[787] in Intrusion Detection Systems
Re: Audit trails
daemon@ATHENA.MIT.EDU (Matthew Archibald)
Sun Dec 1 20:46:38 1996
Date: Wed, 27 Nov 1996 07:54:29 -0800
From: matt@plato.West.Sun.COM (Matthew Archibald)
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
On Sun, 24 Nov 1996, Tim Walding wrote:
> Actually, AIX has quite good auditing features for Unix. It can include
> quite a bit of detail, including what commands a particular user is using
> and at what time. Almost no one uses the entire auditing features because
> it gives too much information and can slow the system response time noticeably.
In general I could get all of the log items mentioned in any
Unix variant with accounting for commands, standard syslog
with a few added filters, and file open/close info with
C2 features. (No need to haggle about C2; I am only referring
to the 'C2' functionality 'as shipped' by various vendors and
the Sys-Admin's ability to turn the service on for auditing
purposes.)
From Solaris, but AIX, HP-UX, Dec-Alpha, Ultrix, FreeBSD etc.
all provide similar functions.
acct, acctdisk, acctdusg, accton, acctwtmp, closewtmp,
utmp2wtmp - overview of accounting and miscellaneous
accounting commands
Solaris for instance provides various tools in /usr/lib/acct
for running accounting and follow-up reporting utilities:
acctcms acctmerg chargefee monacct ptelus.awk utmp2wtmp
acctcon accton ckpacct nulladm remove wtmpfix
acctcon1 acctprc closewtmp prctmp runacct
acctcon2 acctprc1 dodisk prdaily shutacct
acctdisk acctprc2 fwtmp prtacct startup
acctdusg acctwtmp lastlogin ptecms.awk turnacct
For instance:
#ident "@(#)runacct.sh 1.6 94/12/15 SMI" /* SVr4.0 1.9 */
# "nitely accounting shell, should be run from cron (adm) at 4am"
# "does process, connect, disk, and fee accounting"
# "prepares command summaries"
# "shell is restartable and provides reasonable diagnostics"
Example command accounting:
------------------------------
root: ./startup (Turn it on)
root: ls
acctcms acctmerg chargefee monacct ptelus.awk utmp2wtmp
acctcon accton ckpacct nulladm remove wtmpfix
root: lastcomm
ls root pts/4 0.08 secs Wed Nov 27 07:53
startup root pts/4 0.04 secs Wed Nov 27 07:53
rm root pts/4 0.07 secs Wed Nov 27 07:53
rm root pts/4 0.08 secs Wed Nov 27 07:53
rm root pts/4 0.08 secs Wed Nov 27 07:53
turnacct root pts/4 0.06 secs Wed Nov 27 07:53
accton S root pts/4 0.14 secs Wed Nov 27 07:53
root: shutacct (Turn it off)
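The accounting trail only becomes an audit tool once someone reads it. As an added example (not part of the original post, and not Sun's code), the script below parses lastcomm-style output in the column layout shown above, counts commands per user, pulls out records that carry the superuser flag, and lists the commands that turned accounting on or off, since a gap in the trail is itself a finding. The sample lines are constructed to match the post's format; the flag letters (S, F, D, X) are assumed to be the only ones present.

```python
"""Parse lastcomm(1)-style process-accounting output and summarise it.

Added example, not from the original post.  The sample lines below are
constructed in the column layout shown in the post; real lastcomm output
may use wider fields or additional flag letters.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, column layout as in the post:
#   command [flags] user tty cpu-secs "secs" weekday month day HH:MM
SAMPLE = """\
ls root pts/4 0.08 secs Wed Nov 27 07:53
startup root pts/4 0.04 secs Wed Nov 27 07:53
rm root pts/4 0.07 secs Wed Nov 27 07:53
turnacct root pts/4 0.06 secs Wed Nov 27 07:53
accton S root pts/4 0.14 secs Wed Nov 27 07:53
sh F alice pts/2 0.01 secs Wed Nov 27 07:54
vi alice pts/2 1.20 secs Wed Nov 27 07:55
su S alice pts/2 0.03 secs Wed Nov 27 07:56
"""

# Flag letters as documented for lastcomm: S = superuser, F = fork without
# exec, D = dumped core, X = killed by a signal.  Assumption: only these four.
FLAG_CHARS = "SFDX"

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+"
    r"(?:(?P<flags>[" + FLAG_CHARS + r"]+)\s+)?"   # flags column is optional
    r"(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>\d+\.\d+)\s+secs\s+"
    r"(?P<when>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})$"
)


def parse_lastcomm(text):
    """Return one dict per accounting record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised layout: ignore rather than guess fields
        rec = m.groupdict()
        rec["flags"] = rec["flags"] or ""
        rec["cpu"] = float(rec["cpu"])
        records.append(rec)
    return records


def commands_by_user(records):
    """Count commands per user: the 'what did this account run' report."""
    per_user = defaultdict(Counter)
    for r in records:
        per_user[r["user"]][r["cmd"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def privileged_commands(records):
    """Records run with the superuser flag, including ones started from a
    non-root login (the su case is the interesting one for an audit)."""
    return [(r["cmd"], r["user"], r["tty"]) for r in records if "S" in r["flags"]]


def accounting_toggle_events(records):
    """Commands that start or stop accounting; these bracket any gap in the trail."""
    toggles = {"accton", "startup", "shutacct", "turnacct"}
    return [(r["cmd"], r["user"]) for r in records if r["cmd"] in toggles]


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE)
    print("records parsed:", len(recs))
    print("commands by user:", commands_by_user(recs))
    print("superuser-flagged:", privileged_commands(recs))
    print("accounting toggled by:", accounting_toggle_events(recs))
```

On a live system, feed it `lastcomm` output directly (e.g. `lastcomm | python3 thisfile.py` after swapping SAMPLE for `sys.stdin.read()`); the parser deliberately drops lines it cannot match rather than guessing, so count the skipped lines if the summary looks too short.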