Audit Explanations
From: Jeff Leckemby (Jeff.Leckemby@sptrm.com)
Date: 08/14/01
- Previous message: Neil Dickey: "RE: SunScreen Lite vs. IPF."
- Next in thread: Darren J Moffat: "Re: Audit Explanations"
- Reply: Darren J Moffat: "Re: Audit Explanations"
- Reply: Leckemby Jeffrey M Contr ACC/INSC (SPECTRUM): "RE: Audit Explanations"
- Reply: Darren Moffat: "RE: Audit Explanations"
- Reply: Leckemby Jeffrey M Contr ACC/INSC (SPECTRUM): "RE: Audit Explanations"
- Reply: Dariusz Klar: "Re: Audit Explanations"
- Reply: Myers, Mike: "RE: Audit Explanations"
- Reply: Peter.Havens@Level3.com: "RE: Audit Explanations"
Message-ID: <1F0AC6C0DDECD41193A300B0D079F86C120C9B@h-fs-1.sptrm.com>
From: Jeff Leckemby <Jeff.Leckemby@sptrm.com>
To: focus-sun@securityfocus.com
Subject: Audit Explanations
Date: Tue, 14 Aug 2001 08:20:03 -0400

Greetings All,
I have been reading items from this list server and doing some research on
Solaris auditing for quite some time in attempts to find information on the
meaning behind items written to auditing files in Unix environments, esp.
Solaris OSs. My basic need is this... is there some reference that
explains, tells, deciphers what the text in a typical audit record means.
Granted some are obvious, f.e. chmod and login entries... but others aren't
so easily defined. I am familiar with Audit Token Structure, praudit and
auditreduce, docs.sun.com, etc., but these sources/tools haven't been too
helpful. If any of you know of where I can look for explanations of audit
events I would be truly grateful for your help. I have attached a snippet
of an audit file below for reference.
header,130,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 889995370 msec
path,/var/dt/sdtlogin/0
attribute,10600,root,root,136,99494,0
subject,someuser,root,staff,root,staff,313,312,0 0 someputer
wreturn,success,0
header,126,2,open(2) - write,trunc,,Fri Jun 08 13:50:23 2001, + 969994228 msec
path,/export/home/someuser/.dt/sessions/lastsession
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
header,115,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,failure: No such file or directory,-1
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
header,170,2,chmod(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
argument,2,0x180,new file mode
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,0
Jeff Leckemby
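
Added example, not part of the original post: a small parser for the praudit text quoted above, with field positions taken from the token layouts in Solaris audit.log(4) (the dictionary key names and function names are this example's own). It also lists events where the subject token's audit ID differs from the effective UID, which is the comparison that ties an action back to the login identity.

```python
# Token layouts follow Solaris audit.log(4); the dict key names are this example's own.
FIELDS = {
    "path": ["path"],
    "attribute": ["mode", "owner", "group", "fsid", "inode", "device"],
    "subject": ["audit_id", "euid", "egid", "ruid", "rgid", "pid", "session_id", "terminal"],
    "return": ["status", "value"],
    "argument": ["arg_number", "arg_value", "description"],
}

# Two records from the post's snippet, re-broken to one token per line.
SAMPLE = """\
header,130,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 889995370 msec
path,/var/dt/sdtlogin/0
attribute,10600,root,root,136,99494,0
subject,someuser,root,staff,root,staff,313,312,0 0 someputer
wreturn,success,0
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
"""

def parse_header(line):
    # Event names like "open(2) - write,creat,trunc" contain commas: anchor on both ends.
    p = line.split(",")
    return {"bytes": int(p[1]), "version": int(p[2]), "event": ",".join(p[3:-3]),
            "modifier": p[-3], "time": p[-2].strip(), "fraction": p[-1].strip()}

def parse_records(text):
    """Group praudit token lines into records; unknown token names are kept raw."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        name = line.split(",", 1)[0]
        if name == "header":
            records.append({"header": parse_header(line), "tokens": {}})
        elif records:
            names = FIELDS.get(name)
            records[-1]["tokens"][name] = (
                dict(zip(names, line.split(",", len(names))[1:])) if names else {"raw": line})
    return records

def identity_mismatches(records):
    """Events where the audit ID (login identity) differs from the effective UID."""
    return [(r["header"]["event"], s["audit_id"], s["euid"], r["tokens"].get("path", {}).get("path"))
            for r in records if (s := r["tokens"].get("subject")) and s["audit_id"] != s["euid"]]

if __name__ == "__main__":
    print(identity_mismatches(parse_records(SAMPLE)))
```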