RE: Audit Explanations

From: Myers, Mike (Mike.Myers@NWDC.IBS-LMCO.com)
Date: 08/16/01


Message-ID: <F34B3C833DDBD311B77800508B0CB0BF041EAFE9@nwdc02ex>
From: "Myers, Mike" <Mike.Myers@NWDC.IBS-LMCO.com>
To: "'Dariusz Klar'" <Dariusz.Klar@Sun.COM>, "Jeff Leckemby" <Jeff.Leckemby@sptrm.com>
Subject: RE: Audit Explanations
Date: Thu, 16 Aug 2001 07:55:54 -0700

A more direct URL is:

        http://www.samag.com/articles/2000/0013/0013d/0013d.htm

The download is almost at the end of the article.

Cheers,
 - Mike Myers, mike.myers@nwdc.ibs-lmco.com

-----Original Message-----
From: Dariusz Klar [mailto:Dariusz.Klar@Sun.COM]
Sent: August 16, 2001 1:36 AM
To: Jeff Leckemby
Cc: focus-sun@securityfocus.com
Subject: Re: Audit Explanations

Jeff Leckemby wrote:
>
> Greetings All,
>
> I have been reading items from this list server and doing some research on
> Solaris auditing for quite some time in attempts to find information on the
> meaning behind items written to auditing files in Unix environments, esp.
> Solaris OSs. My basic need is this... is there some reference that
> explains, tells, deciphers what the text in a typical audit record means.
> Granted some are obvious, f.e. chmod and login entries... but others aren't
> so easily defined. I am familiar with Audit Token Structure, praudit and
> auditreduce, docs.sun.com. etc., but these sources/tools haven't been too
> helpful. If any of you know of where I can look for explanations of audit
> events I would be truly grateful for your help. I have attached a snippet
> of an audit file below for reference.
>
> header,130,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 889995370 msec
> path,/var/dt/sdtlogin/0
> attribute,10600,root,root,136,99494,0
> subject,someuser,root,staff,root,staff,313,312,0 0 someputer
> wreturn,success,0
>
> header,126,2,open(2) - write,trunc,,Fri Jun 08 13:50:23 2001, + 969994228 msec
> path,/export/home/someuser/.dt/sessions/lastsession
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,success,4
>
> header,115,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
> path,/export/home/someuser/.Xauthority-n
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,failure: No such file or directory,-1
>
> header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
> path,/export/home/someuser/.Xauthority-n
> attribute,100600,someuser,staff,136,16540,0
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,success,4
>
> header,170,2,chmod(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
> argument,2,0x180,new file mode
> path,/export/home/someuser/.Xauthority-n
> attribute,100600,someuser,staff,136,16540,0
> subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
> return,success,0
>
> Jeff Leckemby

-- 
You can use bsmviewer, written especially for this purpose. It makes
reading difficult audit logs easier because of its graphical interface and
other useful features (pre-selecting, filtering).

You can download it from www.sysadminmag.com

regards,

Darek
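Neither reply in the thread actually decodes the snippet, so the following is an added example (mine, not code from the thread, from Sun's documentation or from bsmviewer) of a small Python parser for praudit's default text output, one token per line as praudit prints it, run over the five records Jeff quoted, re-typed one token per line as constructed sample input. The field layout of each token follows the audit.log(4) man page: header is byte count, version, event name, modifier, timestamp; attribute is octal file mode, owner, group, file system ID, node ID, device; subject is audit ID, effective UID/GID, real UID/GID, PID, session ID, terminal ID; argument is argument number, hex value, description; return is status and return value. Event names such as "open(2) - write,creat,trunc" themselves contain commas, so the header cannot be split naively; the terminal ID ("0 0 someputer") is kept as a raw string because its layout differs between Solaris releases; the "wreturn" line is left exactly as posted and surfaces as an undecoded token rather than aborting the parse. The record-summary format and the `identity_changes` helper are my own additions.

```python
import re
import stat
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample: the five records quoted in the thread, one token per
# line as praudit(1M) prints them (the mail client had re-wrapped them).
SAMPLE = """\
header,130,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 889995370 msec
path,/var/dt/sdtlogin/0
attribute,10600,root,root,136,99494,0
subject,someuser,root,staff,root,staff,313,312,0 0 someputer
wreturn,success,0
header,126,2,open(2) - write,trunc,,Fri Jun 08 13:50:23 2001, + 969994228 msec
path,/export/home/someuser/.dt/sessions/lastsession
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
header,115,2,unlink(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,failure: No such file or directory,-1
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001, + 979998030 msec
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
header,170,2,chmod(2),,Fri Jun 08 13:50:23 2001, + 979998030 msec
argument,2,0x180,new file mode
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,0
"""

# header,<byte count>,<version>,<event>,<modifier>,<date>, + <n> msec
# The event group is greedy because names like "open(2) - write,creat,trunc"
# contain commas; the modifier (usually empty) is whatever sits between the
# last comma and the timestamp.
HEADER_RE = re.compile(
    r"^header,(\d+),(\d+),(.*),(.*?),"
    r"(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}), \+ (\d+) msec$"
)


@dataclass
class Record:
    length: int
    version: int
    event: str
    modifier: str
    time: datetime
    msec: int
    paths: list = field(default_factory=list)
    attribute: Optional[dict] = None
    subject: Optional[dict] = None
    arguments: list = field(default_factory=list)
    ret: Optional[dict] = None
    unknown: list = field(default_factory=list)  # token lines not decoded


def _attribute(raw):
    # attribute,<mode (octal)>,<owner>,<group>,<fs id>,<node id>,<device>
    f = raw.split(",")
    mode = int(f[0], 8)  # 10600 -> FIFO 0600, 100600 -> regular file 0600
    return {"mode": mode, "filemode": stat.filemode(mode), "owner": f[1],
            "group": f[2], "fsid": int(f[3]), "node": int(f[4]), "device": int(f[5])}


def _subject(raw):
    # subject,<audit id>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<session id>,<terminal id>
    f = raw.split(",", 7)
    return {"auid": f[0], "euid": f[1], "egid": f[2], "ruid": f[3], "rgid": f[4],
            "pid": int(f[5]), "sid": int(f[6]), "tid": f[7]}


def _argument(raw):
    # argument,<arg number>,<hex value>,<description>
    num, val, desc = raw.split(",", 2)
    return {"number": int(num), "value": int(val, 16), "description": desc}


def _return(raw):
    # return,<success | failure: errno text>,<return value>
    status, value = raw.rsplit(",", 1)
    return {"status": status, "value": int(value)}


def parse_praudit(text):
    """Parse praudit default text output (one token per line) into Records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            length, version, event, modifier, when, msec = m.groups()
            records.append(Record(int(length), int(version), event, modifier,
                                  datetime.strptime(when, "%a %b %d %H:%M:%S %Y"),
                                  int(msec)))
            continue
        kind, _, raw = line.partition(",")
        if kind == "header" or not records:
            raise ValueError(f"malformed or out-of-place token: {line!r}")
        rec = records[-1]
        if kind == "path":
            rec.paths.append(raw)
        elif kind == "attribute":
            rec.attribute = _attribute(raw)
        elif kind == "subject":
            rec.subject = _subject(raw)
        elif kind == "argument":
            rec.arguments.append(_argument(raw))
        elif kind == "return":
            rec.ret = _return(raw)
        else:
            rec.unknown.append(line)  # e.g. the "wreturn" line as posted
    return records


def summarize(rec):
    """One readable line per record: who did what to which object, and the outcome."""
    who = rec.subject["auid"] if rec.subject else "?"
    if rec.subject and rec.subject["euid"] != rec.subject["auid"]:
        who += f" (running as {rec.subject['euid']})"
    what = rec.paths[0] if rec.paths else ""
    if rec.attribute:
        what += f" [{rec.attribute['filemode']} {rec.attribute['owner']}:{rec.attribute['group']}]"
    for a in rec.arguments:
        what += f" {a['description']}={a['value']:#o}"
    outcome = f"{rec.ret['status']} ({rec.ret['value']})" if rec.ret else "no return token"
    return f"{rec.time:%H:%M:%S} {rec.event}: {who} -> {what}: {outcome}"


def identity_changes(records):
    """Records whose audit ID differs from the effective UID. The audit ID is set
    at login and survives su and set-uid execs, so it is the field that ties a
    root action (first record: dtlogin's FIFO) back to the person who logged in."""
    return [r for r in records if r.subject and r.subject["auid"] != r.subject["euid"]]


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for r in recs:
        print(summarize(r))
        for u in r.unknown:
            print("   undecoded token:", u)
    print("root actions attributable to a login user:",
          [r.paths[0] for r in identity_changes(recs)])
```

Two things the summary makes visible that the raw tokens do not: the attribute mode 10600 on /var/dt/sdtlogin/0 decodes to a FIFO (prw-------), so the first record is root, acting on behalf of the login user someuser, removing dtlogin's named pipe, and the "failure: No such file or directory" on the first .Xauthority-n unlink is the normal unlink-before-create pattern rather than an error worth alerting on.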


