Auditing in Irix

Apr 2, 2004
I am trying to set up auditing for the following activities in Irix 6.5.17. That is, I need the system to keep a record of the following activities automatically.

a. Successful and Unsuccessful Logons and Logoffs
b. Unsuccessful attempts to access security relevant files and directories
c. Denial of system access (account lockout) due to multiple failed login attempts
d. Changes to passwords
e. Audit records need to contain the following information: date and time of action, type of action, and the responsible user for the action, and the resources involved (e.g., name of file for a failed access attempt for a file).

I have been able to find a way to record some of these activities for terminal logins or sessions (using /etc/default/login), but cannot find a way to do it for GUI login. I want to mimic the actions of the /etc/default/login file for GUI logins. Thanks in advance for any help.
 
Sounds like you are having the same problems I am having, NISPOM chapter 8? Have you found any help? I am still unable to get everything in the audit records. Also the /etc/default/password file seems to do nothing. So I cannot implement password length or history requirements. Any help you can give me would be greatly appreciated! Thanks, Tamara
 
Yes, NISPOM Chapter 8. See the links below. We were able to install system audit trail (SAT) which is distributed with the Irix Overlay CDs.

Go to this link and download the FULL presentation. This will give you some details on how to set up SAT to do what is required for chapter 8 in Irix. The FULL presentation goes through several different operating systems. Toward the end of the presentation is info on Irix.

This is some guy's page on how to set up a secure Irix system. I used this as a backup since it had a little more detail than the first link.

Let me know if this solves your problems. If not, I can give more detailed help.
 
The "intersect alliance" guys, who produce Snare for Linux/Solaris/Windows/etc, are just about to take delivery of an IRIX box with a view to creating a Snare agent for Irix. Open source as usual.

Might help a little, if you need to centralise your audit logs.

Red.
 
I've heard this is a problem for lots of folks dealing with NISPOM and DCID 6/3. I found a site that says they can audit IRIX logs, and lots of other sources. See
 
Just a quick followup - the snare agent for Irix is now available from the intersect alliance web site:


From the web page:
"Snare for Irix provides front end filtering, remote control, and remote distribution for Irix audit data, interfacing with the underlying SGI "Security Audit Trail" (SAT/SATD).

Snare for Irix can be used as a standalone auditing tool, or can send data to the Snare Server for analysis and storage."

Several organisations are now starting to use it for NISPOM/DCID. The app is free, has a web-based remote-control capability, can turn on SAT events dynamically, and has source code available. (Sorry, it doesn't make you coffee of a morning though. ;)

Hope this helps!

Red.
 
All I have to say is God bless you all. I have been all over the Internet looking for good information concerning Irix and Chapter 8 of the NISPOM, and this is the first time I've found it. Needless to say, after reading this thread, I have now become a member of this board. THANKS!
 