Re: Audit Explanations

From: Dariusz Klar (Dariusz.Klar@Sun.COM)
Date: 08/16/01


Message-ID: <3B7B85E5.B62349D4@Sun.COM>
Date: Thu, 16 Aug 2001 10:35:49 +0200
From: Dariusz Klar <Dariusz.Klar@Sun.COM>
To: Jeff Leckemby <Jeff.Leckemby@sptrm.com>
Subject: Re: Audit Explanations

Jeff Leckemby wrote:
>
> Greetings All,
>
> I have been reading items from this list server and doing some research on
> Solaris auditing for quite some time in an attempt to find information on the
> meaning behind items written to auditing files in Unix environments, esp.
> Solaris OSs. My basic need is this: is there some reference that
> explains, tells, deciphers what the text in a typical audit record means?
> Granted some are obvious, e.g. chmod and login entries, but others aren't
> so easily defined. I am familiar with Audit Token Structure, praudit and
> auditreduce, docs.sun.com, etc., but these sources/tools haven't been too
> helpful. If any of you know of where I can look for explanations of audit
> events I would be truly grateful for your help. I have attached a snippet
> of an audit file below for reference.
>
> header,130,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 889995370 msec
> path,/var/dt/sdtlogin/0
> attribute,10600,root,root,136,99494,0
> subject,someuser,root,staff,root,staff,313,312,0 0 someputer
> wreturn,success,0
>
> header,126,2,open(2) - write,trunc,,Fri Jun 08 13:50:23 2001, + 969994228 msec
> path,/export/home/someuser/.dt/sessions/lastsession
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,success,4
>
> header,115,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
> path,/export/home/someuser/.Xauthority-n
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,failure: No such file or directory,-1
>
> header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
> path,/export/home/someuser/.Xauthority-n
> attribute,100600,someuser,staff,136,16540,0
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,success,4
>
> header,170,2,chmod(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
> argument,2,0x180,new file mode
> path,/export/home/someuser/.Xauthority-n
> attribute,100600,someuser,staff,136,16540,0
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,success,0
>
> Jeff Leckemby

You can use bsmviewer, written especially for this purpose. It makes
reading difficult audit logs easier because of its graphical interface and
other useful features (preselecting, filtering).

You can download it from www.sysadminmag.com

regards,

Darek
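To make the token layout in Jeff's snippet concrete, here is an added example (it is not from either post and has nothing to do with bsmviewer): a small Python parser for praudit's comma-delimited text output. Field names follow the Solaris BSM token descriptions for the header, path, attribute, subject, argument and return tokens; the sample input is the five records quoted above, rejoined one token per line, with the "wreturn" line reproduced exactly as written so that it shows up as an unrecognised token rather than being silently dropped.

```python
"""Decode praudit(1M) text output (Solaris BSM) into labelled records."""
import re
import stat

# Sample input: the five records quoted in the post, rejoined one token per
# line as praudit emits them (the mail client had wrapped some of them).
SAMPLE = """\
header,130,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 889995370 msec
path,/var/dt/sdtlogin/0
attribute,10600,root,root,136,99494,0
subject,someuser,root,staff,root,staff,313,312,0 0 someputer
wreturn,success,0
header,126,2,open(2) - write,trunc,,Fri Jun 08 13:50:23 2001, + 969994228 msec
path,/export/home/someuser/.dt/sessions/lastsession
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
header,115,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,failure: No such file or directory,-1
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
header,170,2,chmod(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
argument,2,0x180,new file mode
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,0
"""

# header: byte count, version, event name, event modifier, timestamp. The event
# name ("open(2) - write,creat,trunc") and the timestamp both contain commas, so
# the header is matched by anchoring on the timestamp, not by splitting on commas.
HEADER_RE = re.compile(
    r"^header,(?P<bytes>\d+),(?P<version>\d+),(?P<event>.+?),(?P<modifier>[^,]*),"
    r"(?P<time>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}), \+ (?P<msec>\d+) msec$")
# subject: audit ID, effective uid/gid, real uid/gid, pid, session ID, terminal ID
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")
# attribute: mode (octal, with file-type bits), owner, group, fsid, inode, device
ATTRIBUTE_FIELDS = ("mode", "uid", "gid", "fsid", "nodeid", "device")

def parse_token(line, rec):
    """Decode one non-header praudit line; unknown token types are kept verbatim."""
    kind, _, body = line.partition(",")
    if kind == "path":
        rec["path"] = body
    elif kind == "subject":
        rec["subject"] = dict(zip(SUBJECT_FIELDS, body.split(",", 7)))
    elif kind == "attribute":
        rec["attribute"] = dict(zip(ATTRIBUTE_FIELDS, body.split(",", 5)))
    elif kind == "argument":
        num, value, text = body.split(",", 2)  # value is printed in hex (0x180)
        rec.setdefault("argument", []).append({"num": int(num), "value": int(value, 0), "text": text})
    elif kind == "return":
        status, _, value = body.rpartition(",")  # error text may contain commas
        rec["return"] = {"status": status, "value": int(value)}
    else:
        rec.setdefault("unparsed", []).append(line)

def parse_praudit(text):
    """Group praudit lines into records, one per header token."""
    records, rec = [], None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("header,"):
            match = HEADER_RE.match(line)
            if match is None:
                raise ValueError(f"unrecognised header token: {line}")
            rec = {"header": match.groupdict()}
            records.append(rec)
        elif rec is None:
            raise ValueError(f"token before any header: {line}")
        else:
            parse_token(line, rec)
    return records

def mode_text(attribute):
    """attribute mode is octal with the file-type bits: 100600 -> -rw-------"""
    return stat.filemode(int(attribute["mode"], 8))

def summarize(rec):
    """One-line, analyst-readable rendering of a parsed record."""
    hdr, subj, ret = rec["header"], rec.get("subject", {}), rec.get("return", {})
    who = subj.get("auid", "?")
    if subj.get("euid") and subj["euid"] != who:
        who += f" as {subj['euid']}"  # the audit ID survives su; euid is the privilege used
    what = hdr["event"] + "".join(f" [{a['text']} {a['value']:#o}]" for a in rec.get("argument", []))
    target = rec.get("path", "")
    if "attribute" in rec:
        target += f" ({mode_text(rec['attribute'])} {rec['attribute']['uid']}:{rec['attribute']['gid']})"
    return (f"{hdr['time'][11:19]} pid {subj.get('pid', '?')} {who}: {what} {target}"
            f" -> {ret.get('status', '?')} ({ret.get('value', '?')})")

if __name__ == "__main__":
    for record in parse_praudit(SAMPLE):
        print(summarize(record))
        for raw in record.get("unparsed", []):
            print("   unrecognised token:", raw)
```

Two details of the snippet drive the design. The first subject token reads someuser,root,staff,root,staff: the audit ID stays someuser while the effective and real UID are root, which is exactly the "who really did this" distinction that auditing preserves across su, so the summary prints "someuser as root". And the chmod argument 0x180 is a hex value that only makes sense rendered in octal (0600), matching the 100600 mode in the attribute token that follows it.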


