System News
News about Solaris and Sun Microsystems

January 8, 2010
Article #22504
Volume 143, Issue 1
Section: Solaris

Solaris Auditing isn't as difficult as you've been led to think.
Solaris Auditing (BSM): Dispelling Some of the Myths
The Chief One Being Its Difficulty

Ben Rockwood has no patience with skeptics who dismiss Solaris Auditing (BSM) as too difficult: it is a simple process, he argues. The real problem is that most tutorials on the subject fail to explain how to make use of the audit data. In a recent post, Rockwood discusses how to make intelligent use of the resulting audit trails.

Solaris Auditing, Rockwood writes, is extremely powerful, but audit logs are pointless unless you can generate useful reports and store the data in an accessible and intelligible way. His lengthy post includes abundant code samples that demonstrate the use of BSM.

Rockwood begins with a suggestion for changing how auditing collects data. Here he stresses the importance of enabling the "+zonename" and "+argv" policies so that the audit trail shows both the commands as they execute and the arguments they were given.

He also explains why he recommends the "+perzone" policy: it makes audit trails available to the users of each zone and keeps out users in the global zone who may not want to be audited.

Next, Rockwood discusses the maintenance of audit trails, in particular rotating them to keep their growth in check and moving them off the insecure local system to a safer place, such as a centralized archive location.

In the following section, "Reporting Part 1: The Boring Basics," Rockwood advises against routinely piping audit trails through the "auditreduce" command before handing them to "praudit," arguing that auditreduce is not required in order to use praudit. He does recommend that users familiarize themselves with the various search options offered by auditreduce(1M).

"Reporting Part 2: XSLT" is the next section of Rockwood's post. Here he recommends using an XSLT (XSL Transformations) stylesheet to transform the XML document into a more useful format. The section includes abundant code samples. The upshot of this technique, Rockwood writes, is that creating useful HTML reports from audit data is really easy, and parsing the ASCII output of praudit -s is not necessary. XSLT is also a helpful tool for creating custom reports. He offers two examples of file transformation.

Rockwood follows this with "Reporting Part 3: XML & Perl," where he discusses parsing the XML itself, which makes it possible to loop over the data several times and add roll-up statistics such as a summary of sessions, the number of executions and the average number of executions per session. He demonstrates how to use BSM and Perl to build a tool that prints audit trails in a convenient form. He also points out how easily a user could, using Perl, get the data into MySQL, PostgreSQL, Oracle or SQLite.
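The Part 3 approach, as an added example that is not from Rockwood's post (which uses Perl) and is written in Python instead: it parses a constructed sample approximating praudit -x XML, recorded with the +argv and +zonename policies from the earlier section, and computes the session and execution roll-ups. The sample records, host and zone names, and the reduced set of subject attributes are assumptions, not captured data.

```python
import xml.etree.ElementTree as ET

# Constructed sample approximating `praudit -x` output with the +argv and
# +zonename policies on. Values are illustrative; subject attributes are
# trimmed to the ones used below (real records carry gid, ruid, rgid, tid).
SAMPLE_XML = """<audit>
<record version="2" event="login - ssh" host="h1" iso8601="2010-01-08 10:00:00.000 -08:00">
<subject audit-uid="bob" uid="bob" sid="500" pid="1001"/><return errval="success" retval="0"/><zone name="global"/>
</record>
<record version="2" event="execve(2)" host="h1" iso8601="2010-01-08 10:00:05.000 -08:00">
<path>/usr/bin/ls</path><exec_args><arg>ls</arg><arg>-la</arg><arg>/etc</arg></exec_args>
<subject audit-uid="bob" uid="bob" sid="500" pid="1002"/><return errval="success" retval="0"/><zone name="global"/>
</record>
<record version="2" event="execve(2)" host="h1" iso8601="2010-01-08 10:00:09.000 -08:00">
<path>/usr/bin/cat</path><exec_args><arg>cat</arg><arg>/etc/shadow</arg></exec_args>
<subject audit-uid="bob" uid="root" sid="500" pid="1003"/><return errval="success" retval="0"/><zone name="global"/>
</record>
<record version="2" event="execve(2)" host="h1" iso8601="2010-01-08 11:30:00.000 -08:00">
<path>/usr/bin/id</path><exec_args><arg>id</arg></exec_args>
<subject audit-uid="alice" uid="alice" sid="700" pid="2001"/><return errval="failure: Permission denied" retval="-1"/><zone name="webzone"/>
</record>
</audit>"""

def parse_records(xml_text):
    """Flatten each <record> into a dict. audit-uid is the login identity and
    survives su/sudo, so it is kept separately from the effective uid."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj, zone, ret = rec.find("subject"), rec.find("zone"), rec.find("return")
        out.append({
            "time": rec.get("iso8601"),
            "event": rec.get("event"),
            "zone": zone.get("name") if zone is not None else "?",
            "audit_uid": subj.get("audit-uid") if subj is not None else "?",
            "uid": subj.get("uid") if subj is not None else "?",
            "sid": subj.get("sid") if subj is not None else "?",   # session id
            "argv": [a.text for a in rec.iterfind("exec_args/arg")],  # from +argv
            "ok": ret is not None and ret.get("errval") == "success",
        })
    return out

def rollup(records):
    """Sessions seen, execve(2) count, and average execs per session."""
    per_sid = {}
    for r in records:
        n = per_sid.setdefault(r["sid"], 0)   # register session even without execs
        if r["event"].startswith("execve"):
            per_sid[r["sid"]] = n + 1
    sessions, execs = len(per_sid), sum(per_sid.values())
    return {"sessions": sessions, "execs": execs,
            "avg_execs_per_session": execs / sessions if sessions else 0.0}
```

The same two functions run unchanged over real `praudit -x` output read from a file, since only the record, subject, exec_args, return and zone elements are consulted.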

In the last section of the post, "Reporting Part 4: Existing Software," Rockwood briefly reviews BSMgui, BSM Analyzer and SNARE among the alternatives to BSM.

More Information

I See You: Solaris Auditing (BSM), an earlier Rockwood post

Tutorials on Access Control and Auditing in the Solaris 10 OS
