Logblog
Log Management & Intelligence For Compliance, Risk Mitigation & Business Continuity
Today LogLogic announced the appoint of Patricia C. Sueltz as Chief Executive Officer (click here for press release). Sueltz brings proven leadership as a veteran technology executive with more than 25 years of executive experience. Sueltz joins LogLogic from SurfControl where she served as CEO and prior to that she has held senior leadership roles at Sun Microsystems, IBM and Salesforce.com.
As LogLogic continues to grow and look towards the next phase as the leader in log management solutions, we are excited and proud to have Pat join the team to lead us into the future. Welcome to LogLogic, Pat!
Following the new "tradition" of posting a security tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative.
So, Anton Security Tip of the Day #13: Into the Darkness ... or The Ominous World of Unix Binary Audit Logs
In this tip, we will take a peek at one of the most esoteric areas of logging: Unix binary audit logs. Solaris BSM and Trusted Solaris auditing is the least unknown :-) example of it, even though other Unix vendors have similar auditing capabilities - see this for HP-UX Audit and this for IBM AIX audit. Linux kernel audit is also pretty much the same thing. If you look for information on 'Solaris BSM audit logs' , you'd find plenty of tips on how to enable such logging, a little on how to manage/rotate the log files, a bit on how to survive the resulting data deluge and ALMOST NOTHING on what to do with the log data, which is kinda sad :-) After looking at BSM logs for a while, I developed an opinion that nobody has ever looked at them on a regular basis :-)
So, let's assume you enabled Solaris BSM kernel audit for user "root" and few other "interesting" users (there is no per-object logging in Solaris; other Unix variants do have it) via the following commonly recommended per-user configuration in /etc/security/audit_user:
root:lo,ad,fw:no
anton:all,-all:no
jsmith:all,-all:no
This configuration file pretty much leads to logging of everything that the above listed users do. Now, you have audit files growing like mushrooms in your /var/audit. What good does it give us? First, we need to convert the binary audit files into text - something along the lines of
# auditreduce -A /var/audit/20071127193515.not_terminated.SunUltra10 | praudit -l > /tmp/sol_box_11272007
will do. Now what? In this tip we will pick one thing to use these logs for: how use them to see who is trying to copy sensitive files off the system.
First, who is connecting out - lets's search the logs for 'connect' calls (if you are using LogLogic for it, use Index Search for this task; if not, grep will have to do, but be prepared to wait, possibly a looooooooooooong time :-)). A few recommended searches: