BSM (Basic Security Module) provides auditing on Solaris. Starting with Solaris 10, BSM also has a plugin feature that can forward audit records to syslog. The steps to enable BSM are as follows.
1. Run the conversion script to start the audit service
root@solora11g # cd /etc/security
root@solora11g # ./bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? [y/n] y
bsmconv: INFO: checking startup file.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation.
The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.
2. Edit the audit_control file
root@solora11g # vi /etc/security/audit_control
dir:/var/audit
flags:lo,ex,am,cl,fc,fd,fm,pc,ss,ua
minfree:20
naflags:lo
plugin:name=audit_syslog.so.1;p_flags=lo,ex,am,cl,fc,fd,fm,fr,fw,pc,ss,ua
The plugin line tells auditd to send audit records to syslog. p_flags filters what is forwarded: only records belonging to the audit classes listed in p_flags are sent to syslog.
3. Edit syslog.conf to add an entry for audit messages
Add the following entry to syslog.conf:
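As an added example (not part of the original post), the following POSIX shell check parses an audit_control file like the one above and reports any p_flags class that is absent from both flags: and naflags:, since a class that is never preselected generates no records and therefore can never reach syslog. The sample file it writes is a constructed copy of the configuration shown here; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: check that every audit class named in
# the audit_syslog p_flags= list is also preselected by flags: or naflags:. A class that
# is never preselected produces no records, so listing it in p_flags alone sends nothing.

# Print the classes of one audit_control key, one per line, without +/- qualifiers.
# Entries prefixed with ^ switch a class off, so they are not counted.
audit_classes() {   # $1 = audit_control path, $2 = flags | naflags | p_flags
  case $2 in
    p_flags) sed -n 's/^plugin:.*p_flags=\([^;]*\).*/\1/p' "$1" ;;
    *)       sed -n "s/^$2://p" "$1" ;;
  esac | tr ',' '\n' | grep -v '^\^' | sed 's/^[+-]//' | grep -v '^$' | sort -u
}

# Report p_flags classes that are not preselected. Returns 1 if any are found.
check_audit_control() {   # $1 = audit_control path
  preselected=$(audit_classes "$1" flags; audit_classes "$1" naflags)
  if printf '%s\n' $preselected | grep -qx all; then
    echo "OK: flags/naflags preselect all classes"
    return 0
  fi
  missing=""
  for c in $(audit_classes "$1" p_flags); do
    printf '%s\n' $preselected | grep -qx "$c" || missing="$missing $c"
  done
  if [ -n "$missing" ]; then
    echo "WARN: p_flags classes never audited (absent from flags/naflags):$missing"
    return 1
  fi
  echo "OK: every p_flags class is preselected"
}

# Constructed sample mirroring the configuration in the post, for offline testing.
write_sample_audit_control() {   # $1 = destination path
  cat > "$1" <<'EOF'
dir:/var/audit
flags:lo,ex,am,cl,fc,fd,fm,pc,ss,ua
minfree:20
naflags:lo
plugin:name=audit_syslog.so.1;p_flags=lo,ex,am,cl,fc,fd,fm,fr,fw,pc,ss,ua
EOF
}

tmp=${TMPDIR:-/tmp}/audit_control.$$
write_sample_audit_control "$tmp"
check_audit_control "$tmp"    # prints the WARN line naming fr and fw
rm -f "$tmp"
```

Run it against /etc/security/audit_control before `audit -s` to catch a p_flags entry that will never produce syslog output.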
audit.notice /var/adm/auditlog
Create the auditlog file:
root@solora11g # touch /var/adm/auditlog
4. Refresh the system-log service so the syslog.conf change takes effect
root@solora11g # svcadm refresh system-log
5. Edit logadm.conf to rotate the new log
Add the following entry to logadm.conf:
/var/adm/auditlog -C 8 -a 'kill -HUP `cat /var/run/syslog.pid`'
6. Reboot Solaris
Notes:
- Once BSM is enabled, the system automatically loads the c2audit kernel module
root@solora11g # modinfo | grep -i audit
46 fffffffff7918000 17d90 186 1 c2audit (C2 system call)
- Checking whether BSM is enabled
root@solora11g # auditconfig -getcond
audit condition = auditing
If the output is audit condition = auditing, BSM is enabled.
- Making changes to audit_control take effect
Method 1:
root@solora11g # audit -s
Method 2:
root@solora11g # svcadm refresh auditd
- Stopping BSM
root@solora11g # ./bsmunconv
root@solora11g # shutdown -i6 -g0 -y
After running bsmunconv and rebooting, Solaris no longer loads the c2audit kernel module, and the auditd service can no longer be enabled, as shown below:
root@solora11g # modinfo | grep -i audit
(no output: the c2audit kernel module is not loaded)
root@solora11g # svcs -a | grep -i audit
disabled 14:39:02 svc:/system/auditd:default
root@solora11g # svcadm enable auditd
root@solora11g # svcs -a | grep -i audit
maintenance 14:43:44 svc:/system/auditd:default
root@solora11g # more /var/svc/log/system-auditd:default.log
...
[ Oct 23 14:43:44 Executing start method ("/lib/svc/method/svc-auditd") ]
[ Oct 23 14:43:44 Method "start" exited with status 98 ]
...
If auditd is enabled in this state, the system places the auditd service in maintenance. For the exact reason, see the /lib/svc/method/svc-auditd script.