RE: BSM Audit Records
From: Small, Jim <jim.small(at)eds.com>
Date: Tue May 20 2003 - 15:34:03 EDT
I know about the docs.sun.com reference. Specifically, just like you said, it covers the terminal ID:

For port numbers in the Solaris 7 release or earlier releases:
  32-bit applications: 4-byte port number, 4-byte IP address
  64-bit applications: 8-byte port number, 4-byte IP address
For port numbers in the Solaris 8 or 9 releases:
  32-bit with IPV4: 4-byte port number, 4-byte IP type, 4-byte IP address
  32-bit with IPV6: 4-byte port number, 4-byte IP type, 16-byte IP address
  64-bit with IPV4: 8-byte port number, 4-byte IP type, 4-byte IP address
  64-bit with IPV6: 8-byte port number, 4-byte IP type, 16-byte IP address

This doesn't completely clear things up for me though. Perhaps an example would be better. If I am parsing login/logout (lo) records in my "short" form, I might see something like this (truncated for clarity):

+ftp access for root from 8197 21 host1.dom1.com on Wed 07 May 2003...
+login - local for root from 0 0 192.168.128.95 on Mon 12 May 2003...
+login - telnet for root from 419 23 192.168.145.35 on Mon 12 May 2003...
+login - ssh for root from 0 1447 host1.dom1.com on Tue 20 May 2003...
Here we have 4 types of access:
If I do a file on ftp, dtlogin, telnet, and ssh, I can determine that they are all 32-bit apps:
Therefore, all of these except for dtlogin should be giving me a 4-byte port number, and 4-byte IP type, and a 4-byte IP address.
The 4-byte IP is obvious.
Now dtlogin, since you are logging in via the console, I'm not sure what you should expect and you get 0 0.
For the other 3, I connected to the Solaris 9 box and using netstat detected the ports on the local and remote end.

For telnet, 419 23, it's the same story. 23 could be the local port, but what is 419? Also, this is not consistent with the documentation, which states a 4-byte port number, especially given what I see below with ssh.

For ssh, 0 1447, 1447 is the remote port, and 22 is the local. This seems to contradict the logic displayed by telnet and ftp earlier.

So I don't know how I should interpret the port numbers. Is there more documentation somewhere or an example program? Is this just a problem with using praudit? Any advice or pointers would be greatly appreciated.

Heck Darren, I'm in the Detroit Area Sun Technologies User Group, let me know who maintains BSM/auditd and maybe my local Sun friends can get them to speak at our group!

Thanks,
Jim
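An added example, not part of Jim's mail or of Sun's praudit: a small Python encoder/decoder for the six terminal-ID layouts quoted from the docs above, so the field boundaries for each Solaris release, application word size and address family can be checked against raw record bytes. It assumes big-endian (network order) fields and that the IP-type field holds the address length (4 or 16); both are assumptions, and all sample records are constructed.

```python
from ipaddress import ip_address

# Terminal-ID layouts as quoted from the Solaris BSM docs in the mail above:
# (port field, IP-type field, address field) sizes in bytes.  The Solaris 7
# layouts have no IP-type field, recorded here as a 0-byte field.
LAYOUTS = {
    ("sol7", 32, 4):  (4, 0, 4),    # Solaris 7 or earlier, 32-bit app
    ("sol7", 64, 4):  (8, 0, 4),    # Solaris 7 or earlier, 64-bit app
    ("sol8", 32, 4):  (4, 4, 4),    # Solaris 8/9, 32-bit app, IPv4
    ("sol8", 32, 16): (4, 4, 16),   # Solaris 8/9, 32-bit app, IPv6
    ("sol8", 64, 4):  (8, 4, 4),    # Solaris 8/9, 64-bit app, IPv4
    ("sol8", 64, 16): (8, 4, 16),   # Solaris 8/9, 64-bit app, IPv6
}

def encode_terminal_id(port, address, release, bits):
    """Build the raw bytes of one terminal ID (constructed sample data)."""
    packed = ip_address(address).packed
    port_len, type_len, ip_len = LAYOUTS[(release, bits, len(packed))]
    out = port.to_bytes(port_len, "big")         # assumption: big-endian fields
    if type_len:
        out += ip_len.to_bytes(type_len, "big")  # assumption: IP type = addr length
    return out + packed

def parse_terminal_id(data, release, bits, addr_len):
    """Decode one terminal ID; returns (port, ip_type, address, bytes_consumed).

    ip_type is None for the Solaris 7 layouts, which carry no IP-type field.
    """
    port_len, type_len, ip_len = LAYOUTS[(release, bits, addr_len)]
    need = port_len + type_len + ip_len
    if len(data) < need:
        raise ValueError(f"need {need} bytes, got {len(data)}")
    port = int.from_bytes(data[:port_len], "big")
    off = port_len
    ip_type = None
    if type_len:
        ip_type = int.from_bytes(data[off:off + type_len], "big")
        off += type_len
        if ip_type != ip_len:
            raise ValueError(f"IP type {ip_type} disagrees with address length {ip_len}")
    addr = ip_address(bytes(data[off:off + ip_len]))  # accepts packed bytes
    return port, ip_type, str(addr), need

if __name__ == "__main__":
    # Constructed sample: telnet from 192.168.145.35, port 23, 32-bit app on Solaris 9.
    raw = encode_terminal_id(23, "192.168.145.35", "sol8", 32)
    print(raw.hex(), parse_terminal_id(raw, "sol8", 32, 4))
```

Decoding the same bytes with the wrong layout (for example a 64-bit layout on a 32-bit record) shifts every field, which is one way two numbers such as "0 1447" can appear where one port was expected.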
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:37 EDT