To configure C2-level auditing on Solaris you need to enable the Basic Security Module (BSM).

1. Make sure BSM is not already enabled (the following command must return no output):

   grep c2audit /etc/system

2. Enable BSM:

   /etc/security/bsmconv

3. Check that the /var/audit directory has been created:

   ls -ld /var/audit
   drwxr-xr-x 2 root sys 512 Jul 12 22:23 /var/audit
   ls -l /var/audit
   total 2
   -rw------- 1 root root 56 Jul 12 22:23 20050713032312.not_terminated.hostname

4. In the file /etc/security/audit_control, configure the event classes to be audited:

   # vi /etc/security/audit_control

5. Create the script /etc/security/newauditlog.sh:

   vi /etc/security/newauditlog.sh

   #!/sbin/sh
   #
   # newauditlog.sh - Start a new audit file and expire the old logs
   PATH=/usr/bin:/usr/sbin
   #
   # If the disk space isn't sufficient to retain logs on a month,
   # lower this value from 30 to 7
   AUDIT_EXPIRE=30
   AUDIT_DIR="/var/audit"
   LOG_DIR=/var/audit/logs
   # Make sure the archive directory exists before moving files into it
   [ -d ${LOG_DIR} ] || mkdir -p ${LOG_DIR}
   # Rotate the log file (closes the current trail and opens a new one)
   audit -n
   # Move the closed log files to the archive directory and compress them
   for i in `ls ${AUDIT_DIR} | grep -v not_terminated | grep -v logs`
   do
       compress ${AUDIT_DIR}/${i}
       mv ${AUDIT_DIR}/${i}.Z ${LOG_DIR}/${i}.Z
   done
   # Delete old log files
   cd ${AUDIT_DIR}   # in case it is a link
   find . ${LOG_DIR} -type f -mtime +${AUDIT_EXPIRE} \
       -exec rm {} > /dev/null 2>&1 \;
   exit 0

6. Add the following crontab line for the root user:

   0 0 * * * /etc/security/newauditlog.sh

7. Reboot the system:

   /usr/sbin/shutdown -y -g 0 -i 6

8. The generated audit files can be read with the praudit command.
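Step 4 edits /etc/security/audit_control and step 5 assumes the trail directory it names; before rebooting into auditing it is worth checking the file for the mistakes that silently leave logins unaudited. The following POSIX sh script is an added example, not part of the original procedure: it validates the standard BSM directives (dir:, flags:, naflags:, minfree:) and the two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): a pre-reboot sanity check for
# a Solaris BSM /etc/security/audit_control file. Directive names are the
# standard BSM ones; the files written by make_samples are constructed.

# directive_value FILE NAME -> value of the first "NAME:" line, whitespace removed
directive_value() {
    grep "^$2:" "$1" | head -n 1 | cut -d: -f2- | tr -d ' \t'
}

# has_class CLASSLIST CLASS: true if CLASS (optionally prefixed with the BSM
# success/failure modifiers + - ^) is one of the comma-separated classes.
has_class() {
    echo ",$1," | grep -q ",[+^-]*$2,"
}

# check_audit_control FILE
# Prints one line per finding; returns 0 when all checks pass, 1 otherwise.
check_audit_control() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "MISSING: cannot read $f"; return 1; }

    # Each required directive must appear exactly once.
    for d in dir flags naflags minfree; do
        n=$(grep -c "^$d:" "$f" || true)
        if [ "$n" -eq 0 ]; then
            echo "MISSING: no $d: line"; rc=1
        elif [ "$n" -gt 1 ]; then
            echo "DUPLICATE: $d: appears $n times"; rc=1
        fi
    done

    # Login/logout events (class lo) must be audited both for attributable
    # events (flags) and for events with no user yet (naflags); otherwise
    # failed logins never reach the trail.
    for d in flags naflags; do
        v=$(directive_value "$f" "$d")
        has_class "$v" lo || { echo "WEAK: $d lacks class lo (got '$v')"; rc=1; }
    done

    # minfree is a percentage: auditd warns when free space on the audit
    # filesystem drops below it.
    m=$(directive_value "$f" minfree)
    case "$m" in
        ""|*[!0-9]*) echo "BAD: minfree '$m' is not a number"; rc=1 ;;
        *) [ "$m" -le 100 ] || { echo "BAD: minfree $m > 100"; rc=1; } ;;
    esac

    # The trail directory must be an absolute path.
    d=$(directive_value "$f" dir)
    case "$d" in
        /*) ;;
        *) echo "BAD: dir '$d' is not an absolute path"; rc=1 ;;
    esac
    return $rc
}

# make_samples DIR: writes one good and one weak audit_control (constructed).
make_samples() {
    printf 'dir:/var/audit\nflags:lo,ad\nminfree:20\nnaflags:lo,ad\n' \
        > "$1/audit_control.good"
    # weak: no lo class anywhere, minfree given twice
    printf 'dir:/var/audit\nflags:ad\nminfree:20\nminfree:10\nnaflags:ad\n' \
        > "$1/audit_control.weak"
}

# Usage: sh check_audit_control.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_samples "$tmp"
    for s in good weak; do
        echo "== $s"
        check_audit_control "$tmp/audit_control.$s" && echo "OK"
    done
    rm -rf "$tmp"
fi
```

Run it against the real file with `check_audit_control /etc/security/audit_control` from a shell that has sourced the script; a non-zero return means at least one finding was printed.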
FIND OPEN TCP PORTS AND PIDs
PCP script to find open TCP ports and PIDs in Solaris
PCP is a script that can help you quickly find Processes (PIDs)
having particular TCP Port(s) open, TCP ports open by specific PIDs
or even list all the TCP Ports open by all PIDs running on your system.
PIDs for TCP Port
Run PCP with the "-p" option to show the PIDs of processes that have a
given TCP port open (say port 22).
Example:
test@mx3 # ksh "pcp.ksh" -p 22
PID Process Name and Port
_________________________________________________________
26308 sshd 22
sockname: AF_INET 10.0.0.7 port: 22
sockname: AF_INET 10.0.0.7 port: 22
sockname: AF_INET 10.0.0.7 port: 22
_________________________________________________________
TCP Ports open by PIDs
Run PCP with the "-P" option to show the TCP ports open by a specific PID.
PIDs for all open TCP Ports
Use the "-a" option to list all open TCP ports together with the PIDs that hold them.
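The three PCP modes above all come down to the same step: on Solaris, pfiles(1) prints a "sockname: AF_INET <addr> port: <n>" line for every socket descriptor a process holds, which is exactly the line visible in the "-p 22" output. The script below is an added example, not the PCP script itself, showing how the -p, -P and -a lookups can be built on top of such output. The pfiles dump it parses is constructed to look like "pfiles 26308 1234 4711"; a real run would call pfiles on live PIDs instead of pfiles_sample.

```shell
#!/bin/sh
# Added example (not the PCP script): PCP-style PID/port lookups built on
# pfiles(1)-shaped output. pfiles_sample is a constructed stand-in for
# "pfiles <pid>..." on a Solaris host; everything else is real parsing.

pfiles_sample() {
cat <<'EOF'
26308:  /usr/lib/ssh/sshd
  Current rlimit: 256 file descriptors
   0: S_IFCHR mode:0666 dev:270,0 ino:6815752 uid:0 gid:3 rdev:13,2
      O_RDWR|O_LARGEFILE
   3: S_IFSOCK mode:0666 dev:280,0 ino:39291 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        SO_REUSEADDR,SO_KEEPALIVE,SO_SNDBUF(49152),SO_RCVBUF(49640)
        sockname: AF_INET 10.0.0.7  port: 22
   4: S_IFSOCK mode:0666 dev:280,0 ino:39292 uid:0 gid:0 size:0
        SOCK_STREAM
        sockname: AF_INET 10.0.0.7  port: 22
        peername: AF_INET 10.0.0.25  port: 51022
1234:   /usr/sbin/in.telnetd
  Current rlimit: 256 file descriptors
   4: S_IFSOCK mode:0666 dev:280,0 ino:39300 uid:0 gid:0 size:0
        sockname: AF_INET 10.0.0.7  port: 23
4711:   /usr/lib/sendmail -bd -q15m
   5: S_IFSOCK mode:0666 dev:280,0 ino:39400 uid:0 gid:0 size:0
        sockname: AF_INET 0.0.0.0  port: 25
   6: S_IFSOCK mode:0666 dev:280,0 ino:39401 uid:0 gid:0 size:0
        sockname: AF_INET 0.0.0.0  port: 587
EOF
}

# pid_port_table: reads pfiles output on stdin and prints "PID NAME PORT"
# lines, one per local socket address, deduplicated (an accepted connection
# shares the listener's sockname, as fd 4 of sshd above shows).
pid_port_table() {
    awk '
        /^[0-9]+:/  { pid = $1; sub(":", "", pid); name = $2; sub(".*/", "", name) }
        /sockname:/ { for (i = 1; i <= NF; i++) if ($i == "port:") print pid, name, $(i + 1) }
    ' | sort -u
}

# pids_for_port PORT   (PCP "-p"): processes holding PORT
pids_for_port() { pfiles_sample | pid_port_table | awk -v p="$1" '$3 == p'; }

# ports_for_pid PID    (PCP "-P"): ports held by PID
ports_for_pid() { pfiles_sample | pid_port_table | awk -v p="$1" '$1 == p'; }

# all_ports            (PCP "-a"): every PID/port pair
all_ports() { pfiles_sample | pid_port_table; }

# Usage: sh pcp_demo.sh 22   -> "26308 sshd 22"
if [ -n "${1:-}" ]; then
    pids_for_port "$1"
fi
```

Against a live system, replace pfiles_sample with `pfiles $(ps -eo pid= )` (run as root so every process is readable) and the same table drives all three modes; note that pid_port_table keys on sockname only, so peername lines of established connections are ignored rather than reported as open ports.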
Many thanks for this script to Sam Nelson and Daniel Trinkle (trinkle).