Security Audit

Security Auditing

Security auditing is the formal examination and review of actions taken by system users. This process is necessary to determine the effectiveness of existing security controls, watch for system misuse or abuse by users, verify compliance with current security policies, capture evidence of the commission of a crime (computer or non-computer related), validate that documented procedures are followed, and detect anomalies or intrusions. Effective auditing requires that the correct data be recorded and that it undergo periodic review.

In order to provide individual user accountability, the computing system must be able to correctly identify and authenticate each user. This is the distinguishing factor between system log data and user audit data. Log data, captured by syslogd for example, is typically generated by system processes and daemons that report significant events or information. It does not correspond to specific user actions, nor is it directly traceable to a specific user. Audit data generated by the system corresponds directly to recorded actions taken by identifiable and authenticated users, associated under a unique audit identifier (audit ID). Additionally, all processes associated with a user must inherit the audit ID. If the user assumes a role for additional privilege, those actions must also be tracked under the same audit ID. All the audit information gathered must be sufficient for an after-the-fact investigation. In a sense, audit data is the complete recorded history of a system user.

Once the audit data is recorded, it must be reviewed on a regular basis in order to maintain effective operational security. Administrators who review the audit data must watch for events that may signify misuse or abuse of the system and user privileges, or intrusions. Some examples include:

  • accessing files requiring higher privilege
  • killing system processes
  • opening a different user's files, mail, etc.
  • probing the system
  • installing unauthorized, potentially damaging software (backdoors, Trojan horses, etc.)
  • exploiting a security vulnerability to gain higher or different privileges
  • modifying or deleting sensitive information

In order to provide Sun customers with the ability to effectively audit user actions on their Sun systems, the Solaris and Trusted Solaris Operating Environments provide superior audit subsystems. These audit mechanisms generate, maintain, and protect an audit trail for individual user accountability. Sun customers now have the necessary tools to monitor their Solaris computing environment in accordance with organizational security policy and any regulatory requirements.

Solaris SunSHIELD Basic Security Module (BSM)

The included Solaris audit subsystem is called the SunSHIELD Basic Security Module, or more commonly "BSM". The Solaris 8 Operating Environment was certified at Evaluation Assurance Level 4 (EAL4) against the Controlled Access Protection Profile (CAPP) under the Common Criteria for IT security evaluation. Basically, this means that the Solaris 8 Operating Environment has been tested and verified to meet the security standards set for operating systems that provide user discretionary access control. User auditing is a required component in order to operate in a certified configuration.

BSM auditing is not enabled by default when the Solaris Operating Environment is installed. Before enabling auditing, it is necessary to consider the events to monitor, the disk space available for the audit trail, and the manner and regularity with which the audit trail will be reviewed. Some of the documents listed below provide greater detail on these issues.
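The following is an added example, not part of the original page or of Sun's BSM documentation. It ties together the two points above: the audit_control file that selects which event classes BSM records (the "events to monitor" decision), and a first-pass review script of the kind an administrator would run over the trail to spot the events listed earlier (denied file access, process kills, privilege changes). The audit_control keywords (dir, flags, minfree, naflags), the class names (lo, ad, pc, fm, fr, fw) and the bsmconv, auditreduce and praudit commands are the real Solaris BSM interfaces; everything else is assumed. In particular, the sample records are constructed, their comma-separated layout is modelled on praudit -l output (header token with the event name, subject token with audit ID and effective uid, return token with the status) and may differ from a real trail, and the configuration is written to a scratch file rather than to /etc/security/audit_control.

```shell
#!/bin/sh
# Added example: BSM audit_control selection plus a review pass over
# praudit -l style records. Sample records are constructed, not captured.

# Write an audit_control file to the path given in $1 (a scratch file here;
# the live file is /etc/security/audit_control, activated with bsmconv and
# a reboot). Class prefix "-" records failures only, so failed file reads,
# writes and attribute changes are kept without logging every successful one.
write_audit_control() {
  cat > "$1" <<'EOF'
# audit_control (example, not the Solaris default)
dir:/var/audit
flags:lo,ad,pc,-fm,-fr,-fw
minfree:20
naflags:lo,ad
EOF
}

# Constructed records in the assumed praudit -l layout. On a real system the
# input would come from:  auditreduce -u jdoe | praudit -l
# Note the audit ID (2001) stays with jdoe after su, even though the
# effective uid of the kill(2) record is root: that is the accountability
# property described in the text.
sample_records() {
  cat > "$1" <<'EOF'
header,105,2,login - local,,host1,2004-09-17 09:00:01.000 -07:00,subject,2001,jdoe,staff,jdoe,staff,1234,1234,0 0 host1,return,success,0
header,105,2,open(2) - read,,host1,2004-09-17 09:05:12.000 -07:00,path,/etc/shadow,subject,2001,jdoe,staff,jdoe,staff,1240,1234,0 0 host1,return,failure: Permission denied,-1
header,105,2,su,,host1,2004-09-17 09:06:30.000 -07:00,subject,2001,jdoe,staff,jdoe,staff,1245,1234,0 0 host1,text,success for user root,return,success,0
header,105,2,kill(2),,host1,2004-09-17 09:07:02.000 -07:00,subject,2001,root,root,root,root,1250,1234,0 0 host1,return,success,0
EOF
}

# Print one tagged line per record that matches a review rule, keyed by the
# audit ID so every hit traces back to the authenticated user, not to the
# uid the process happened to be running under.
review_trail() {
  awk -F, '
    {
      event = $4; auid = "?"; uid = "?"; status = "?"
      # Token positions vary, so locate the subject and return tokens by name.
      for (i = 1; i <= NF; i++) {
        if ($i == "subject") { auid = $(i + 1); uid = $(i + 2) }
        if ($i == "return")  { status = $(i + 1) }
      }
      tag = ""
      if (status ~ /^failure/ && event ~ /^open\(2\)/) tag = "DENIED-FILE-ACCESS"
      else if (event ~ /^kill\(2\)/)                    tag = "PROCESS-KILL"
      else if (event == "su")                           tag = "PRIVILEGE-CHANGE"
      if (tag != "")
        printf "%s audit-id=%s uid=%s event=%s\n", tag, auid, uid, event
    }' "$1"
}

# Stand-alone run: build the scratch files and show the flagged records.
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  write_audit_control "$d/audit_control"
  sample_records "$d/trail.txt"
  review_trail "$d/trail.txt"
  rm -rf "$d"
fi
```

Run it with `sh review.sh run`; three of the four constructed records are flagged, and all three carry `audit-id=2001` even though the last one executed as root.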

Documentation

The following documents are available for more information on Solaris and Trusted Solaris audit configuration, administration, and use:

Tools

The following tools are available to analyze audit trails generated by the Solaris and Trusted Solaris audit subsystems:

  • SRI International EMERALD eXpert-BSM
    EMERALD eXpert-BSM is a host-based intrusion detection system that provides an unprecedented degree of real-time security monitoring for critical application servers and workstations running the Solaris Operating Environment.
  • Basic Security Module GUI (UNSUPPORTED)
    This tool provides a graphical user interface for making queries against audit data. This tool is not supported by Sun Microsystems.