BSM and syslog are very different, as Robert has pointed out. BSM has been used by some to create host based Intrustion Detection Systems (See ASAXC, good luck finding it). Just wanted to add that you do not HAVE to use Sun's tools to view the audit trail. They do ship a tool, praudit, but I've found that it is very slow. You are probably better off doing what we've done, and write your own parser. They include the header files so you can determine the structure of the audit file and easily whip up some C code.
Good luck and I hope you enjoy BSM.
________________________________
From: Robert Escue [mailto:roescue (at) cox (dot) net [email concealed]]
Sent: Fri 7/8/2005 5:06 AM
To: Simone Vernacchia
Cc: focus-sun (at) securityfocus (dot) com [email concealed]
Subject: Re: BSM and syslog... why should I consider the first?
Simone Vernacchia wrote:
>Hello everyone,
>
>I'm working on a Security program for a large infrastructure.
>I have to deal with Sun Solaris, and I was wondering why I should
>consider logging via BSM and not syslog.
>System admins have a good knowledge of syslog, and I can standardize
>logging in different UNIX OSes easily if I use it.
>Is there some breaking feature which could make me prefer BSM?
>Is there a reason to use syslog and BSM?
>
>Thanks in advance,
>G0k
>
>
>
>
>
Simone,
BSM is auditing for Solaris, not logging. If you wanted your machine(s)
to be C2/EAL4 compliant and wanted to have a trail of what users did on
that machine, you would enable BSM. The detractors are increased CPU
utilization, preferably having a dedicated partition to write the audit
data to (depending on activity level it could be large) and the audit
trail can only be read using Sun's tools (except for Solaris 10 which
has other options).
BSM and syslog are very different, as Robert has pointed out. BSM has been used by some to create host based Intrustion Detection Systems (See ASAXC, good luck finding it). Just wanted to add that you do not HAVE to use Sun's tools to view the audit trail. They do ship a tool, praudit, but I've found that it is very slow. You are probably better off doing what we've done, and write your own parser. They include the header files so you can determine the structure of the audit file and easily whip up some C code.
Good luck and I hope you enjoy BSM.
________________________________
From: Robert Escue [mailto:roescue (at) cox (dot) net [email concealed]]
Sent: Fri 7/8/2005 5:06 AM
To: Simone Vernacchia
Cc: focus-sun (at) securityfocus (dot) com [email concealed]
Subject: Re: BSM and syslog... why should I consider the first?
Simone Vernacchia wrote:
>Hello everyone,
>
>I'm working on a Security program for a large infrastructure.
>I have to deal with Sun Solaris, and I was wondering why I should
>consider logging via BSM and not syslog.
>System admins have a good knowledge of syslog, and I can standardize
>logging in different UNIX OSes easily if I use it.
>Is there some breaking feature which could make me prefer BSM?
>Is there a reason to use syslog and BSM?
>
>Thanks in advance,
>G0k
>
>
>
>
>
Simone,
BSM is auditing for Solaris, not logging. If you wanted your machine(s)
to be C2/EAL4 compliant and wanted to have a trail of what users did on
that machine, you would enable BSM. The detractors are increased CPU
utilization, preferably having a dedicated partition to write the audit
data to (depending on activity level it could be large) and the audit
trail can only be read using Sun's tools (except for Solaris 10 which
has other options).
Hope this helps.
Robert Escue
System Administrator
[ reply ]