RE: Audit Explanations

From: Leckemby Jeffrey M Contr ACC/INSC (SPECTRUM) (jeffrey.leckemby@langley.af.mil)
Date: 08/14/01


Message-ID: <9626BB915076D51183370003474E0E7502686C5C@lfi-ms-693-02.langley.af.mil>
From: "Leckemby Jeffrey M Contr ACC/INSC (SPECTRUM)" <jeffrey.leckemby@langley.af.mil>
To: "'Darren J Moffat'" <darrenm@eng.sun.com>, Jeff Leckemby <Jeff.Leckemby@sptrm.com>
Subject: RE: Audit Explanations
Date: Tue, 14 Aug 2001 13:34:34 -0400

My intention is not to be curt, but let's take one from those presented
previously and attempt to define what it is telling you. What is happening
in the computer [someputer] that caused this transaction?

header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4

Per your reply "What parts of the audit records you listed do you not
understand ?
        
          What is: 148,2,
                and: .Xauthority-n attribute,100600
                and: 313,312,0 0
                and: return,success,4

What is it you are trying to achieve ?"
        
                I am trying to decipher the audit log to determine what is
happening in the machine at any given time. The best example would be, if
you have a computer related security incident... (I understand this may be a
bit broad)... but how might this appear in an audit log.

Jeff Leckemby

-----Original Message-----
From: Darren J Moffat [mailto:darrenm@eng.sun.com]
Sent: Tuesday, August 14, 2001 1:08 PM
To: Jeff Leckemby
Cc: focus-sun@securityfocus.com; Jml Langley (E-mail)
Subject: Re: Audit Explanations

On Tue, 14 Aug 2001, Jeff Leckemby wrote:

> explains, tells, deciphers what the text in a typical audit record means.
> Granted some are obvious, f.e. chmod and login entries... but others aren't
> so easily defined. I am familiar with Audit Token Structure, praudit and
> auditreduce, docs.sun.com. etc., but these sources/tools haven't been too
> helpful. If any of you know of where I can look for explanations of audit
> events I would be truly grateful for your help. I have attached a snippet
> of an audit file below for reference.

You need to be a lot more specific in what you want to know.

What parts of the audit records you listed do you not understand ?
What is it you are trying to achieve ?

--
Darren J Moffat

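[Editor's note, not part of the thread.] The record Jeff quoted is praudit's default text form of a Solaris BSM record: one token per line, comma-separated fields, and the "+" / "979998030 msec" break in his mail is just an e-mail line wrap. The fields he asked about are, token by token: `header,148,2,...` is the record byte count and token version, followed by the event name (`open(2) - write,creat,trunc`, which itself contains commas), an empty event modifier, and the timestamp; `attribute,100600,...` is the file's st_mode in octal (regular file, 0600), owner, group, filesystem id, node id and device; `subject,...,313,312,0 0 someputer` is audit ID, effective uid, gid, real uid, real gid, pid 313, audit session 312 and the terminal id (device major/minor and host); `return,success,4` is the errno status and the syscall's return value, here file descriptor 4. The parser below, written for this page as an added example and not code from the thread or from Sun, reads that layout, prints a one-line reading of each record, and runs a few triage checks a responder would start with (login identity differing from the effective uid, group/other-writable modes, failed calls). The second and third records in `CONSTRUCTED` are made up to exercise those checks; only `SAMPLE` comes from the mail.

```python
"""Parser for Solaris BSM audit records in praudit's default text form
(one token per line, comma-separated fields), plus a few triage checks.
Added example for this page; not code from the Focus-SUN thread or from Sun."""
from dataclasses import dataclass
from typing import Optional

# The record quoted in the mail, reflowed to one token per line.
SAMPLE = """\
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
"""

# Constructed records (NOT from the mail) to exercise the checks: a session
# audited as someuser, now running as root, creates a world-writable file;
# then an open that failed with an errno.
CONSTRUCTED = """\
header,146,2,open(2) - write,creat,trunc,,Fri Jun 08 13:52:10 2001, + 12000000 msec
path,/export/home/someuser/.rhosts
attribute,100666,root,other,136,16541,0
subject,someuser,root,other,root,other,340,312,0 0 someputer
return,success,3
header,120,2,open(2) - write,creat,trunc,,Fri Jun 08 13:53:41 2001, + 5000000 msec
path,/etc/shadow
subject,someuser,someuser,staff,someuser,staff,351,312,0 0 someputer
return,failure: Permission denied,-1
"""


@dataclass
class AuditRecord:
    length: int                      # header: record byte count
    version: int                     # header: token version
    event: str                       # header: event type name
    modifier: str                    # header: event modifier (empty in the sample)
    time: str                        # header: ctime-style timestamp
    subsec: str                      # header: sub-second part exactly as printed
    path: Optional[str] = None       # path token
    mode: Optional[int] = None       # attribute token: st_mode (octal in the text)
    owner: Optional[str] = None      # attribute token: owner
    group: Optional[str] = None      # attribute token: group
    audit_uid: Optional[str] = None  # subject token: audit ID fixed at login, survives su
    uid: Optional[str] = None        # subject token: effective uid
    gid: Optional[str] = None
    ruid: Optional[str] = None       # subject token: real uid
    rgid: Optional[str] = None
    pid: Optional[int] = None
    sid: Optional[int] = None        # subject token: audit session id
    terminal: Optional[str] = None   # subject token: "major minor host"
    status: Optional[str] = None     # return token: "success" or "failure: <strerror>"
    retval: Optional[int] = None     # return token: syscall return value (fd for open)


def parse_records(text: str) -> list:
    """Split praudit text into records; each record starts at a header token."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            # header,<len>,<version>,<event>,<modifier>,<date>, + <n> msec
            # The event name may contain commas, so peel the fixed fields off
            # both ends and join whatever is left in the middle.
            cur = AuditRecord(length=int(fields[1]), version=int(fields[2]),
                              event=",".join(fields[3:-3]), modifier=fields[-3],
                              time=fields[-2].strip(), subsec=fields[-1].strip())
            records.append(cur)
            continue
        if cur is None:
            raise ValueError(f"token before any header: {line!r}")
        if tok == "path":
            cur.path = ",".join(fields[1:])
        elif tok == "attribute":   # attribute,<mode>,<owner>,<group>,<fsid>,<nodeid>,<dev>
            cur.mode = int(fields[1], 8)
            cur.owner, cur.group = fields[2], fields[3]
        elif tok == "subject":     # subject,<auid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
            cur.audit_uid, cur.uid, cur.gid, cur.ruid, cur.rgid = fields[1:6]
            cur.pid, cur.sid = int(fields[6]), int(fields[7])
            cur.terminal = ",".join(fields[8:])
        elif tok == "return":      # return,<status>,<retval>
            cur.status, cur.retval = ",".join(fields[1:-1]), int(fields[-1])
    return records


def describe(rec: AuditRecord) -> str:
    """One-line reading of a record, the way a responder would phrase it."""
    actor = rec.uid if rec.uid == rec.audit_uid else f"{rec.uid} (audit uid {rec.audit_uid})"
    result = f"returned {rec.retval}" if rec.status == "success" else rec.status
    host = rec.terminal.split()[-1] if rec.terminal else "?"
    return f"{rec.time}: {actor} pid {rec.pid} on {host} did {rec.event} on {rec.path}, {result}"


def findings(rec: AuditRecord) -> list:
    """Triage checks on one record; an empty list means nothing stood out."""
    out = []
    if rec.audit_uid and rec.uid and rec.uid != rec.audit_uid:
        out.append(f"pid {rec.pid}: login identity {rec.audit_uid} acting as {rec.uid}")
    if rec.mode is not None and rec.mode & 0o022:
        out.append(f"{rec.path}: group/other-writable mode 0{rec.mode & 0o7777:o}")
    if rec.status and rec.status != "success":
        out.append(f"pid {rec.pid}: {rec.event} on {rec.path} {rec.status}")
    return out


if __name__ == "__main__":
    for rec in parse_records(SAMPLE + CONSTRUCTED):
        print(describe(rec))
        for f in findings(rec):
            print("  !", f)
```

Run against the record from the mail, the reading is: someuser (audit uid, effective uid and real uid all the same, so no su in the session), pid 313 in audit session 312 on someputer, opened /export/home/someuser/.Xauthority-n for write with create and truncate, the file is a regular file mode 0600 owned by someuser:staff, and the call succeeded returning descriptor 4. None of the checks fire; the `-n` suffix is the temporary file xauth writes before renaming it over `.Xauthority`, so this is routine X session housekeeping. The constructed records show what the same checks look like when the effective uid has drifted from the login identity, a file is created world-writable, or the open fails.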