Log Types: SolarisBSM

Overview

Solaris is a proprietary Unix operating system originally developed by Sun Microsystems. It superseded the company's earlier SunOS in 1993. In 2010, after the Sun acquisition by Oracle, it was renamed Oracle Solaris.

Collection

Solaris logs can be collected by the Snare for Solaris agent.

Sample Events

Solaris generates logs that are token-based, with tabs separating content associated with each token. Snare for Solaris will prefix any event with a hostname, a logtype, and a 'criticality' value. An example log follows:

sol10 SolarisBSM 1 header,122,2,execve(2),,2006-03-21 14:28:22.555 +11:00 path,/usr/bin/find attribute,100555,root,bin,26738688,438,0 exec_args,1,find subject,root,root,root,root,root,650,1070026970,12849 202240 inferno.intersectalliance.com return,success,0 sequence,105 snareseq,32

Tokens are usually in a fixed order, but are not guaranteed to remain that way between Solaris versions.

Tokens that may be commonly seen in Solaris events include:

  • header (length, version, eventid, null, date/time)

  • trailer (reclen)

  • arbitrary (tokenID, format, datasize, count, .. arbitrary info - "count" fields in length)

  • argument (tokenID, argid, argval, string)

  • exec_args (argcount, # .. arbitrary info - "count" fields in length)

  • attribute (filemode, owneruid, ownergid, filesysid,inodeid, deviceid)

  • exit (status, retval)

  • file (date/time, filename)

  • group (groups)

  • ip addr (address)

  • ip address (ipheader)

  • IPC (objecttype, objecthandle)

  • IPC perm (owneruid, ownergid,creatoruid,creatorgid,accessmode,seqnum,keyval)

  • ip port (address)

  • opaque (count, .. arbitrary info - "count" fields in length)

  • path (path)

  • process (aUID, eUID, eGID, rUID, rGID, processID, sessionID, terminalID)

  • return (status, retval)

  • sequence (seqnum)

  • socket (sockettype, localportaddr, localipaddr, remoteportaddr, remoteipaddr)

  • subject (aUID, eUID, eGID, rUID, rGID, processID, sessionID,terminalID)

  • text (text)

NOTE that different events will use different tokens - for example, an 'execve' event will generally follow the 'header' token with a 'path' token, while a 'logout' event will generally have a 'subject' token second.

Fields

Field        Description
DATE         Event date, in the format YYYY-MM-DD
TIME         Event time, in the format HH:MM:SS
SYSTEM       The source system
TABLE        SolarisBSM
EVENTCOUNT   An internal counter of the generated event. Incremented by one each time an event is generated. If filters are active, this number may skip on the Snare Central server.
EVENTID      An event identifier such as execve, or sysinfo
AUID         Audit UID - an immutable ID that represents the ID used by the user to initially log in.
EUID         Effective UID - the UID under which the current executable is running
EGID         Effective GID - the group ID under which the current executable is running
RUID         Real UID - the UID associated with the user at login. Note that this is not immutable, and can be overridden by root-level system calls.
RGID         Real GID - the GID associated with the user at login. Note that this is not immutable, and can be overridden by root-level system calls.
PID          Process ID
RETURNCODE   Return code of the executed command or system call
STRINGS      Any other content that does not fit into the other fields
TARGET       For some events, the targeted entity (eg: a path)
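The following parser is an added example, not Snare's own code: it splits a Snare-prefixed Solaris BSM line into its tab-separated tokens, names each token's comma-separated fields using the token layouts listed above, and maps the result onto the DATE, TIME, SYSTEM, AUID and related fields described in the table. The sample line is constructed from the execve event shown earlier, with the tabs that the page's rendering flattened into spaces restored; the assumption that the Snare prefix and tokens are tab-delimited is taken from the Sample Events section.

```python
"""Parser for Snare for Solaris BSM lines (added example, not Snare's own code)."""
# Constructed sample in the layout this page describes: the Snare prefix (hostname,
# logtype, criticality) and every BSM token are tab-separated, and the fields of a
# token are comma-separated. Values mirror the page's execve example.
SAMPLE = ("sol10\tSolarisBSM\t1"
          "\theader,122,2,execve(2),,2006-03-21 14:28:22.555 +11:00"
          "\tpath,/usr/bin/find\tattribute,100555,root,bin,26738688,438,0\texec_args,1,find"
          "\tsubject,root,root,root,root,root,650,1070026970,12849 202240 inferno.intersectalliance.com"
          "\treturn,success,0\tsequence,105\tsnareseq,32")
# Field layouts for the tokens used below, taken from the token list on this page.
TOKEN_FIELDS = {
    "header": ["length", "version", "eventid", "null", "datetime"],
    "path": ["path"],
    "attribute": ["filemode", "owneruid", "ownergid", "filesysid", "inodeid", "deviceid"],
    "subject": ["auid", "euid", "egid", "ruid", "rgid", "pid", "sessionid", "terminalid"],
    "return": ["status", "retval"], "sequence": ["seqnum"],
}

def parse_event(line):
    """Return the Snare prefix and an ordered list of (token name, fields) pairs."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        raise ValueError("expected hostname, logtype, criticality and at least one token")
    tokens = []
    for raw in parts[3:]:
        name, _, rest = raw.partition(",")
        values = rest.split(",") if rest else []
        names = TOKEN_FIELDS.get(name)
        if names:
            # Surplus comma-separated values are folded into the last named field, so a
            # comma inside a path or terminal id cannot shift the fields after it.
            head, tail = values[:len(names) - 1], ",".join(values[len(names) - 1:])
            fields = dict(zip(names, head + [tail]))
        else:
            fields = {"values": values}  # token not in the table: keep its raw values
        tokens.append((name, fields))
    return {"host": parts[0], "logtype": parts[1], "criticality": int(parts[2]), "tokens": tokens}

def to_fields(event):
    """Map a parsed event onto the DATE/TIME/SYSTEM/... fields listed on this page.
    Tokens are looked up by name, not position: their order differs per event type
    (execve vs logout) and is not fixed across Solaris versions."""
    by_name = dict(event["tokens"])
    header, subject = by_name.get("header", {}), by_name.get("subject", {})
    date, _, time = header.get("datetime", "").partition(" ")
    out = {"DATE": date, "TIME": time.split(".")[0], "SYSTEM": event["host"],
           "TABLE": event["logtype"], "EVENTID": header.get("eventid", "").split("(")[0],
           "PID": subject.get("pid", ""), "TARGET": by_name.get("path", {}).get("path", ""),
           "RETURNCODE": by_name.get("return", {}).get("retval", "")}
    for key in ("auid", "euid", "egid", "ruid", "rgid"):
        out[key.upper()] = subject.get(key, "")
    return out
```

Unknown tokens (such as snareseq) are kept with their raw values rather than dropped, so a collector can still forward them when a newer Solaris release adds a token this table does not know.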

Notes

-