|
|||
|
 |
|
  |
|
  |
|
| |
Chapter 20BSM (Overview)The Basic Security Module (BSM) provides two security features. The first feature is an auditing mechanism, which includes tools to assist with the analysis of the auditing data. The second feature is a device-allocation mechanism, which provides the required object-reuse characteristics for removable devices or assignable devices. This chapter introduces the concepts behind BSM. The following is a list of the information in this chapter. What Is Auditing?Auditing is the collection of data about the use of machine resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility to actions that take place on a host. Successful auditing starts with two security features: identification and authentication. At login, after a user supplies a user name and password, a unique audit ID is associated with the user's process. The audit ID is inherited by every process that is started during the login session. Even if a user changes identity, all user actions are tracked with the same audit ID. See the su(1M) man page. The auditing subsystem makes the following possible:
During system configuration, you select which activities to monitor. You can also fine-tune the degree of auditing that is done for individual users. After audit data is collected, audit-reduction and interpretation tools allow you to examine interesting parts of the audit trail. For example, you can choose to review audit records for individual users or specific groups. You can examine all records for a certain type of event on a specific day. Or you can select records that were generated at a certain time of day. How Does Auditing Work?Auditing is the generation of audit records when specified events occur. Most commonly, events that generate audit records include the following:
Audit records are generated from three sources:
Once the relevant event information has been captured, the information is formatted into an audit record. The record is then placed in a kernel buffer known as the audit queue. From this temporary location within the kernel, audit records are written to audit files. Where the audit files are located is determined by entries in the audit_control file. The location can include multiple partitions on the same machine, partitions on different machines, or partitions on machines on different but linked networks. The collection of audit files that are linked together is considered an audit trail. Audit records accumulate in audit files chronologically. Contained in each audit record is information that identifies the event, what caused the event, the time of the event, and other relevant information. How Is Auditing Related to Security?To secure a computer system, especially a system on a network, is complex. Security requires mechanisms that control activities before system processes or user processes begin. Security requires tools that monitor activities as the activities occur. Security also requires reports of activities after the activities have happened. Initial configuration of Solaris auditing requires that parameters be set before users log in or machine processes begin. Most auditing activities involve monitoring current events and reporting those events that meet the specified parameters. How Solaris auditing monitors and reports these events is discussed in detail in Chapter 21, Audit Planning and Chapter 22, Managing the BSM Service (Tasks). Auditing cannot prevent hackers from unauthorized entry. However, the audit subsystem can report, for example, that a specific user performed specific actions at a specific time and date. The audit report can identify the user by entry path and user name. Such information can be reported immediately to your terminal and to a file for later analysis. Thus, the audit subsystem provides data that helps you determine the following:
| |
| |
|
Previous