Servicios

Web hosting
Ver »
Páginas Web
Ver »
Soporte UNIX
Ver »
UNIX TIPS
Ver »

Basic Security Module (BSM)

Para configurar la auditoria a nivel C2 de Solaris es necesario habilitar el  módulo  de  seguridad  básica  o  BSM  (Basic  Security  Module). 

1.  Asegurarse  de  que  aún  no  se  encuentra  habilitado  BSM  (el siguiente comando no debe devolver ninguna salida): grep c2audit /etc/system

2.  Habilitar BSM:
/etc/security/bsmconv

This script is used to enable the Basic Security Module (BSM).

Shall we continue with the conversion now? [y/n] y

bsmconv: INFO: checking startup file.
bsmconv: INFO: move aside /etc/rc3.d/S81volmgt.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation files.

The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.

Reboot this system now to come up with BSM enabled.

3.  Revisar que se haya creado el directorio /var/audit:
ls -ld /var/audit
drwxr-xr-x   2 root      sys           512 Jul 12 22:23 /var/audit
ls -l /var/audit
total 2
-rw-------            1    root                    root                                        56    Jul    12    22:23
20050713032312.not_terminated.hostname

4.  Configurar   en   el   archivo   /etc/security/audit_control   las siguientes clases de eventos a ser auditadas:
# vi /etc/security/audit_control


dir:/var/audit
flags:lo,ad
naflags:lo,ad
#
#    lo - login/logout events
#    ad - administrative actions: mount, exportfs, etc.
#    pc - process operations: fork, exec, exit, etc.
#    fc - file creation
#    fd - file deletion
#    fm - change of object attributes: chown, flock, etc

5.  Crear el script /etc/security/newauditlog.sh:
vi /etc/security/newauditlog.sh

#!/sbin/sh

#
# newauditlog.sh - Start a new audit file and expire the old logs

PATH=/usr/bin:/usr/sbin
#
# If the disk space isn't sufficient to retain logs on a month, # lower
this value from 30 to 7

AUDIT_EXPIRE=30 

AUDIT_DIR="/var/audit"

LOG_DIR=/var/audit/logs
# Rotate the log file audit -n

# Move the log files to the archive directory and compress

for i in `ls ${AUDIT_DIR} | grep -v not_terminated | grep -v logs`
do
compress ${AUDIT_DIR}/${i}
mv ${AUDIT_DIR}/${i}.Z ${LOG_DIR}/${i}.Z
done

# Delete old log files

cd ${AUDIT_DIR} # in case it is a link
find . ${LOG_DIR} -type f -mtime +${AUDIT_EXPIRE} \
-exec rm {} > /dev/null 2>&1 \;
exit 0


chmod 500 /etc/security/newauditlog.sh
6.  Configurar la siguiente línea de crontab para el usuario root:
0 0 * * * /etc/security/newauditlog.sh

7.  Reiniciar el sistema:
/usr/sbin/shutdown -y -g 0 -i 6

8.  Los  archivos  de  auditoria  generados  pueden  ser  leídos  con  el comando praudit

Regresar

Random TIPS

KEEP THE USERS OFF WITH NOLOGIN
There is a way to disable any new login attempts into a system. This can be achieved by simply creating a file called /etc/nologin.
It can have a null file size or a message can be placed into the file informing the status of the system. If a user attempts to login remotely, a message will display with contents of the /etc/nologin file, and then disconnect the user.
However, ftp connections are not affected by this, if ftpd is running.

free counters