grep c2audit:audit_load /etc/system

I have come across quite a few customers over the last few years who have this line in /etc/system:

set c2audit:audit_load = 1

Only one set of administrators knew why it was there, what it did and how they used the output. The rest came up with a vague "we need it for security and auditing what root does" or "it is part of the standard build". Most admins did not know it was set or why, and a bit of questioning suggests that no one in the organisation has ever looked at the log files or knows the trigger to look at the log files.

The impact on performance and scalability is made much worse in Solaris 10 by bug 6388077 (make sure you have at least patch 127127-01, which was released over a year ago), but typically it is not doing what you think it is in terms of useful auditing, and it acts as an inhibitor to scalability. The more CPUs a system has, the greater the overhead.

lockstat -C -s 50 sleep 10

can show some very interesting stacks!

Awareness of security is good, but my experience is that this feature has been enabled without consideration of how to use the output or of its impact on performance. In light of this, is bsmunconv your friend?
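The grep in the title is a quick check, but it also matches a commented-out line (comments in /etc/system start with "*") and does not tell you which value is in force when the tunable appears more than once. The following added example (my own, not from the original post or from Sun's tooling) parses an /etc/system-style file and reports whether audit module loading is actually enabled; it assumes the usual "set name = value" syntax and that the last occurrence of a tunable wins, and it runs against a constructed sample file rather than the real /etc/system.

```shell
#!/bin/sh
# Added example: decide whether "set c2audit:audit_load = 1" is really in
# effect in an /etc/system-style file. A plain grep also matches lines that
# are commented out with a leading '*', which is how stale settings survive.

# audit_load_state FILE
#   Prints "enabled", "disabled" or "unset" for c2audit:audit_load in FILE
#   and returns 0 only when it is enabled (value 1).
audit_load_state() {
    state=$(awk '
        /^[ \t]*\*/ { next }                       # comment line: ignore
        /^[ \t]*set[ \t]+c2audit:audit_load[ \t]*=/ {
            sub(/^.*=[ \t]*/, "")                  # keep text after "="
            sub(/[ \t].*$/, "")                    # drop trailing junk
            val = $0                               # last occurrence wins (assumption)
        }
        END {
            if (val == "")       print "unset"
            else if (val == "1") print "enabled"
            else                 print "disabled"
        }' "$1")
    echo "$state"
    [ "$state" = "enabled" ]
}

# Constructed demo input (not a real /etc/system): a commented-out copy of the
# setting, an unrelated tunable, and a live setting written without spaces.
demo="${TMPDIR:-/tmp}/etc_system_demo.$$"
printf '%s\n' \
    '* set c2audit:audit_load = 1' \
    'set noexec_user_stack = 1' \
    'set c2audit:audit_load=1' > "$demo"

echo "grep reports:   $(grep -c c2audit:audit_load "$demo") matching line(s)"
echo "parser reports: $(audit_load_state "$demo")"
rm -f "$demo"
```

On the constructed sample grep counts two lines while the parser reports "enabled" once; on a file where the only copy is commented out the parser reports "unset". On a live Solaris system, pair the file check with `auditconfig -getcond` to see whether auditing is actually running before deciding whether the setting is earning its overhead.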

About

clive
