BSM not catching creat64

thmnetwork · November 16, 2012, 12:55pm

Solaris 9 system:

I'm trying to get BSM to record to the point where additional files being put into /etc/opt/csw/sudoers.d will be recorded but thus far all I'm able to get are when files are deleted (via unlink). I've even tried auditing based on the "all" audit flag temporarily (thinking I just was filtering it out unintentionally), but nowhere in the audit file did I find a record of a test touch command I executed.

I noticed that there is an AUE_CREAT audit event listed in /etc/security/audit_event (which is part of the fc class that I'm bringing in) but it looks like touch uses creat64 so I'm unsure if there's a 64 bit version of the audit event that should be in there but isn't. It looks like the same is true for the Solaris 10 boxes.

Is this by design or should I be doing something different in order to catch additional files being created?

bartus11 · November 17, 2012, 5:39am

I just checked that on Solaris 10 and "creat64" syscall done by "touch" is recorded in audit trail. It is recorded as "creat" though. See output below:

root@sun49 # truss touch /tmp/test 2>&1 | grep creat
creat64("/tmp/test", 0666)                      = 3

root@sun49 # praudit 20121117101527.not_terminated.sun49
header,127,2,creat(2),,sun49,2012-11-17 11:39:09.275 +01:00
path,/tmp/test
attribute,100600,root,root,376,83572050,18446744073709551615
subject,root,root,root,root,root,3170,1720310291,299 196630 XXXXXXXXX
return,success,3

root@sun49 # grep flags /etc/security/audit_control
flags:fc
naflags:lo

thmnetwork · November 17, 2012, 10:34am

Sorry, to clarify I meant "same is true" meaning that there wasn't a 64 bit version I could be missing.

If that's not expected behavior, does anybody know if my problem was resolved by a patch?