Monday, November 8, 2010
JASS: Auditing & Controlling Output Logs
You might want to eliminate pass messages (JASS_LOG_SUCCESS variable) from the output so you can report and focus only on fail messages (JASS_LOG_FAILURE variable).
If the logging variable is set to 0, then no output is generated for messages of that type. Conversely, if the logging variable is set to 1, then messages are displayed. The default action for each of these variables is to display the output.
JASS_LOG_BANNER (all banner output): controls the display of banner messages. These messages are usually surrounded by separators made up of equal sign ("=") or dash ("-") characters.
JASS_LOG_ERROR ([ERR]): controls the display of error messages. If set to 0, no error messages are generated.
JASS_LOG_FAILURE ([FAIL]): controls the display of failure messages. If set to 0, no failure messages are generated.
JASS_LOG_NOTICE ([NOTE]): controls the display of notice messages. If set to 0, no notice messages are generated.
JASS_LOG_SUCCESS ([PASS]): controls the display of success or passing status messages. If set to 0, no success messages are generated.
JASS_LOG_WARNING ([WARN]): controls the display of warning messages. If set to 0, no warning messages are generated.
These options are useful when you only need to view specific messages. By setting them, you can minimize output while still focusing on the areas you deem critical. For example, by setting all logging variables to 0 except JASS_LOG_FAILURE (left at its default of 1), the audit reports only on failures generated by the logFailure function.
# JASS_LOG_FAILURE=1
# JASS_LOG_NOTICE=0
# JASS_LOG_SUCCESS=0
# JASS_LOG_WARNING=0
# export JASS_LOG_WARNING JASS_LOG_SUCCESS JASS_LOG_NOTICE JASS_LOG_FAILURE
# ./jass-execute -a secure.driver -V 2
update-at-deny [FAIL] User test is not listed in /etc/cron.d/at.deny.
update-at-deny [FAIL] Audit Check Total : 1 Error(s)
update-inetd-conf [FAIL] Service ftp is enabled in /etc/inet/inetd.conf.
update-inetd-conf [FAIL] Service telnet is enabled in /etc/inet/inetd.conf.
update-inetd-conf [FAIL] Service rstatd is enabled in /etc/inet/inetd.conf.
update-inetd-conf [FAIL] Audit Check Total : 3 Error(s)
Here I have provided a JASS auditing script that can be run weekly, monthly, yearly, or however you choose. The audit will alert on any system changes via email sent to the addresses set in the MAIL_LIST variable. The script requires a Repository directory under /opt/SUNWjass.
jass-audit.sh
#!/usr/bin/ksh
# jass-audit.sh - run a Solaris Security Toolkit (JASS) audit and mail
# the [FAIL] findings to MAIL_LIST whenever any are found.
HOST=`hostname`
TIMESTAMP=`date +%H%M.%d%m`
SPOOL="/opt/SUNWjass"
L_LOG="$SPOOL/Repository/Jass_Audit.$TIMESTAMP"
L_OUT="$SPOOL/Repository/Jass_Audit.$TIMESTAMP.OUT"
MAIL_LIST=""            # set to the recipient address(es) before use

# Show only failure messages; suppress notice, success and warning output.
JASS_LOG_FAILURE=1
JASS_LOG_NOTICE=0
JASS_LOG_SUCCESS=0
JASS_LOG_WARNING=0
export JASS_LOG_WARNING JASS_LOG_SUCCESS JASS_LOG_NOTICE JASS_LOG_FAILURE

# Fail early on misconfiguration instead of silently producing no mail.
if [ -z "$MAIL_LIST" ]; then
    echo "jass-audit.sh: MAIL_LIST is empty, no recipient to mail" >&2
    exit 1
fi
if [ ! -d "$SPOOL/Repository" ]; then
    echo "jass-audit.sh: $SPOOL/Repository does not exist" >&2
    exit 1
fi

# Run the audit; -o writes the toolkit output to L_LOG.
"$SPOOL/bin/jass-execute" -a server-secure.driver -V 2 -o "$L_LOG"

if [ -f "$L_LOG" ]; then
    ERR=`grep -c FAIL "$L_LOG"`
    if [ "$ERR" -ne 0 ]; then
        echo "Solaris Security Log: AUDIT (${HOST}) $TIMESTAMP" > "$L_OUT"
        echo "" >> "$L_OUT"
        echo "File : $L_LOG" >> "$L_OUT"
        echo "========================================================" >> "$L_OUT"
        echo "Failures : " >> "$L_OUT"
        # Individual findings only; drop the per-script "Audit Check Total : N Error(s)" lines.
        grep FAIL "$L_LOG" | grep -v 'Audit Check Total' >> "$L_OUT"
        echo "========================================================" >> "$L_OUT"
        # The last lines of the log carry the [SUMMARY] block.
        tail -12 "$L_LOG" >> "$L_OUT"
        mailx -s "Solaris Security Toolkit Log: AUDIT (${HOST})" $MAIL_LIST < "$L_OUT"
    else
        exit 0
    fi
fi
Output Example:
Solaris Security Log: AUDIT (host-name) 1301.0211
File : /opt/SUNWjass/Repository/Jass_Audit.1301.0211
========================================================
Failures :
update-at-deny [FAIL] User test is not listed in /etc/cron.d/at.deny.
========================================================
server-secure.driver [SUMMARY] Results Summary for AUDIT run of server-secure.driver
server-secure.driver [SUMMARY] The run completed with a total of 84 scripts run.
server-secure.driver [SUMMARY] There was a Failure in 1 Script
server-secure.driver [SUMMARY] There were Errors in 0 Scripts
server-secure.driver [SUMMARY] There was a Warning in 1 Script
server-secure.driver [SUMMARY] There were Notes in 19 Scripts
server-secure.driver [SUMMARY] Failure Scripts listed in:
server-secure.driver /var/opt/SUNWjass/run/20101102130155/jass-script-failures.txt
server-secure.driver [SUMMARY] Warning Scripts listed in:
server-secure.driver /var/opt/SUNWjass/run/20101102130155/jass-script-warnings.txt
server-secure.driver [SUMMARY] Notes Scripts listed in:
server-secure.driver /var/opt/SUNWjass/run/20101102130155/jass-script-notes.txt
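As an added example, not part of the original post or of the Solaris Security Toolkit, here is a portable sh version of the report step that the audit script above performs with a single grep. It parses the "script-name [LEVEL] message" lines that JASS_LOG_FAILURE=1 leaves in the log, drops the per-script "Audit Check Total" lines, groups the remaining findings by script, and returns an exit status a cron job or monitoring hook can act on. The log text inside is constructed from the failure and summary lines shown on this page; the host label and the temporary file path are placeholders.

```shell
#!/bin/sh
# Added example: summarise a JASS audit log per script.
# Constructed sample in the "<script> [LEVEL] <message>" format shown above.
SAMPLE_LOG='update-at-deny [FAIL] User test is not listed in /etc/cron.d/at.deny.
update-at-deny [FAIL] Audit Check Total : 1 Error(s)
update-inetd-conf [FAIL] Service ftp is enabled in /etc/inet/inetd.conf.
update-inetd-conf [FAIL] Service telnet is enabled in /etc/inet/inetd.conf.
update-inetd-conf [FAIL] Service rstatd is enabled in /etc/inet/inetd.conf.
update-inetd-conf [FAIL] Audit Check Total : 3 Error(s)
set-banner-sshd [PASS] Banner is set.
server-secure.driver [SUMMARY] There was a Failure in 2 Scripts'

# Individual [FAIL] findings only; the per-script totals are dropped.
jass_failures() {
    # $1: path to a JASS audit log
    grep '\[FAIL\]' "$1" | grep -v 'Audit Check Total'
}

# Number of individual failure findings.
jass_failure_count() {
    jass_failures "$1" | wc -l | tr -d ' '
}

# Distinct scripts that produced at least one failure, one per line.
jass_failing_scripts() {
    jass_failures "$1" | awk '{print $1}' | sort -u
}

# Mail-body style report: header, findings grouped by script, counts.
jass_report() {
    # $1: log path, $2: host label
    log=$1
    host=$2
    total=$(jass_failure_count "$log")
    scripts=$(jass_failing_scripts "$log" | wc -l | tr -d ' ')
    echo "Solaris Security Log: AUDIT ($host)"
    echo "File : $log"
    echo "========================================================"
    echo "Failures : $total finding(s) in $scripts script(s)"
    for s in $(jass_failing_scripts "$log"); do
        echo "--- $s"
        # awk equality avoids treating dots in script names as regex metacharacters.
        jass_failures "$log" | awk -v s="$s" '$1 == s' | sed 's/^[^ ]* \[FAIL\] /    /'
    done
    echo "========================================================"
}

# Exit status for automation: 0 = no failures, 1 = failures found.
jass_status() {
    [ "$(jass_failure_count "$1")" -eq 0 ]
}

# Stand-alone demo on the constructed log (host label is a placeholder).
tmp=${TMPDIR:-/tmp}/jass_demo_$$.log
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
jass_report "$tmp" "example-host"
jass_status "$tmp" || echo "audit found failures"
rm -f "$tmp"
```

To use it against a real run, point jass_report at the file written by jass-execute -o and mail its output instead of the raw grep; jass_status gives the non-zero exit that a scheduler needs to raise an alert without parsing the mail.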