|
Para configurar la auditoria a nivel C2 de Solaris es necesario
habilitar
el módulo de seguridad
básica o BSM (Basic Security
Module). 1. Asegurarse de que aún no se encuentra habilitado BSM (el siguiente comando no debe devolver ninguna salida): grep c2audit /etc/system 2. Habilitar BSM: /etc/security/bsmconv 3. Revisar que se haya creado el directorio /var/audit: ls -ld /var/audit drwxr-xr-x 2 root sys 512 Jul 12 22:23 /var/audit ls -l /var/audit total 2 -rw------- 1 root root 56 Jul 12 22:23 20050713032312.not_terminated.hostname 4. Configurar en el archivo /etc/security/audit_control las siguientes clases de eventos a ser auditadas: # vi /etc/security/audit_control 5. Crear el script /etc/security/newauditlog.sh: vi /etc/security/newauditlog.sh #!/sbin/sh # # newauditlog.sh - Start a new audit file and expire the old logs PATH=/usr/bin:/usr/sbin # # If the disk space isn't sufficient to retain logs on a month, # lower this value from 30 to 7 AUDIT_EXPIRE=30 AUDIT_DIR="/var/audit" LOG_DIR=/var/audit/logs# Rotate the log file audit -n # Move the log files to the archive directory and compress
for i in `ls ${AUDIT_DIR} | grep -v not_terminated | grep -v logs`
do
compress ${AUDIT_DIR}/${i}
mv ${AUDIT_DIR}/${i}.Z ${LOG_DIR}/${i}.Z
done
# Delete old log files
cd ${AUDIT_DIR} # in case it is a link
find . ${LOG_DIR} -type f -mtime +${AUDIT_EXPIRE} \
-exec rm {} > /dev/null 2>&1 \;
exit 0
6. Configurar la siguiente línea de crontab para el
usuario root:0 0 * * * /etc/security/newauditlog.sh 7. Reiniciar el sistema: /usr/sbin/shutdown -y -g 0 -i 6 8. Los archivos de auditoria generados pueden ser leídos con el comando praudit |
CLEANUP DOS FILES
If you deal with DOS files and the "^M" character
always appears at the end of the line, here are
two ways to get rid of them.
If you edit the DOS text file with the "vi"
editor in UNIX, use the following from the
"vi" command line:
:%s/^V^M//g
From a Unix shell use the command:
% sed 's/^V^M//g' foo > foo.new
NOTE: ^V is control V and ^M is control M or Enter
