Chat now with support
Chat with Support

InTrust 11.4.2 - Preparing for Auditing and Monitoring Solaris

InTrust Configuration

After you have taken all the necessary configuration steps on the target Solaris hosts, the InTrust Manager snap-in takes over all auditing and real-time monitoring operations. This section describes Solaris-specific settings that are not explained in the other InTrust documentation.

Data Sources

The “Solaris Syslog” and “Solaris Audit Log” data sources represent the Solaris audit trails—Syslog and Basic Security Module log, respectively. The "Solaris text files monitoring" and “Solaris accounts monitoring” data sources work with files that are not audit trails.

Solaris Syslog

Syslog auditing and real-time monitoring is based on the flow of data intended for the syslogd daemon. The “Solaris Syslog” data source is used to analyze the data flow and capture only the necessary portions of it.

This data source uses a list of regular expressions. When the data source is working, it applies the expressions, in the order specified, to each message. The order of the regular expressions matters because message processing stops as soon as the message matches one of the expressions.

When parsing takes place, pairs of parentheses are used in regular expressions to break messages up into numbered fields.

For example, the following regular expression:

^(.{15}) ([-[:alnum:]_.]+) (su)(\[[0-9]*\]){0,1}: \[ID ([0-9]+) [a-z]+\.[a-z]+\] ('su (.*)' succeeded for (.*) on (.*))

matches the following message:

Dec 16 07:29:28 r5 su: [ID 366847 auth.notice] 'su root' succeeded for jsmith on /dev/pts/1

The result is an event with the following fields:

Field Name Field Number

Field Contents

Computer <2>


Description <6>

‘su root’ succeeded for jsmith on /dev/pts/1

Event ID <5>


Event Source <3>


Insertion String #1 <6>

‘su root’ succeeded for jsmith on /dev/pts/1

Insertion String #11 <7>


Insertion String #12 <8>


The last regular expression in the predefined data source is designed to match any message. This ensures that the message is not lost. The result of this regular expression is an event where the Description and Insertion String #1 fields both contain the descriptive part of the message, if a descriptive part is present.

It is not recommended that you modify predefined regular expressions in the data source. These expressions are required for the reports that come with the Solaris Knowledge Pack. These reports will ignore any data resulting from the use of custom regular expressions.

If you create a custom Syslog data source with your own regular expressions, make sure you use customized reports based on the data that these regular expressions help capture.

Caution: Including a lot of complex regular expressions in the data source may slow down Syslog processing significantly.

Text File-Monitoring Data Sources

The “Solaris text files monitoring” and “Solaris accounts monitoring” scripted data sources are designed to parse specified files. Real-time monitoring rules use these data sources to monitor the files for changes.

CAUTION: These scripted data sources are not designed for general-purpose auditing and monitoring of text-based logs. They should be used only on configuration files that preferably do not exceed 100 kilobytes. To collect large text-based logs, use Custom Text Log Events data sources, as described in the Auditing Custom Logs with InTrust document.

To specify the file paths, edit the appropriate parameters of the data sources. For example, to monitor the /etc/hosts.allow and /etc/hosts.deny files, take the following steps:

  1. Open the properties of the “Solaris text files monitoring” data source.
  2. On the Parameters tab, select the TextFiles parameter and click Edit.
  3. Supply “/etc/hosts.allow” and “/etc/hosts.deny” in the dialog box that appears.

Similarly, you can edit the UsersFile and GroupsFile parameters of the “Solaris accounts monitoring” data source if the location of the passwd and groups files differs from the default on your Solaris hosts.

Note: Monitoring the passwd and groups files makes sense if your Solaris environment does not use a directory solution. With a directory in place, information in these files is not important or representative.

External Events Data Sources

The External Events data source type is not represented by any predefined data sources. It is different from other data source types in that it generates event records with fields that you define and hands them over to the InTrust agent to process.

Data sources of this type are represented by a command-line utility on the agent side and an InTrust data source object on the InTrust server side.

This command-line utility forces special events on the InTrust agent running on the same computer. The agent stores the events in its backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.

To create an External Events data source

  1. Right-click the Configuration | Data Sources node and select New Data Source.
  2. In the New Data Source Wizard, select the External Events data source type.
  3. Complete the remaining steps.

For details about External Events data source settings, see Configuring Data Sources.

Script Event Provider Data Sources

InTrust provides an additional option to create a custom data source using the Script Event Provider.

This functionality allows you to create a script that starts with pre-set frequency. Under some conditions that are specified in this script events are generated and then are passed to the InTrust agent. Events are stored in the agent's backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.

You can specify in the certain script: what information is stored and how it is ordered in the certain events, what conditions are required for event generation.

To create a custom data source with Script Event Provider

  1. Right-click the Configuration | Data Sources node and select New Data Source.
  2. In the New Data Source Wizard, select the Script Event Provider data source type.
  3. On the Script step select the script language and enter your script text using XML editor.
  4. On the same step specify a frequency of the script running.
  5. Complete the remaining steps.

Auditing, Reporting, and Real-Time Monitoring

Solaris auditing, reporting, and real-time monitoring is similar to working with any other system supported by InTrust. There is only one important difference that refers to active scheduling of the InTrust tasks—see the warning note below.

Caution: An active schedule is required to make the agent cache events. If the schedule is disabled, no events are stored. Since all data sources described above (except "Solaris Audit Log") use events caching, it is recommended that you use at least one task for the cache-enabled data sources that run regularly. If you want to gather data only on demand, you must still enable the schedule for your task or tasks, but set it to a point in the future or in the past.

The other Solaris auditing, reporting and real-time monitoring operations do not have special requirements, and you can perform them as described in the Auditing Guide and Real-Time Monitoring Guide.

Use Scenarios

This topic describes typical situations in a production environment and outlines how InTrust helps handle them:

  • Syslog Configuration Monitoring
  • Tracking Resource Access

For information about specific procedures, such as creating tasks and jobs or activating rules, see the Auditing Guide and Real-Time Monitoring Guide.

Syslog Configuration Monitoring

Suppose you use a finely-tuned Syslog audit policy in your environment. Your audit configuration has proven efficient and reliable, and you do not want anyone but a few trusted administrators to be able to change it. Even so, you want to know immediately if the audit policy is modified in any way.

Use InTrust real-time monitoring capabilities to enable immediate notification. Syslog audit configuration is defined in the syslog.conf file, so the solution in this case is to monitor this file with InTrust and send an alert whenever the file is modified.

Enable the “Syslog.conf file modified” rule and supply the appropriate file paths as the rule's parameter.

Tracking Resource Access

In this scenario, one of your Solaris hosts stores production-critical files. You want to be notified whenever these files are accessed. Take the following steps to track access to your files using InTrust:

  1. Make sure that Basic Security Module policy is configured to capture file-related events.
  2. Create a weekly InTrust task that includes gathering of relevant Solaris Audit log events and reporting on them.
    If you like, you can store the gathered data in an InTrust repository. You can also include a notification job to inform you of task completion.
    Include the “File access” report in the reporting job, and supply the appropriate paths in the Files filter. The resulting reports are stored in the local folder that is specified during InTrust installation (for details see the Deployment Guide).

Now you can use Knowledge Portal to view a weekly report indicating who accessed your critical files, when they were accessed, and whether they were modified.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating