
Solaris, Snare and DNS lockups
 

By TuxInvader, on 12-07-2006 15:42

Published in: Technology, Solaris

BSM auditing is a great tool and it does its job well. However, I had a need to process the audit events in real time for intrusion detection purposes, so I used Snare from Intersect Alliance to convert the logging data into something I could parse with my IDS.
 

Snare produces some very nice auditing data, and as I was already using it on our Linux servers I decided to keep things simple and use the same solution on the Solaris boxes. It's a lot easier than parsing the audit data with praudit.

 

As it turns out, all Snare does is run praudit and massage the output so it looks very similar to what Snare produces on Linux. It can then send that data to a syslog server, a commercial Snare server, or just dump it to a local file.

 

The constant running of praudit generates an enormous number of name resolutions. We found that when DNS (and probably other naming services) is unavailable, the system can effectively lock up even though it shows no discernible load. If you do run Snare on Solaris, I would recommend you ensure that you have reliable and resilient naming services.

 

Also, when a process is run without an associated IP address, the praudit process will attempt to resolve 0.0.0.0 via DNS. We added an entry for 0.0.0.0 resolving to "no-ip" in the hosts file to avoid these lookups. We also added all system admins' workstation IPs to the hosts file, because these and "no-ip" launch most if not all of the running services. This prevents DNS outages from locking up the server.
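One way to check that the hosts-file workaround above actually covers the addresses praudit keeps resolving: pull every IPv4 address out of a stretch of Snare/praudit output and report the ones with no local hosts entry. This is an added example, not code from the post or from Snare; both the audit text and the hosts text are constructed samples, and the only assumption about the Snare format is that source addresses appear in it as plain dotted-quad strings.

```shell
#!/bin/sh
# Added example (not from the original post): list the source IPs in
# Snare/praudit-style output that have no entry in the hosts file, i.e. the
# lookups that would still go to DNS on every audit event.
# Both inputs are constructed samples; the real Snare field layout is not
# assumed, only that IPv4 addresses appear literally in the text.

AUDIT_SAMPLE='Solaris-Audit,execve(2),root,192.0.2.10,/usr/bin/ls
Solaris-Audit,login - local,root,0.0.0.0,/usr/bin/login
Solaris-Audit,execve(2),oracle,198.51.100.7,/usr/bin/sqlplus
Solaris-Audit,execve(2),root,192.0.2.10,/usr/bin/cat'

HOSTS_SAMPLE='127.0.0.1   localhost
0.0.0.0     no-ip
192.0.2.10  admin-ws1'

# Print the unique IPv4 addresses found in the audit text, one per line.
audit_ips() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Print the audit addresses that have no entry in the hosts text.
# Comment lines and blank lines in the hosts text are ignored.
unresolved_ips() {
    audit="$1"
    hosts="$2"
    hosts_ips=$(printf '%s\n' "$hosts" | grep -v '^[[:space:]]*#' \
                | awk 'NF { print $1 }' | sort -u)
    audit_ips "$audit" | while read -r ip; do
        printf '%s\n' "$hosts_ips" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# Usage: with the constructed samples, only 198.51.100.7 still needs DNS.
unresolved_ips "$AUDIT_SAMPLE" "$HOSTS_SAMPLE"
```

On a real system the same functions can be fed `/etc/hosts` and a window of the Snare output file to find which addresses are worth adding before the next DNS outage.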

 

Last update : 12-07-2006 16:25
