Auditing Facilities on Solaris & AIX
From: Surinder Kumar (kumasuri_at_india.hp.com)
Date: 02/10/04
- Next message: Joerg Schilling: "Re: tape drive performing slow with star?"
- Previous message: Zii Ell: "nis plus - user has forgotten their passwd. I can't reset it."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 10 Feb 2004 19:51:11 +0530
Hi all,
I have done a comparison of Auditing Facilities on AIX and Solaris.
Can anybody comment on these?
Have I missed something?
Thanks in advance.
Regards,
Surinder Kumar
Auditing Facilities on AIX and Solaris
Most commercial UNIX Operating Systems provide C2 Security Level Auditing.
It is implemented in a different manner on each UNIX flavor. We describe some
of the auditing features available on all major UNIX flavors in this
document.
1. Enable Auditing Subsystem
- AIX operates only in standard mode.
- On Solaris, the auditing subsystem can be started only in BSM (Basic
Security Module) mode.
Policies
* Single mode of operation
* Auditing in only BSM Mode
Rate OS by feature
* AIX
* Solaris
2. Suspend/Resume Auditing
Auditing can be suspended/resumed globally and locally.
- On AIX, auditing can be suspended/resumed at system level using "audit
off" and "audit on".
- On Solaris, auditing cannot be suspended.
Policies
* Suspend/resume auditing globally (system wide), locally (for a process)
Rate OS by feature
* AIX
3. Accountability: Login Name/ Audit ID
One of the main principles of security is accountability; that is, the
ability to trace actions taken by a user that could have security relevance
(from Sun Blueprints). An effective user ID cannot be used for
accountability as two login names can have the same user ID. Every login name
will have a unique value of Audit ID. An audit ID is also called the third ID,
the real UID and effective UID being the first two. It is set during login
authentication and does not change for the duration of the session. Actions
such as su will change the real UID or effective UID but not the audit ID.
- On AIX, Login Name is used for accountability.
- On Solaris, Audit ID is used for accountability.
Policies
* Login Name
* Audit ID
Rate OS by feature
* AIX
* Solaris
4. Enable Auditing: Events & Users
All UNIX flavors have the ability to audit selected users and selected
events. Grouping of events is supported by all, e.g. classes on AIX &
Solaris.
Common Facilities
* User selection for auditing
* System call selection
* Event selection
* Event group (classes -> AIX/Solaris) selection
- On Solaris, per-user event selection is implemented using the audit_user &
audit_control files with the help of "flags" and "naflags".
- On AIX, per-user event selection is provided using the "users" stanza in the
configuration file /etc/security/audit/config.
Policies
* Provide system level event selection and per-user event selection.
* Provide per-user event selection only, and that is enough.
Rate OS by feature
* Solaris
* AIX
5. Enable Auditing: Status of Events
Most auditing systems allow logging of data for events on failure of the
event, on success of the event, or on both.
- On Solaris, logging of events for "Success/Failed/Both" status is
provided using +(success) and -(failure) with events or classes. The default is
both success and failure.
- On AIX, always for both (success and failure).
Policies
* Logging for success, failure or both (success and failure)
* Logging for both success and failure
Rate OS by feature
* Solaris
* AIX
6. Enable Auditing: for Objects
Auditing of Objects (Files). Read, Write & Execute of a file can be audited
through audit objects.
- On AIX, per-object auditing can be enabled via the
/etc/security/audit/objects file.
- On Solaris, per-object auditing is not available.
Policies
* Auditing of objects (files) for Read, Write, Execute
Rate OS by feature
* AIX
7. Enable Auditing: Pre-defined Audit Events/Classes
- On AIX, Auditing Events and Auditing Classes are classified at a very
high level, e.g. kernel = PROC_Create, PROC_Delete
- On Solaris, Auditing Events and Classes are classified at a very high
level.
Policies
* High Level Classes
* High Level Event Groups
* Events (group of system calls)
* System Calls
Rate OS by feature
* AIX
* Solaris
8. Information Collection
Common Information (AIX)
Event ID, Login Name, Time the record was written, Event Status
- On AIX, the command that triggered the event and the real name are also
recorded.
- On Solaris,
Rate OS by feature
* AIX
9. Information Processing: Reducing Binary Data
- On AIX, audit data in binary format can be reduced using
auditselect.
- On Solaris, audit data in binary format can be reduced using
auditreduce.
Rate OS by feature
* AIX, Solaris
10. Information Processing: Compressing Binary Data
- On AIX, audit data in binary format can be compressed. Compression
is done through Huffman encoding.
- On Solaris,
Rate OS by feature
* AIX
11. Disk Auditing and Device Auditing
Disk Auditing (BIN mode) writes data in binary format to files on disk.
Device Auditing (STREAM mode) writes data in binary format to a device.
- On AIX, both are available. The kernel writes records to a file (BIN)/device
(STREAM).
- The audit daemon will write data from the binary file to the trail.
- /dev/audit is the device for STREAM mode.
- On Solaris, the audit daemon reads data from the kernel.
Policies
* None
Rate OS by feature
* AIX, Solaris
To Do
* None
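As an added example that is not part of the original message, the Solaris side of sections 4 and 5 (per-user event selection through audit_control "flags"/"naflags" and audit_user, with the "+"/"-" prefixes selecting success or failure) can be made concrete by computing the audit mask a login would actually receive from constructed copies of the two files. The combining rule assumed here is the one Sun documents for BSM: the system-wide "flags" plus the user's always-audit flags, minus the user's never-audit flags. Class names are treated as opaque tokens (the "all" alias is not expanded), the file contents are constructed samples, and the helper names are this example's own, not part of Solaris.

```python
"""
Added example: effective Solaris BSM audit preselection per user.

Assumptions (not taken from the original post):
  * audit_control lines are "key:value"; "flags" is the system-wide mask and
    "naflags" the mask for non-attributable (no audit ID) events.
  * audit_user lines are "username:always-audit-flags:never-audit-flags".
  * A flag token "cls" means success and failure, "+cls" success only,
    "-cls" failure only; the class "no" audits nothing.
  * Per-user mask = (flags  U  always-audit)  minus  never-audit.
"""

# Constructed sample of /etc/security/audit_control
AUDIT_CONTROL = """\
# audit directory, system flags, non-attributable flags, free-space threshold
dir:/var/audit
flags:lo,+ex,-fw
naflags:lo
minfree:20
"""

# Constructed sample of /etc/security/audit_user
AUDIT_USER = """\
# username:always-audit-flags:never-audit-flags
root:fm,-fc:no
jdoe:+fw:ex
"""


def parse_flag_list(spec):
    """Parse 'lo,+ex,-fw' into {class: [audit_success, audit_failure]}."""
    mask = {}
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok or tok == "no":          # "no" is the null class
            continue
        if tok.startswith("+"):
            cls, succ, fail = tok[1:], True, False
        elif tok.startswith("-"):
            cls, succ, fail = tok[1:], False, True
        else:
            cls, succ, fail = tok, True, True
        cur = mask.setdefault(cls, [False, False])
        cur[0] = cur[0] or succ             # repeated class: widen, never narrow
        cur[1] = cur[1] or fail
    return mask


def parse_audit_control(text):
    """Return the key:value settings of audit_control, comments skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def parse_audit_user(text):
    """Return {username: (always_mask, never_mask)} from audit_user."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError("malformed audit_user line: %r" % line)
        name, always, never = parts
        users[name] = (parse_flag_list(always), parse_flag_list(never))
    return users


def union(a, b):
    """Classes audited if either mask audits them (success/failure separately)."""
    out = {k: list(v) for k, v in a.items()}
    for cls, (s, f) in b.items():
        cur = out.setdefault(cls, [False, False])
        cur[0], cur[1] = cur[0] or s, cur[1] or f
    return out


def subtract(a, never):
    """Remove the success/failure bits that the never-audit mask switches off."""
    out = {}
    for cls, (s, f) in a.items():
        ns, nf = never.get(cls, (False, False))
        s, f = s and not ns, f and not nf
        if s or f:
            out[cls] = [s, f]
    return out


def format_mask(mask):
    """Render a mask back in audit_control syntax, e.g. 'lo,+ex,-fw'."""
    return ",".join(cls if s and f else ("+" if s else "-") + cls
                    for cls, (s, f) in mask.items())


def effective_mask(control_text, user_text, username):
    """Mask applied to USERNAME's attributable events after login."""
    control = parse_audit_control(control_text)
    system = parse_flag_list(control.get("flags", ""))
    always, never = parse_audit_user(user_text).get(username, ({}, {}))
    return format_mask(subtract(union(system, always), never))


def non_attributable_mask(control_text):
    """Mask for events with no audit ID (boot, failed logins): 'naflags'."""
    return format_mask(parse_flag_list(
        parse_audit_control(control_text).get("naflags", "")))


if __name__ == "__main__":
    for user in ("root", "jdoe", "nobody-listed"):
        print("%-14s %s" % (user, effective_mask(AUDIT_CONTROL, AUDIT_USER, user)))
    print("non-attributable:", non_attributable_mask(AUDIT_CONTROL))
```

Reading the result for "jdoe" shows the two mechanisms interacting: the system-wide "+ex" is cancelled by the user's never-audit "ex", while the user's "+fw" widens the system-wide "-fw" to both success and failure. A user absent from audit_user simply inherits "flags". The same logic is what an administrator should re-run after editing either file, since a never-audit entry silently removes coverage for that one login.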