LEM integration with Solaris 10 using BSM

Updated: September 27, 2018

Overview

Integrate LEM with Solaris 10 using BSM.

Environment

  • LEM 6.2
  • Solaris 10

Steps

Solaris 10 BSM Setup

This document describes how to configure the Solaris 10 Basic Security Module (BSM) to log via syslog. The SolarWinds LEM agent for Solaris can then read the resulting log file through its Solaris 10 BSM Auditing connector. We outline the steps necessary to configure BSM to do this, followed by a reference section with more detailed information about the various audit classes. We assume that BSM is already installed on the Solaris 10 server. Solaris versions 8 and 9 need additional software (Snare) installed for BSM to log via syslog and are not covered in this document.

Configure BSM to send to syslog

You will need to have root access to the Solaris server. This process will require the reboot of the server.

  1. Assume a role that includes the Audit Control profile, or become superuser, and open a terminal window if you have not already.
  2. Run the script that enables the auditing service:
    # cd /etc/security
    # ./bsmconv
    This script is used to enable the Basic Security Module (BSM).
    Shall we continue with the conversion now? y/n y
    bsmconv: INFO: checking startup file.
    bsmconv: INFO: turning on audit module.
    bsmconv: INFO: initializing device allocation.

    The Basic Security Module is ready.
    If there were any errors, please fix them now.
    Configure BSM by editing files located in /etc/security.
    Reboot this system now to come up with BSM enabled.

    Do NOT reboot yet. You need to adjust some settings first.

    Save a backup copy of the audit_control file:

    # cp /etc/security/audit_control /etc/security/audit_control.orig

  3. Modify the audit_control file found in /etc/security to include flag settings for what you wish to audit and to log events via syslog. Sample settings are listed below (one entry per line).
    # vi /etc/security/audit_control
    ...
    dir:/var/audit
    flags:am,cl,ex,fc,fd,fm,lo,pc,ss,ua
    minfree:20
    naflags:lo
    plugin:name=audit_syslog.so.1; p_flags=am,cl,ex,fc,fd,fm,fr,fw,lo,pc,ss,ua

    These settings audit both successes and failures. If you precede a class with a dash (e.g. -lo,-ex), the system reports failures only for that class. More information about each flag is provided in the Audit Reference at the bottom of this document.

  4. Save a backup copy of the syslog.conf file.
    # cp /etc/syslog.conf /etc/syslog.conf.orig
  5. Add an audit.notice entry to the syslog.conf file. The log location is included in the entry (separate the selector and the path with a tab).
    # vi /etc/syslog.conf
    ...
    audit.notice    /var/adm/auditlog
  6. Create the log file.
    # touch /var/adm/auditlog
  7. Reload the syslog service with the new changes.
    # svcadm refresh system/system-log
  8. Save a backup copy of logadm.conf.
    # cp /etc/logadm.conf /etc/logadm.conf.orig
  9. Auditing generates a lot of information, so we need to make an entry for log maintenance.
    # vi /etc/logadm.conf
    ...
    /var/adm/auditlog -C 8 -a 'kill -HUP `cat /var/run/syslog.pid`'

    This will keep the last 8 days of audit logs.

  10. Reboot the Solaris server to activate the changes.
  11. Log back in to the server and check for audit activity. You should see some entries in the auditlog file.
    # tail /var/adm/auditlog

    If the file is blank, consult your Solaris documentation (System Administration Guide: Security Services, Chapter 30) or your Solaris support provider.
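The following POSIX sh script is an added example, not SolarWinds' or Oracle's code. It applies the file edits from steps 3 through 9 (audit_control, syslog.conf, logadm.conf) and adds two things a practitioner wants before rebooting: the edits are idempotent and keep a .orig backup, and a verify step confirms the plugin line is present and that the syslog.conf selector is tab separated (Solaris syslogd ignores entries separated by spaces, which is a common cause of a blank auditlog). The ROOT prefix is a device of this example so the run can be rehearsed in a scratch directory; ROOT="" targets the live /etc. It also includes a small linter for the flag syntax of step 3 (leading "-" audits failures only, leading "+" successes only) that warns about any class listed in the "do NOT audit" table of the Audit Reference. All paths and class lists are the ones the article names.

```shell
#!/bin/sh
# Added example (not SolarWinds' or Oracle's code). Rehearse with
#   ROOT=/tmp/scratch sh bsm_syslog.sh
# and apply on the real Solaris 10 host, as root, with
#   sh bsm_syslog.sh apply
# then reboot as the article's step 10 requires.

ROOT="${ROOT:-}"
AUDIT_LOG="/var/adm/auditlog"
# Class lists taken from the article's audit_control sample and reference tables.
SUGGESTED_FLAGS="am,cl,ex,fc,fd,fm,lo,pc,ss,ua"
PLUGIN_FLAGS="am,cl,ex,fc,fd,fm,fr,fw,lo,pc,ss,ua"
DISCOURAGED="all ap fa io ip na nt ot"

# Keep a pristine copy of a file the first time it is touched (idempotent).
backup_file() {
    [ -f "$1" ] && [ ! -f "$1.orig" ] && cp "$1" "$1.orig"
    return 0
}

# Step 3: write audit_control with the syslog plugin enabled.
write_audit_control() {
    f="$ROOT/etc/security/audit_control"
    backup_file "$f"
    cat > "$f" <<EOF
dir:/var/audit
flags:$SUGGESTED_FLAGS
minfree:20
naflags:lo
plugin:name=audit_syslog.so.1; p_flags=$PLUGIN_FLAGS
EOF
}

# Steps 5-6: route audit.notice to the log file. The selector and the
# action MUST be separated by a tab, hence printf with \t.
add_syslog_entry() {
    f="$ROOT/etc/syslog.conf"
    backup_file "$f"
    grep -q "^audit\.notice[[:space:]]" "$f" 2>/dev/null && return 0
    printf 'audit.notice\t%s\n' "$AUDIT_LOG" >> "$f"
    touch "$ROOT$AUDIT_LOG"
}

# Step 9: rotate the log, keeping 8 old copies, and HUP syslogd afterwards.
add_logadm_entry() {
    f="$ROOT/etc/logadm.conf"
    backup_file "$f"
    grep -q "^$AUDIT_LOG " "$f" 2>/dev/null && return 0
    cat >> "$f" <<EOF
$AUDIT_LOG -C 8 -a 'kill -HUP \`cat /var/run/syslog.pid\`'
EOF
}

# Pre-reboot sanity check: plugin line present, syslog selector tab separated.
verify_config() {
    grep -q '^plugin:name=audit_syslog.so.1;' "$ROOT/etc/security/audit_control" &&
    grep -q "^audit\.notice$(printf '\t')$AUDIT_LOG\$" "$ROOT/etc/syslog.conf"
}

configure_bsm_syslog() {
    mkdir -p "$ROOT/etc/security" "$ROOT/var/adm"
    write_audit_control
    add_syslog_entry
    add_logadm_entry
    verify_config
}

# Step 3 caveat: "-cls" audits failures only, "+cls" successes only, bare
# "cls" both. Prints one line per class; returns 1 if any class from the
# article's "do NOT audit" table is present.
lint_audit_flags() {
    rc=0
    for spec in $(printf '%s' "$1" | tr ',' ' '); do
        case "$spec" in
            -*) mode="failure-only";     cls="${spec#-}" ;;
            +*) mode="success-only";     cls="${spec#+}" ;;
            *)  mode="success+failure";  cls="$spec" ;;
        esac
        for bad in $DISCOURAGED; do
            [ "$cls" = "$bad" ] && { mode="$mode (NOT recommended)"; rc=1; }
        done
        printf '%-4s %s\n' "$cls" "$mode"
    done
    return $rc
}

if [ "${1:-}" = "apply" ]; then
    ROOT=""
    configure_bsm_syslog && lint_audit_flags "$SUGGESTED_FLAGS"
elif [ -n "$ROOT" ]; then
    configure_bsm_syslog && lint_audit_flags "$SUGGESTED_FLAGS"
fi
```

After a live run, step 7 (svcadm refresh system/system-log) and the reboot of step 10 are still required; the script deliberately does not restart services, so the change window stays under the operator's control.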

Configuring the Agent and Connector

  1. Install the LEM Solaris agent on the machine (if not already installed).
  2. Once the agent has successfully connected in your console, navigate to Manage > Nodes.
  3. Next to the agent node, click the gear icon, and then select Connectors.
  4. From the Category drop-down list, select Operating Systems.
  5. Next to Solaris 10 BSM Auditing, click the gear icon, and then select New.
  6. Create a new connector configuration, and verify that the Log File path is pointed to the correct path for your audit log.
  7. Click Save.
  8. Next to the connector, click the gear icon, and then select Start.
  9. Log out of the Solaris server and log back in to generate some log entries and verify that you see them in the Console.

Audit Reference

Suggested Audit Classes

  Abbrev  Description
  am      Administrative Actions (meta-class)
  cl      Close System Call
  ex      Program Execution
  fc      Create Object
  fd      Delete Object
  fm      Change of Object Attribute
  fr      Read Data, open for reading
  fw      Write Data, open for writing
  lo      Login and Logout events
  pc      Process (meta-class)
  ss      Change System State
  ua      User Administration

We suggest you do NOT audit the following Audit Classes

  Abbrev  Description
  all     All classes (meta-class)
  ap      Application-defined events
  fa      Access of object attributes
  io      ioctl() System Calls
  ip      System V IPC operations
  na      Nonattributable events
  nt      Network events: bind, connect, accept
  ot      Miscellaneous, such as device allocation and memcntl()

Integration of Solaris and Snare

Due to the type of internal logging carried out by Solaris, one of two solutions must be applied before Solaris can be integrated into LEM: A. the Snare agent is installed on Solaris, followed by a LEM agent, or B. BSM is enabled on Solaris (as described above), followed by a LEM agent.
