
/var/adm/sulog

Updated: 05 Jan 2012 | 2 comments
Kevin_K
This issue has been solved. See solution.

Has anyone had any experience with using the bv-config for Unix files datasource to look at /var/adm/sulog? I'm working in an agentless environment trying to collect data in the /var/adm/sulog for any user that has used the sudo commands on a Unix AIX box.


We have sudo rights for the account in the agentless setup, though we get "access is denied" on the file. We've thought about having the data dumped through a cat command to another file and then having CCS read the data for the report, but wanted to see if anyone else had come across this before.


thanks

Comments

CT-219, 30 Dec 2011

Never tried to audit that particular file, but have come across others which are only accessible as true root. I suspect that this is the case for this file. You likely have only 3 choices to get the information:

  1. Your current solution of setting a cron job to cat the contents of the file to another file and gathering that. Keep in mind that auditors will not be wild about that option because it is not the original file and you lose the chain of custody along the way.
  2. Install the agent on the box as true root so it can access all of these files.
  3. Provide true root credentials to the cred_db and then gather the data. This is the least likely to be acceptable to the Unix admins, although they may buy into it if they get to enter the creds themselves. The challenge there is to have to re-enter the creds every time they change a password.

In my experience, if that level of reporting is required on such sensitive files, I would recommend option 2.

Chris Tyrrell
Compliance Practice Lead
Conventus Corporation
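Option 1 above is the one the thread actually has available, and the chain-of-custody objection is smaller if the cron job records a hash of the original file at the moment it is copied, so the collected copy can later be shown to match. The script below is an added example, not code from this thread or from CCS; it assumes it runs as root from cron, that GNU `sha256sum` is on PATH, and that the collector account is a member of the group passed as the third argument (function names and the sample lines are mine).

```shell
#!/bin/sh
# Added example, not from the thread or from CCS. Cron-driven snapshot of a root-only log
# (e.g. /var/adm/sulog) into a directory the agentless collector account can read, with
# the SHA-256 of the source recorded at copy time so the copy can be checked against it.
# Assumptions: run as root from cron, GNU sha256sum is on PATH, and the collector account
# is in the group passed as the third argument. Function and variable names are mine.

# snapshot_log SRC DESTDIR GROUP: copy SRC to DESTDIR/<name>.<UTC stamp>, log its hash.
snapshot_log() {
    src=$1; destdir=$2; group=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$destdir" || return 1
    copy="$destdir/$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ)"
    cp "$src" "$copy" || return 1              # cp, not cat >, so the source is only read
    chgrp "$group" "$copy" && chmod 0640 "$copy" || return 1
    # Hash the SOURCE, not the copy: a later match proves the copy still equals the original.
    printf '%s  %s\n' "$(sha256sum "$src" | cut -d' ' -f1)" "$copy" >> "$destdir/manifest.sha256"
    echo "$copy"
}

# verify_snapshots DESTDIR: exit 0 only if every recorded copy still matches its hash.
verify_snapshots() {
    sha256sum --check --quiet "$1/manifest.sha256"
}

# su_to_root_summary FILE: prints "user count" for each user with a successful su to root.
# sulog line: SU MM/DD HH:MM +|- tty from-to  ('+' = success). The target is matched as
# "-root" at the end of the field so source user names containing '-' are handled.
su_to_root_summary() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
             n[substr($6, 1, length($6) - 5)]++ }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# Demo on constructed sample lines (not a real sulog) so the script runs offline.
demo() {
    d=$(mktemp -d)
    printf 'SU 01/05 10:22 + pts/1 kevin-root\nSU 01/05 10:30 - pts/2 bob-root\n' > "$d/sulog"
    printf 'SU 01/05 11:00 + pts/1 kevin-root\nSU 01/05 11:10 + pts/3 ops-adm-oracle\n' >> "$d/sulog"
    copy=$(snapshot_log "$d/sulog" "$d/collect" "$(id -gn)") || return 1
    verify_snapshots "$d/collect" && su_to_root_summary "$copy"   # prints: kevin 2
}

case "${1-}" in demo) demo ;; esac
```

Run `sh sulog_snapshot.sh demo` to see it on the constructed sample; in production, point `snapshot_log` at /var/adm/sulog from root's crontab and let CCS read the collection directory, keeping manifest.sha256 with the copies for the auditors.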

Kevin_K, 05 Jan 2012

Chris

Thanks for the reply. So far it doesn't appear that going agent-based on the machines will be an option, for a variety of reasons. Other log collectors may be an option at this point, with a 3rd party application for correlation (SIMM like). Plus I believe ESM, and maybe the next version of the software, may have greater abilities to perform some of these tasks.