User's Manual
 Solaris 9 Security CX-310-301    29   
Process Accounting 
Process accounting is installed as part of a default Solaris 9 installation and, although it is primarily 
designed as an accounting tool for billing purposes, it also has value as a security monitoring tool. The process 
accounting package helps with the following: 
•  Assisting with the overall security of a system through the logging facility it provides, which records 
the start and end times of each command executed, the command name and the terminal from which it 
was run 
•  Monitoring the usage of the system in terms of processor, memory and disk usage 
•  Monitoring for performance issues and capacity planning 
•  Troubleshooting a number of system problems, some of which may be the result of an attack 
taking place 
•  Providing additional evidence of when a user was logged in and logged out 
Process accounting is a good and useful package, but the following facts should be considered about it: 
•  Process accounting is a historical view of what happened; it is not a real-time audit of what is 
going on now 
•  An accounting record is only written once the command has completed. For long-running 
programs, a password cracker for example, no entry appears in the accounting files until the 
program exits 
•  An accounting record contains the name of the program being run (only the first eight characters of it), 
but the program itself is not validated. If a spoofed version of the login program were being used, 
for example, this would not be noticed 
•  Accounting records can therefore only be used as part of an investigation after an attack has taken place 
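The raw records behind the points above, as an added example that is not part of this guide or of the Solaris accounting package: a Python decoder for pacct records, the file that acctcom and lastcomm read. The struct acct layout in REC_FMT (40-byte 32-bit ABI, big-endian as on SPARC), the 100 Hz tick rate in HZ and the helper names (parse_pacct, long_running, su_commands, make_record) are assumptions made for this example, and the three sample records are constructed in the script so it runs offline. Check the layout against /usr/include/sys/acct.h on the target host before trusting the offsets.

```python
"""Decoder for Solaris process accounting (pacct) records.

Added example for this page, not code from the guide or from the Solaris
accounting package.  The record layout is an assumption taken from sys/acct.h
for the 32-bit Solaris ABI (40-byte struct acct, big-endian on SPARC); verify
the field order and sizes against /usr/include/sys/acct.h on the target host.
All sample records are constructed here so the script runs offline.
"""
import struct

HZ = 100                      # assumed clock ticks per second (CLK_TCK on Solaris)
AFORK, ASU = 0x01, 0x02       # ac_flag bits: forked but not exec'd / used super-user privilege
REC_FMT = "BBxxIIIIHHHHHH8s"  # ac_flag, ac_stat, pad, ac_uid, ac_gid, ac_tty, ac_btime,
                              # six comp_t fields (utime, stime, etime, mem, io, rw), ac_comm[8]
REC_SIZE = struct.calcsize(">" + REC_FMT)   # 40 bytes
FIELDS = ("flag", "stat", "uid", "gid", "tty", "btime",
          "utime", "stime", "etime", "mem", "io", "rw", "comm")


def comp_t_to_int(c: int) -> int:
    """comp_t is a 16-bit pseudo-float: 3-bit base-8 exponent, 13-bit mantissa."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def int_to_comp_t(value: int) -> int:
    """Inverse of comp_t_to_int (lossy, like the kernel's encoder); used to build samples."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    if exp > 7:
        raise ValueError("value does not fit in comp_t")
    return (exp << 13) | value


def parse_pacct(data: bytes, byteorder: str = ">") -> list:
    """Decode every complete record in a pacct file image.

    'end' is derived as btime + elapsed: a record exists only because the
    command has already exited, so a process that is still running has no
    record at all.  'comm' is whatever the kernel stored, i.e. at most the
    first eight bytes of the executable's base name.
    """
    records = []
    for off in range(0, len(data) - REC_SIZE + 1, REC_SIZE):
        raw = dict(zip(FIELDS, struct.unpack_from(byteorder + REC_FMT, data, off)))
        elapsed = comp_t_to_int(raw["etime"]) / HZ
        records.append({
            "comm": raw["comm"].rstrip(b"\0").decode("ascii", "replace"),
            "uid": raw["uid"],
            "tty": raw["tty"],          # dev_t; acctcom maps it to a name via /dev
            "start": raw["btime"],      # seconds since the epoch
            "end": raw["btime"] + elapsed,
            "elapsed_s": elapsed,
            "cpu_s": (comp_t_to_int(raw["utime"]) + comp_t_to_int(raw["stime"])) / HZ,
            "su": bool(raw["flag"] & ASU),
            "exit_status": raw["stat"],
        })
    return records


def long_running(records: list, min_seconds: float) -> list:
    """Completed commands whose elapsed time reached the threshold."""
    return [r for r in records if r["elapsed_s"] >= min_seconds]


def su_commands(records: list) -> list:
    """Commands that ran with super-user privilege (ASU flag set)."""
    return [r for r in records if r["su"]]


def make_record(comm: str, uid: int, tty: int, btime: int, elapsed_s: float,
                cpu_s: float = 0.0, flags: int = 0, byteorder: str = ">") -> bytes:
    """Encode one record for the constructed sample below.  As in the kernel,
    only the first eight bytes of the command name survive."""
    return struct.pack(byteorder + REC_FMT, flags, 0, uid, 0, tty, btime,
                       int_to_comp_t(int(round(cpu_s * HZ))), 0,
                       int_to_comp_t(int(round(elapsed_s * HZ))), 0, 0, 0,
                       comm.encode("ascii")[:8])


# Constructed sample: three commands from the same (hypothetical) terminal.
T0 = 1_040_000_000                    # an arbitrary epoch timestamp
TTY = 0x00600001                      # an arbitrary dev_t
SAMPLE = b"".join([
    make_record("ls", 1001, TTY, T0, 0.05),
    # a three-hour password cracker: its record is written only when it exits,
    # and its name is stored truncated to "john-the"
    make_record("john-the-ripper", 1001, TTY, T0 + 60, 3 * 3600, cpu_s=3 * 3600 - 5),
    make_record("passwd", 0, TTY, T0 + 4 * 3600, 4.0, flags=ASU),
])

if __name__ == "__main__":
    for r in parse_pacct(SAMPLE):
        print(f'{r["comm"]:<8} uid={r["uid"]:<5} start={r["start"]} '
              f'end={r["end"]:.0f} elapsed={r["elapsed_s"]:.1f}s su={r["su"]}')
    print("ran >= 1h:", [r["comm"] for r in long_running(parse_pacct(SAMPLE), 3600)])
```

Two things the decoded output makes concrete: the cracker shows up as "john-the" with a start time an hour before its end, but the record did not exist until it exited; and the name is the only identity the record carries, so a binary dropped in as "login" decodes exactly like the real one.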
Auditing with the Basic Security Module (BSM) 
This section looks at auditing the Solaris environment. It describes two main functions: recording the 
events that occur, and managing the allocation and security of devices. 
Overview 
The audit daemon is /usr/sbin/auditd and its configuration files are found in the /etc/security 
directory. The following configuration files are used in the auditing process: 
•  /etc/security/audit_startup – a script run at boot that sets the initial audit policy 
•  /etc/security/audit_control – controls the type of action to be audited and includes such items as 
where the audit data files are stored and the minimum amount of free disk space that must remain for 
auditing to continue 