SUMMARY: BSM/Auditing

From: Michael Cook (mcook@uswest.com)
Date: Sat Oct 03 1998 - 15:46:13 CDT


Hello all,
    My original post is listed below, I only got 1 reply (thanks Robert
Rose!!) and it gave me a few general pointers regarding the size and
maintenance partitions and management scripts. No one addressed the pkgchk
errors I received.
    Thanks,
        Michael

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hello all,
    I have a group of Sun Ultra 2s running Solaris 2.5.1 with recommended
patches. I would like to enable auditing on these boxes and have read all
the related man pages and the Answerbook on the Basic Security Module.
    One problem I see is when I did a pkgchk on the packages that the
Answerbook said were required I received a bunch of errors (pasted below).
    These are the steps as I understand them, please feel free to comment,
recommend, etc.

1) Create a dedicated audit file system on 1 server to serve as the primary
NFS-shared audit filesystem for each client. This filesystem should be
shared as /etc/security/audit.
2) Create a local secondary audit file system for each machine in case the
NFS-shared file system is unavailable.
3) Boot into single user mode
4) Run bsmconv
5) Configure the system wide auditing levels, user auditing levels,
warnings, etc.
6) Reboot

    If anyone who has done this has any helpful pointers or even copies of
configs to share, I would greatly appreciate it!!!
        Thanks in advance, and I will summarize,
            Michael Cook

pkgchk errors:

# ~ > pkgchk SUNWcar
ERROR: /platform
    permissions <0755> expected <2755> actual
# ~ > pkgchk SUNWcsr
ERROR: /dev
    permissions <0775> expected <2775> actual
ERROR: /etc
    permissions <0775> expected <2755> actual
ERROR: /etc/auto_master
    file size <94> expected <117> actual
    file cksum <7917> expected <9685> actual
ERROR: /etc/default/init
    file size <459> expected <462> actual
    file cksum <38298> expected <38702> actual
ERROR: /etc/default/login
    file size <1136> expected <1124> actual
    file cksum <26706> expected <25538> actual
ERROR: /etc/device.tab
    file size <1207> expected <2251> actual
    file cksum <37074> expected <59343> actual
ERROR: /etc/dgroup.tab
    file size <360> expected <396> actual
    file cksum <28641> expected <31230> actual
ERROR: /etc/dumpdates
    file size <0> expected <1260> actual
    file cksum <0> expected <8945> actual
ERROR: /etc/group
    file size <278> expected <284> actual
    file cksum <23586> expected <24243> actual
ERROR: /etc/inet/hosts
    file size <46> expected <239> actual
    file cksum <3463> expected <15003> actual
ERROR: /etc/inet/inetd.conf
    group name <sys> expected <other> actual
    file size <4615> expected <4870> actual
    file cksum <11707> expected <31373> actual
ERROR: /etc/inet/netmasks
    file size <567> expected <620> actual
    file cksum <48879> expected <51422> actual
ERROR: /etc/lib
    permissions <0775> expected <2775> actual
ERROR: /etc/mnttab
    file size <0> expected <930> actual
    file cksum <0> expected <5375> actual
ERROR: /etc/net/ticlts/hosts
    file size <65> expected <10> actual
    file cksum <3929> expected <849> actual
ERROR: /etc/net/ticots/hosts
    file size <65> expected <10> actual
    file cksum <3929> expected <849> actual
ERROR: /etc/net/ticotsord/hosts
    file size <65> expected <10> actual
    file cksum <3929> expected <849> actual
ERROR: /etc/nsswitch.conf
    file size <779> expected <581> actual
    file cksum <884> expected <49384> actual
ERROR: /etc/passwd
    file size <445> expected <565> actual
    file cksum <36774> expected <47402> actual
ERROR: /etc/path_to_inst
    permissions <0644> expected <0444> actual
    file size <26> expected <1748> actual
    file cksum <2566> expected <55542> actual
ERROR: /etc/profile
    file cksum <50375> expected <50385> actual
ERROR: /etc/rc0.d
    permissions <0775> expected <2775> actual
ERROR: /etc/rc1.d
    permissions <0775> expected <2775> actual
ERROR: /etc/rc2.d
    permissions <0775> expected <2775> actual
ERROR: /etc/rc2.d/S82mkdtab
    pathname does not exist
    pathname not properly linked to <../../etc/init.d/mkdtab>
ERROR: /etc/rc3.d
    permissions <0775> expected <2775> actual
ERROR: /etc/rcS.d
    permissions <0775> expected <2775> actual
ERROR: /etc/security
    permissions <0755> expected <2755> actual
ERROR: /etc/shadow
    file size <252> expected <324> actual
    file cksum <17245> expected <23330> actual
ERROR: /etc/vfstab
    permissions <0664> expected <0644> actual
    file size <235> expected <656> actual
    file cksum <17390> expected <50435> actual
ERROR: /proc
    permissions <0755> expected <0555> actual
    group name <sys> expected <root> actual
ERROR: /sbin
    permissions <0775> expected <2775> actual
ERROR: /var
    permissions <0775> expected <2775> actual
ERROR: /var/adm/utmp
    file size <0> expected <324> actual
    file cksum <0> expected <14362> actual
ERROR: /var/adm/utmpx
    file size <0> expected <3348> actual
    file cksum <0> expected <15135> actual
ERROR: /var/adm/wtmp
    file size <0> expected <29448> actual
    file cksum <0> expected <6736> actual
ERROR: /var/adm/wtmpx
    file size <0> expected <304296> actual
    file cksum <0> expected <33767> actual
ERROR: /var/log/syslog
    permissions <0664> expected <0644> actual
    group name <sys> expected <other> actual
    file size <0> expected <941> actual
    file cksum <0> expected <8188> actual
ERROR: /var/saf/zsmon/log
    file size <0> expected <19594> actual
    file cksum <0> expected <27081> actual
ERROR: /var/spool/cron/crontabs/root
    permissions <0644> expected <0400> actual
    group name <sys> expected <other> actual
    file size <405> expected <949> actual
    file cksum <31347> expected <10408> actual
ERROR: /var/tmp
    permissions <1777> expected <3777> actual
# ~ > pkgchk SUNWcsu
ERROR: /usr
    permissions <0775> expected <2775> actual
ERROR: /usr/bin
    permissions <0775> expected <2755> actual
ERROR: /usr/demo
    permissions <0775> expected <2755> actual
ERROR: /usr/games
    permissions <0775> expected <2755> actual
ERROR: /usr/kvm
    permissions <0775> expected <2775> actual
ERROR: /usr/lib
    permissions <0775> expected <2755> actual
    owner name <root> expected <bin> actual
ERROR: /usr/lib/security
    permissions <0755> expected <2755> actual
ERROR: /usr/old
    permissions <0775> expected <2775> actual
ERROR: /usr/sbin
    permissions <0775> expected <2775> actual
ERROR: /usr/share
    permissions <0755> expected <2755> actual
ERROR: /usr/share/lib
    permissions <0755> expected <2755> actual
ERROR: /usr/share/lib/tabset
    permissions <0775> expected <0755> actual
ERROR: /usr/share/lib/terminfo
    permissions <0775> expected <2755> actual
ERROR: /usr/share/src
    permissions <0755> expected <2755> actual
# ~ > pkgchk SUNWhea
WARNING: no pathnames were associated with <SUNWhea>
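Most of the pkgchk hits above fall into a few buckets: directories whose only difference is a setgid bit, accounting and log files that are empty in the package database but grow as the system runs, and hand-edited configuration files (passwd, shadow, inetd.conf, root's crontab) whose size and checksum will never match the shipped copy but which are exactly the files an intruder would alter. The following is an added example, not code from the original post: a small Python triage script that parses the pkgchk(1M) report format shown above and sorts each entry into those buckets so that only the ones worth an operator's attention get reviewed. The VOLATILE and SENSITIVE lists and the category names are assumptions; the sample report is constructed from the output quoted in the post.

```python
import re
from collections import OrderedDict

# Constructed sample in the pkgchk(1M) report format quoted in the post
SAMPLE = """\
# ~ > pkgchk SUNWcsu
ERROR: /usr
    permissions <0775> expected <2775> actual
ERROR: /usr/lib
    permissions <0775> expected <2755> actual
    owner name <root> expected <bin> actual
ERROR: /etc/shadow
    file size <252> expected <324> actual
    file cksum <17245> expected <23330> actual
ERROR: /var/adm/wtmpx
    file size <0> expected <304296> actual
ERROR: /etc/rc2.d/S82mkdtab
    pathname does not exist
"""
# Assumed: files that legitimately change while the system runs (accounting, logs, mount table)
VOLATILE = ("/var/adm/", "/var/log/", "/var/saf/", "/etc/mnttab", "/etc/dumpdates")
# Assumed: hand-edited files that are also classic tampering targets; always diff these by hand
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/inet/inetd.conf",
             "/etc/nsswitch.conf", "/etc/profile", "/etc/default/login",
             "/var/spool/cron/crontabs/")

ERR_RE = re.compile(r"^ERROR: (\S+)")
DIFF_RE = re.compile(r"^\s+([a-z ]+?) <([^>]*)> expected <([^>]*)> actual")

def parse_pkgchk(report):
    """Map each reported path to its list of (attribute, expected, actual) triples."""
    result, path = OrderedDict(), None
    for line in report.splitlines():
        if m := ERR_RE.match(line):
            path = m.group(1)
            result[path] = []
        elif not line.startswith((" ", "\t")):
            path = None                                   # prompt, WARNING:, blank line
        elif path and (m := DIFF_RE.match(line)):
            result[path].append(m.groups())
        elif path and line.strip():                       # e.g. "pathname does not exist"
            result[path].append((line.strip(), "", ""))
    return result

def classify(path, diffs):
    """Coarse triage: decide which pkgchk hits deserve an operator's attention."""
    attrs = {a for a, _, _ in diffs}
    if "pathname does not exist" in attrs:
        return "missing"
    if path.startswith(SENSITIVE):
        return "review"
    if path.startswith(VOLATILE):
        return "volatile"
    if "owner name" in attrs or "group name" in attrs:
        return "owner-changed"
    if attrs == {"permissions"}:
        exp, act = (int(v, 8) for v in diffs[0][1:])
        # rwx or setuid bits granted beyond the package spec matter; a stray setgid bit on a directory does not
        return "loosened" if act & ~exp & 0o4777 else "mode-ok"
    return "review"

def triage(report):
    return {p: classify(p, d) for p, d in parse_pkgchk(report).items()}
```

Feed it the full pkgchk output and diff only the "review", "owner-changed", "loosened" and "missing" entries against a known-good system or the install media; doing this once before running bsmconv gives a clean baseline to compare against after auditing is enabled.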



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:50 CDT