
RE: [ISSForum] BSM usage with Server Sensor on Solaris



Growth of BSM log files is certainly a bit of a problem but there are a
number of ways of handling it.  Firstly, you can configure BSM itself so that
it does not audit every event.  You do this by changing the
/etc/audit/audit_control file.  There is a guide on the Sun website that
details what to do with this.

You can also configure the server sensor to clear the BSM log.  In the
properties of the sensor (from the WGM) one of the options is how to handle
the BSM logs - either by reducing or removing them.  The other option we've
used in the past is to have a cron job to remove the log periodically.


Simon

-----Original Message-----
From: issforum-admin@xxxxxxx [mailto:issforum-admin@xxxxxxx]On Behalf Of
Mark Weiss
Sent: 22 January 2004 20:22
To: issforum@xxxxxxx
Cc: brimatts@xxxxxxxxx
Subject: [ISSForum] BSM usage with Server Sensor on Solaris


We are in the process of attempting to roll out Server
Sensor in our Unix (Solaris 2.8) environment. My
question concerns the BSM (Basic Security Module)
which is included in Solaris and is used to create the
security logs so that Server Sensor can be used to
flag curious activity (much like the Windows version
does).

Currently, we do not have the BSM enabled (there are
other tools that are used).  In performing some
testing with several of the options turned on in a lab
environment, it is evident that the log file(s) can
become very large, very fast.  In our environment
where our web servers see large volumes of traffic
this could be a big problem.

I'd be curious to know if/how people are using the BSM
in conjunction with Server Sensor on Solaris.  I'm
looking for ideal configurations of it.  I'd also like
to hear if there are people out there who do not have
the BSM enabled and just look at Web traffic.

MW

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
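
The cron-job approach mentioned in the reply above, as an added example that is not from the thread or from ISS: a script that removes only closed BSM audit files past a retention age and never touches the file auditd is still writing. The audit directory, the retention period and the script path are assumptions; the retention should be long enough that the sensor has already processed the files.

```shell
#!/bin/sh
# Added example: age out closed Solaris BSM audit files from cron.
# AUDIT_DIR and KEEP_DAYS are assumed values; AUDIT_DIR must match the
# dir: line in /etc/audit/audit_control.
AUDIT_DIR="${AUDIT_DIR:-/var/audit}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# List closed audit files in $1 last modified more than $2 days ago.
# Closed files are named <start>.<end>.<host>; the file auditd is still
# writing is <start>.not_terminated.<host> and is always skipped.
list_prunable() {
    find "$1" -type f -name '[0-9]*.[0-9]*.*' \
        ! -name '*.not_terminated.*' -mtime +"$2" -print
}

# Remove the files selected above, logging each removal.
prune_audit_dir() {
    dir=$1
    days=$2
    if [ ! -d "$dir" ]; then
        echo "audit directory not found: $dir" >&2
        return 1
    fi
    case $days in
        ''|*[!0-9]*) echo "retention must be a whole number of days: $days" >&2
                     return 1 ;;
    esac
    list_prunable "$dir" "$days" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed $f"
    done
}

# Example crontab entry (script path is hypothetical):
#   0 3 * * * /usr/local/sbin/bsm_prune.sh --run
if [ "${1:-}" = "--run" ]; then
    # audit -n asks auditd to close the current file and open a new one,
    # so today's records become a closed file that can age out later.
    audit -n
    prune_audit_dir "$AUDIT_DIR" "$KEEP_DAYS"
fi
```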
