
hostname=`hostname`
# Seconds to wait after signalling auditd so it can close the current file
sleep_delay=15
# abnormal_exit: Abnormal exit of the script (on a signal)
abnormal_exit ()
{
# Remove the lock file
/bin/rm -f $lock_file
exit 1
}
trap abnormal_exit 1 2 3 15
# auditd_running: Check that exactly one auditd process is running.
# $1 is a message saying where in the script the check is being made.
auditd_running ()
{
# '[a]uditd' matches "auditd" but not this grep's own command line
count=`ps -aux | grep '[a]uditd' | wc -l | tr -d ' '`
case $count in
0)
echo $1
echo ERROR: audit daemon is not running, one will be started
echo ""
/usr/etc/auditd
sleep $sleep_delay
;;
1)
;;
*)
echo $1
echo ERROR: multiple audit daemon processes are running
echo ""
ps -aux | grep '[a]uditd'
echo ""
;;
esac
}
echo `date` starting $prg ver $ver on $hostname
echo ""
# Verify a previous run of this script is not still running
if /usr/local/bin/chk_lock.sh $lock_file $$ root ; then
:
else
exit 1
fi
# Sleep for a unknown time so as not to flood the mail server with so many
# machines all at the same time.
/usr/local/bin/un_delay.sh 0 15 > /dev/null 2>&1
# Check if the audit daemon was running before.
auditd_running "Is audit daemon running at start of script"
# Setup the directory where the audit trace files are located
dir_file=/etc/security/audit/$hostname/files
# Remove any very very old auditing data file (older than two days), but
# never the file auditd is currently writing (its name ends in not_terminated)
data_file="`find $dir_file -type f -mtime +2 ! -name '*not_terminated*' -print -exec /bin/rm -f {} \;`"
if [ "$data_file" != '' ] ; then
echo Removing the following very very old auditing data files
echo $data_file
echo ""
fi
# Remove any very old auditing data file (terminated files left over from
# a previous run; the file auditd is writing now is named *not_terminated)
cd $dir_file || abnormal_exit
data_file="`ls $dir_file | grep -v 'not_terminated'`"
if [ "$data_file" != '' ] ; then
/bin/rm -f $data_file
echo Removing the following very old auditing data files
echo $data_file
echo ""
fi
# Signal the audit daemon to reread its control file
# (This will cause the audit daemon to flush its buffers, close its files
# and then reopen the next set).
/usr/etc/audit -s
auditd_running "Signalled audit daemon to reread its control file"
sleep $sleep_delay
# Generate the report
data_file=`ls $dir_file | grep -v 'not_terminated'`
if [ "$data_file" = '' ] ; then
echo There is no audit data to generate an audit report from
echo ""
echo `date` $hostname $prg done
# Remove the lock file
/bin/rm -f $lock_file
exit 0
fi
echo Using $data_file to generate audit report
echo ""
echo ""
echo Altered output
# Run praudit over each file in turn ($data_file may name more than one
# file, so a single "< $data_file" redirection would fail), then drop the
# records we do not want to see:
#   - records that mention the audit trail directory
#   - records with a field equal to "cron" (the bug described above)
# Both filters discard records unconditionally, so anything touching the
# trail files or done from a cron job is hidden from this report.
for f in $data_file ; do
/usr/etc/praudit -l < $f
done | \
grep -v '/etc/security/audit/' | \
grep -v ',cron,' | \
tr ',' ' '
#tr ',' '\012'
auditd_running "Is audit daemon running after we generated the audit report"
# Remove the old auditing data file
/bin/rm -f $data_file
# Process all the remote diskless machines
if [ -d /export/root ] ; then
echo `date` starting audit report generation for remote diskless machines
# Loop through the /export/root directory and remotely audit
# (the egrep list excludes lost+found and a few site-specific clients)
ls /export/root | egrep -v 'lost\+found|client1|client2|dretor' | \
while read sys ; do
dir_file="/export/root/$sys/etc/security/audit/$sys/files"
if cd $dir_file ; then
:
else
echo ERROR: no audit directory $dir_file for $sys, skipping
echo ""
continue
fi
# Remove any very old auditing data file
data_file="`ls $dir_file | grep -v 'not_terminated'`"
if [ "$data_file" != '' ] ; then
/bin/rm -f $data_file
echo Removing the following very old auditing data files
echo $data_file
echo ""
fi
# Signal the remote audit daemon to flush its buffers, close
# its files and then open the next set
rsh -n $sys /usr/etc/audit -n
sleep $sleep_delay
echo ""
# Generate the report (the client's audit directory lives on this
# server's disk, so praudit runs locally, one file at a time)
data_file=`ls $dir_file | grep -v 'not_terminated'`
if [ "$data_file" = '' ] ; then
echo There is no audit data for $sys
echo ""
continue
fi
echo Using $data_file to generate audit report for $sys
for f in $data_file ; do
/usr/etc/praudit -l < $f
done | \
grep -v '/etc/security/audit/' | \
grep -v ',cron,' | \
tr ',' ' '
#tr ',' '\012'
# Remove the old auditing data file
/bin/rm -f $data_file
done
fi
auditd_running "Is audit daemon running after we are all done"
echo ""
echo `date` $hostname $prg done
# Remove the lock file
/bin/rm -f $lock_file
exit 0
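An added example, not part of Robert's posting or of Sun's software: a small
audit-reduction filter for praudit -l style one-record-per-line,
comma-separated output. The script above uses grep -v ',cron,' (which drops
any record with a field equal to cron, wherever it occurs) and
grep -v '/etc/security/audit/' (which drops every record that mentions the
trail directory). The filter below instead drops a record only when one named
field is "cron", always keeps records that touch the audit trail directory,
and prints how many records it suppressed so the reduction itself shows up in
the nightly report. The field layout, the column number passed to reduce, and
the sample records are assumptions constructed for illustration; they are not
real praudit output, so set the column to whatever carries the process or
user name on your system.

```sh
#!/bin/sh
# Added example (not from the original posting): audit reduction that keeps
# the suppression visible. Assumes praudit -l style records, one per line,
# comma-separated. The field layout below is an ASSUMPTION for illustration.

# Constructed sample records (NOT real praudit output). Assumed layout:
# header,event-id,event,timestamp,user,process,object,result
SAMPLE='header,23,exec,1993-09-22 02:00:01,alice,cron,/bin/sh,success
header,23,exec,1993-09-22 02:00:02,bob,cron,/usr/bin/backup,success
header,19,login,1993-09-22 02:03:17,root,console,,failure
header,23,exec,1993-09-22 02:05:44,root,cron,/bin/rm /etc/security/audit/zeus/files/x,success
header,17,open,1993-09-22 02:07:00,mallory,sh,/etc/passwd,failure'

# reduce FIELD
# Reads records on stdin. Drops a record only when its FIELD-th field is
# exactly "cron" AND the record does not mention the audit trail directory;
# every record naming the trail directory is kept, whoever produced it.
# Prints the kept records followed by a trailer line "suppressed: N".
reduce() {
    awk -F, -v f="$1" '
        $f == "cron" && index($0, "/etc/security/audit/") == 0 { dropped++; next }
        { print }
        END { printf "suppressed: %d\n", dropped + 0 }
    '
}

# Number of records the filter kept for the sample (assumed process field = 6)
kept_count() {
    printf '%s\n' "$SAMPLE" | reduce 6 | grep -vc '^suppressed:'
}

# Number of records the filter suppressed for the sample
suppressed() {
    printf '%s\n' "$SAMPLE" | reduce 6 | sed -n 's/^suppressed: //p'
}

# Stand-alone run: the report as it would be mailed. The two plain cron
# jobs are dropped; the cron job that removed a trail file, the failed
# root login and the /etc/passwd open all stay, and the trailer says "2".
printf '%s\n' "$SAMPLE" | reduce 6
```

The trailer is the point: a nightly report that silently drops records gives
no way to tell "nothing happened" from "everything was filtered out", so the
count of suppressed records belongs in the report alongside what was kept.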
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:08:17 CDT