
Basic Security Module (BSM)

To configure C2-level auditing on Solaris, the Basic Security Module (BSM) must be enabled.

1.  Make sure BSM is not already enabled (the following command must return no output):
grep c2audit /etc/system

2.  Enable BSM by running the bsmconv script (the page shows the bsmconv dialogue; the command is /etc/security/bsmconv):
/etc/security/bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? [y/n] y
bsmconv: INFO: checking startup file.
bsmconv: INFO: move aside /etc/rc3.d/S81volmgt.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation files.
The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.

3.  Check that the /var/audit directory has been created (the name of the audit file shown in the second listing is missing from the page):
ls -ld /var/audit
drwxr-xr-x   2 root      sys           512 Jul 12 22:23 /var/audit
ls -l /var/audit
total 2
-rw-------   1 root      root           56 Jul 12 22:23

4.  Configure the following event classes to be audited in the file /etc/security/audit_control (flags applies to attributable events, naflags to events that cannot be attributed to a user):
# vi /etc/security/audit_control
dir:/var/audit
flags:lo,ad
naflags:lo,ad
#
#    lo - login/logout events
#    ad - administrative actions: mount, exportfs, etc.
#    pc - process operations: fork, exec, exit, etc.
#    fc - file creation
#    fd - file deletion
#    fm - change of object attributes: chown, flock, etc

5.  Create the rotation script in /etc/security/ (the script name is missing from the page). The variable definitions were also missing from the page; the values below follow the steps above (AUDIT_DIR is the dir: entry of audit_control, the archive directory is assumed to be /var/audit/logs, which the loop's "grep -v logs" skips):
vi /etc/security/

#!/bin/sh
# - Start a new audit file and expire the old logs

# Audit directory (dir: entry of /etc/security/audit_control)
AUDIT_DIR=/var/audit
# Archive directory for compressed logs (assumed; must exist and is
# skipped by the loop below via "grep -v logs")
LOG_DIR=${AUDIT_DIR}/logs
# If the disk space isn't sufficient to retain logs for a month, lower
# this value from 30 to 7
AUDIT_EXPIRE=30

# Rotate the log file (close the current audit file and start a new one)
audit -n

# Move the log files to the archive directory and compress
for i in `ls ${AUDIT_DIR} | grep -v not_terminated | grep -v logs`
do
    compress ${AUDIT_DIR}/${i}
    mv ${AUDIT_DIR}/${i}.Z ${LOG_DIR}/${i}.Z
done

# Delete old log files
cd ${AUDIT_DIR} # in case it is a link
find . ${LOG_DIR} -type f -mtime +${AUDIT_EXPIRE} \
    -exec rm {} > /dev/null 2>&1 \;
exit 0

Restrict the script to root (read and execute only):
chmod 500 /etc/security/
6.  Add the following crontab line for the root user (the script name is missing from the page), so the rotation runs daily at midnight:
0 0 * * * /etc/security/

7.  Reboot the system:
/usr/sbin/shutdown -y -g 0 -i 6

8.  The generated audit files can be read with the praudit command.
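After the reboot it is worth verifying that the configuration from steps 1 to 4 actually took effect. The following POSIX sh script is an added example and is not part of the original page: each check takes the file to inspect as an argument, so the same functions run against the real /etc/system and /etc/security/audit_control on a Solaris host or against the constructed sample files it builds in a temporary directory. The "set c2audit:audit_load = 1" line in the sample /etc/system is the line bsmconv adds (assumed here; compare it with your own /etc/system).

```shell
#!/bin/sh
# Added example, not from the original page: post-reboot checks for the BSM
# settings configured in the procedure above. Every check takes the file to
# inspect as an argument so it can be pointed at the real /etc/system and
# /etc/security/audit_control or at the constructed samples built below.

# Step 1 in reverse: once BSM is enabled, "grep c2audit /etc/system" must
# print something. Returns 0 when the audit module line is present.
bsm_enabled_in_system() {
    grep -q 'c2audit' "$1"
}

# Print the value of one audit_control directive (dir, flags or naflags),
# skipping comment lines. Prints nothing if the directive is absent.
audit_control_value() {
    _file=$1
    _key=$2
    grep -v '^#' "$_file" | sed -n "s/^${_key}:[[:space:]]*//p" | head -n 1
}

# Return 0 if every class listed in $3 (comma-separated, e.g. lo,ad) is
# present in directive $2 of the audit_control file $1.
audit_classes_present() {
    _file=$1
    _key=$2
    _wanted=$3
    _have=$(audit_control_value "$_file" "$_key")
    for _c in $(printf '%s\n' "$_wanted" | tr ',' ' '); do
        case ",${_have}," in
            *",${_c},"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print a one-line verdict per check; returns 0 only if every check passes.
bsm_report() {
    _system=$1
    _control=$2
    _rc=0
    if bsm_enabled_in_system "$_system"; then
        echo "ok   : c2audit present in $_system"
    else
        echo "FAIL : c2audit missing from $_system (BSM not enabled)"
        _rc=1
    fi
    for _key in flags naflags; do
        if audit_classes_present "$_control" "$_key" lo,ad; then
            echo "ok   : $_key includes lo,ad"
        else
            echo "FAIL : $_key does not include lo,ad"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample files mirroring the page's configuration. The
# "set c2audit:audit_load = 1" line is assumed to be what bsmconv adds to
# /etc/system; check your own /etc/system.
SAMPLE_DIR=${TMPDIR:-/tmp}/bsm_check.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/system" <<'EOF'
set c2audit:audit_load = 1
EOF
cat > "$SAMPLE_DIR/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ad
naflags:lo,ad
#
#    lo - login/logout events
#    ad - administrative actions: mount, exportfs, etc.
EOF

# Run against the samples; on a Solaris host pass /etc/system and
# /etc/security/audit_control instead.
bsm_report "$SAMPLE_DIR/system" "$SAMPLE_DIR/audit_control"
```

Running the report against the real files after the reboot gives a quick confirmation that the kernel audit module line is in place and that both flags and naflags still carry the lo and ad classes; a FAIL on naflags is the usual sign that someone edited audit_control and only updated flags.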


Random TIPS

There is a way to disable any new login attempts on a system: simply create a file called /etc/nologin.
The file can be empty, or it can contain a message describing the status of the system. If a user attempts to log in remotely, the contents of /etc/nologin are displayed and the user is then disconnected.
However, ftp connections are not affected by this if ftpd is running.
