RE: BSM Audit Records
From: Small, Jim (jim.small_at_eds.com)
To: email@example.com Date: Tue, 20 May 2003 15:34:03 -0400
I know about the docs.sun.com reference. Specifically, just like you said,
it covers the terminal ID:
For device numbers:
32-bit applications: 4-byte device number, 4-bytes unused
64-bit applications: 8-byte device number, 4-bytes unused
For port numbers in the Solaris 7 release or earlier releases:
32-bit applications: 4-byte port number, 4-byte IP address
64-bit applications: 8-byte port number, 4-byte IP address
For port numbers in the Solaris 8 or 9 releases:
32-bit with IPV4: 4-byte port number, 4-byte IP type, 4-byte IP address
32-bit with IPV6: 4-byte port number, 4-byte IP type, 16-byte IP address
64-bit with IPV4: 8-byte port number, 4-byte IP type, 4-byte IP address
64-bit with IPV6: 8-byte port number, 4-byte IP type, 16-byte IP address
This doesn't completely clear things up for me though. Perhaps an example
would be better. If I am parsing login/logout (lo) records in my "short"
form, I might see something like this (truncated for clarity):
+ftp access for root from 8197 21 host1.dom1.com on Wed 07 May 2003...
+login - local for root from 0 0 192.168.128.95 on Mon 12 May 2003...
+login - telnet for root from 419 23 192.168.145.35 on Mon 12 May 2003...
+login - ssh for root from 0 1447 host1.dom1.com on Tue 20 May 2003...
Here we have 4 types of access:
ftp, dtlogin, telnet, and ssh (All on Solaris 9 12/02)
If I do a file on ftp, dtlogin, telnet, and ssh, I can determine that they
are all 32bit apps:
ELF 32-bit MSB executable SPARC Version 1, dynamically linked, [not]
Therefore, all of these except for dtlogin should be giving me a 4-byte port
number, and 4-byte IP type, and a 4-byte IP address.
The 4-byte IP is obvious.
I don't know what the 4-byte IP type is.
I'm not sure what the 4-byte port number is. Is this 2 bytes for the local
port and 2 bytes for the remote port? How does praudit interpret this?
Now dtlogin, since you are logging in via the console, I'm not sure what you
should expect and you get 0 0.
For the other 3, I connected to the Solaris 9 box and using netstat detected
the ports on the local and remote end.
For ftp, 8197 21, I'm not sure how to parse this. Is 21 the local port? If
so, then what's 8197? It does not correspond with the remote port. I tried
converting the numbers to hex and then adding/removing digits to see if some
combination would yield the remote port number, but no dice.
For telnet, 419 23, it's the same story. 23 could be the local port, but
what is 419? Also, this is not consistent with the documentation which
states a 4-byte port number, especially because see below with ssh.
For ssh, 0 1447, 1447 is the remote port, and 22 is the local. This seems
to contradict the logic displayed by telnet and ftp earlier. So I don't
know how I should interpret the port numbers.
Is there more documentation somewhere or an example program? Is this just a
problem with using praudit?
Any advice or pointers would be greatly appreciated.
Heck Darren, I'm in the Detroit Area Sun Technologies User Group, let me
know who maintains BSM/auditd and maybe my local Sun friends can get them to
speak at our group!