Solaris 10 with Trusted Extensions - Security Audit Events [short] Descript

I know that the security audit events and classes in Solaris 10 have changed when viewing these files: audit_class, audit_event, and audit_control with that of the same files for TSOL8. In order to perform an accurate and acceptable review of the audit events, I need to find either a file or document that provides a short description for each of the audit events within each audit class. Can anyone point me in the right direction or a URL? I have tried to search through the Sun docs and have not yielded any results.

been there, done that
The problem is a function of your network definitions. The non-global zones do not have an IP address to match for your global zonename. The error message results from the system established default of the DISPLAY variable failing (DISPLAY=globalzonename:0.0).
To confirm this, login to the global zone as root and "zlogin -S" to the non-global zone. Once there, the command "netstat -r" should show the IP address of the global zone instead of the expected global zonename. (combine this with a look at your output for "ifconfig -a" within the same non-global zones) Another command you should fail with will be the "getent hosts galaxy". Anyway, if you manually set your DISPLAY variable to the "IP Address" of the globalzonename and execute a "dtterm" ... it should work fine.
If it does not violate a security policy, I suggest you add the IP address of the global zone to either the /etc/inet/hosts or /etc/inet/ipnodes file within each non-global zone.
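
For the question at the top of this thread, an added example (not from the posters or from Sun's documentation) that joins audit_event to audit_class and lists each event's short description under its class. It assumes the colon-separated layouts `number:name:description:flags` and `mask:name:description`; the sample lines are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample content in the audit_class layout: mask:name:description
SAMPLE_AUDIT_CLASS = """\
# constructed sample, not copied from a real system
0x00000000:no:invalid class
0x00001000:lo:login or logout
0x00100000:ps:process start/stop
0x40000000:ex:exec
"""

# Constructed sample content in the audit_event layout:
# number:name:description:flags (flags = comma-separated class names)
SAMPLE_AUDIT_EVENT = """\
# constructed sample, not copied from a real system
0:AUE_NULL:indir system call:no
23:AUE_EXECVE:execve(2):ps,ex
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
9999:AUE_site_custom:site event: custom:zz
"""


def _records(text):
    """Yield non-blank, non-comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_classes(text):
    """Return {class_name: (mask, description)}."""
    classes = {}
    for line in _records(text):
        mask, name, desc = line.split(":", 2)
        classes[name] = (int(mask, 16), desc)
    return classes


def parse_events(text):
    """Return [(number, name, description, [class_names])]."""
    events = []
    for line in _records(text):
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed audit_event line: {line!r}")
        # First two and last fields are fixed; anything between is the
        # description, which may itself contain a colon.
        desc = ":".join(fields[2:-1])
        flags = [f.strip() for f in fields[-1].split(",") if f.strip()]
        events.append((int(fields[0]), fields[1], desc, flags))
    return events


def events_by_class(class_text, event_text):
    """Group events under every class they map to; collect unknown classes."""
    classes = parse_classes(class_text)
    grouped, undefined = defaultdict(list), []
    for number, name, desc, flags in parse_events(event_text):
        for flag in flags:
            if flag in classes:
                grouped[flag].append((number, name, desc))
            else:
                undefined.append((number, name, flag))
    return classes, dict(grouped), undefined


def report(class_text, event_text):
    """Build a review listing: one heading per class, events beneath it."""
    classes, grouped, undefined = events_by_class(class_text, event_text)
    out = []
    for name, (mask, desc) in sorted(classes.items(), key=lambda kv: kv[1][0]):
        out.append(f"{name} (0x{mask:08x}) {desc}")
        for number, ev_name, ev_desc in sorted(grouped.get(name, [])):
            out.append(f"  {number:>5}  {ev_name:<18} {ev_desc}")
    for number, ev_name, flag in undefined:
        out.append(f"WARNING: event {number} ({ev_name}) uses undefined class '{flag}'")
    return "\n".join(out)


if __name__ == "__main__":
    # To review a real system, read the two files (on Solaris 10 they live
    # under /etc/security) and pass their contents instead of the samples.
    print(report(SAMPLE_AUDIT_CLASS, SAMPLE_AUDIT_EVENT))
```

An event mapped to a class name that audit_class does not define is reported separately, since such an event can never be selected by the flags in audit_control.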

Similar Messages

  • CCMS and Security Audit log

    I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. example I worked for 3 clients(user base 14000, 16000,1000) and none of them have this configuration.
    Do you know why is it so if it is not configured at your place.
    Thanks
    Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM

    Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
    My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
    Please go through the document: Security Audit Log (http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true) (it's a bit old)
    Try searching Community with SM20 / SM19 / Security Audit Log search strings.
    Regards,
    Dipanjan

  • Adump folder is populating with file without starting audit trail

    Hi,
    I am using Oracle 10g release 2 (10.2.0.3.0) on Linux 64-bit. I did not activate the audit trail in my database, but files with the .aud extension, showing audits of logins, are being created in the adump folder.
    Is this normal, or is the audit trail on? I checked the parameter Audit_trail and it is showing NONE.
    Is this normal or is the audit trail ON?

    Hello,
    this is normal behavior for sys-logins.
    See Metalink-Note:308066.1 for more infos.
    Greets,
    Hannibal
    Message was edited by:
    Hannibal

  • The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.

    Last night, some of our systems installed updates released on 11/13/2014.  
    KB3021674
    KB2901983
    KB3023266
    KB3014029
    KB3022777
    KB3020388
    KB890830
    Today, all of the servers running Windows Server 2008 R2 started logging the following error in the Security log over and over:
    Log Name:      Security
    Source:        Microsoft-Windows-Eventlog
    Date:          1/15/2015 11:12:39 AM
    Event ID:      1108
    Task Category: Event processing
    Level:         Error
    Keywords:      Audit Success
    User:          N/A
    Description:
    The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
    Servers running Windows Server 2008 that also installed the updates are not experiencing the problem.  It looks like one of the updates may have introduced this problem with Server 2008 R2.

    ...Did you for sure confirm that:
    https://technet.microsoft.com/library/security/MS15-001
    is the cause?
    I did.  I had a VM that was not experiencing the problem.  I took a snapshot and tested the patches one by one.  Installing only KB3023266 immediately caused the issue to occur (after reboot).  A similar process was used to confirm that installing KB2675611 resolved the problem.
    Note that I found the installation of KB2675611 is usually quick, but it took several hours to install on some of our systems.  We had installed this patch a few months ago on a couple of servers and it was always quick to install.  But, it seems like installing it on a symptomatic system can cause it to take a long time.

  • Trusted Extensions not installing correctly - Solaris 10 x86 11/06

    I've installed Solaris 10 11/06 x86 selecting the "development" install, and I assigned 7GB to the root slice and 3GB to /export/home. The install goes fine, so I then install Trusted Extensions. After installing Trusted Extensions and rebooting, the Trusted Extensions CDE desktop is not listed as a login option. The JDS Trusted Extensions desktop is listed, but attempting to login to it gives the error "Your X Server has not been set up with SUN_TSOL extension to login to Trusted JDS. Select ordinary JDS to login", and the login fails. Are there any required steps that are not listed in the documentation, or are Trusted Extensions broken in Solaris 10 version 11/06? Any tips at all are greatly appreciated.

    It took me a few days of headaches, but I finally figured it out! I'm working under VMWare, and installing VMWareTools in Solaris 10 seems to somehow break the Trusted Extensions. There are no errors, the Trusted Extension features just don't work. When I installed the Trusted Extensions first I did get the Trusted CDE desktop and it logged in just fine, but after installing VMWareTools the desktop option disappeared from the login menu. I hope this helps someone else.

  • CSA 6 Continuing Audit Events on Hosts with Non-Audit Policies

    I have two groups for desktop PCs, with the same policies. In the group I'm using for auditing, most policies are set to audit mode -- at policy level, not rule module level. In the other group, those same policies are not in audit mode.
    The original agent kit included membership in both groups, but hosts now belong to one group or the other. The hosts are all polling frequently and are up to date, as is rule generation.
    But in the event log, certain events on hosts that are not in the audit group are reporting as "Audit:" events. Why am I getting audit events on hosts in the group where policies are not in audit mode?

    Thank you, Tom, for your reply. Looking at the group details screen in CSA 6, and referencing the Policy Audit Mode documentation, attached policies can be set to audit mode for a group, on a per-policy basis.
    I'm seeing logged Audit: events on hosts belonging solely to a group that is not in audit mode, its policies are not in audit mode and the underlying rule modules are not in audit mode. Yet audit events continue in the log for those hosts.
    Carole

  • Security Log Event ID 4624 Auditing - Few Questions

    I am working on a PowerShell script that collects Event ID's 4624 with LogonType 10 (Logon)  and Event ID's 4647 (Logoff). This is basically keeping an audit trail of logon's and logoff's of users on our terminal services environment. 
    This is working as expected, however, I am seeing two things that I have remaining questions on:
    For the Logon Event ID 4624...for a few users, I am seeing two Logon Event's created. They are exactly the same, except one has a LogonGuid of all 0's : {00000000-0000-0000-0000-000000000000}. 
    Why would there be two Logon events created where one of them has a LogonGuid of all 0's? For the correlating Logoff event, it is tied to the Logon Event with the all 0's LogonGuid. I would expect the logoff event to be tied to the LogonGuid that isn't all 0's.
    If a user disconnects (not logoff), and when they logon again, another logon event is created. Is there anyway to decipher from a completely new logon event and from a logon event to resume a disconnected session?

    Hi mabrito,
    I assume you are meeting the following scenario.
    When a user logs on, two events get logged with event ID 4624. The only difference between them is the following:
    Logon GUID: {00000000-0000-0000-0000-000000000000}
    Logon GUID: {user GUID}
    Logon GUID: {00000000-0000-0000-0000-000000000000} is for anything other than Kerberos. Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    You can refer the following article:
    Deciphering Account Logon Events
    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447934.aspx
    I’m glad to be of help to you!

  • Data Access Service is unable to log audit events to the security event log

    Hi,
    Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
    Today SCOM has generated 4 alerts: "Data Access Service is unable to log audit events to the security event log".
    The service account for "System Center Data Access Service" service is "Local System".
    The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
    The question is:
    How do I resolve this alert? (Where should I look to obtain more information to resolve this problem?)
    Thanks in advance!

    The Local System account is different from the Local Service account. For a detailed description of these accounts, please refer to:
    LocalService Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
    LocalSystem Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    "Generate security audits", which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of Group Policy, determines which accounts can be used by a process to add entries to the security log. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
    To identify the SDK account:
    1) Open services.msc
    2) From the System Center Data Access Service, you can see the account the SDK logs on as
    Roger

  • Security Audit Log / Logging of downloads from query results?

    Hi everybody,
    our data protection team has raised the requirement to log all data downloads from our BW system. As far as I know, it is possible to log downloads in SAP GUI using Security Audit Log, but does this also cover "Export to Excel" functionality of query results executed in the portal? And what about execution of queries with BEx Analyzer? I doubt, if that tool would log this. Are there any other tools available to cover that requirement?
    Any comment and idea is welcome. Thanks in advance!
    Regards,
    Carsten

    If restricted to ALV I think it can be done, but even there... if the user executes it in background and mails or prints the spool request then the cat is out of the box...
    Moral of the story: Do not grant access if the user should not be able to see the data (regardless where they log on from).
    That you cannot monitor / log all (mass) download events is however a bit unfortunate, however once the data is outside of the system for those whom you do trust then you anyway need to train them not to park sensitive files on project or public file servers.
    IMO the main problem here is front-end computing tools (like Excel, etc) which the users feel more comfortable with to analyze data than the server side analytics tools (e.g. in the ALV task bars, or even the BOBJ Dashboards which are very "user-centric").
    In German it is known as "Bauern mentalität" (farmer mentality) which generally resides at the application surface layer in the greater scheme of things:
    -> You do not eat anything you have not slaughtered yourself... 
    Specifically regarding tokenization, you can consider not displaying the data in the portal. If the user wants to display these fields they have to navigate in their own context into the backend system to retrieve the token and then only display individual values.
    --> A download of a list via the portal or BEX excludes these fields which the user can access, but not mass download.
    I think this is possible, but it will be a challenge depending on whether the fields support tokenization. Credit Card numbers as mentioned by Martin is fairly vanilla and already used.
    Custom fields & types, insufficiently critical elements and older programs will be a bigger challenge.
    Please provide more details, as the generic answers are not well taken care of IMO. If you cannot provide more details, then SDN discussions speculating on answers is not efficient either...
    Cheers,
    Julius

  • "logon time" between USR41 and security audit log

    Dear colleagues,
    I got the following question from a customer for security audit reasons.
    > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
    > logon history of Security Audit Log(Tr-cd:SM20)?
    Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
    And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
    at the time when user logged on, the security audit log is recorded .
    I tried to check SAP GUI logon program:SAPMSYST several ways, however,
    I could not check it because the program is protected even for read access.
    I want to know about specification of "logon time" between USR41 and security audit log,
    or about how to look into the program:SAPMSYST and debug it.
    Thank you.
    Best Regards.

    Hi,
    If you configure Security Audit you can achieve your goals...
    1-Audit the employees how access the screens, tables, data...etc
    Answer : Option 1 & 3
    2-Audit all changes by all users to the data
    Answer : Option 1 & 3
    3-Keep the data up to one month
    Answer: No such settings, but you can define maximum log size.
    4-Log retention period can be defined.
    Answer: No !.. but you can define maximum log size.
    SM19/SM20 Options:
    1-Dialog logon
    You can check how many users logged in and at what time
    2-RFC login/call
    Same as above you can check RFC logins
    3-Transaction/report start
    You can see which report or transaction are executed and at what time
    (It will help you to analyse unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
    4-User master change
    (You can see user master changes log with this option)
    5-System/Other events
    (System error can be logged using this option)
    Hope this clears things up...
    Regards.
    Rajesh Narkhede

  • Reporting on ADFS Audit Events

    I haven't had much luck researching potential solutions for how to report on ADFS activity. Most articles describe how to enable debugging for troubleshooting purposes, but haven't found anything to build a report off of that info.
    Basically I am looking for a way to aggregate the ADFS auditing events into a format consumable by a person.  There is the instance ID for a session that is consistent amongst the 299, 500, 501 events, but how to organize the claim values that are shown is the part I struggle with.
    Ideally I am just looking to build a report to show the Date/time, Relying Party Name, Username, source IP, Device and/or client application in a sortable format to view by application or by user, etc.  It's just a matter of parsing the claim values that span multiple events and putting it into a readable format.
    Or Are there any other solutions out there that do something comparable?

    Hi,
    Thank you for your posting!
    Since Active Directory Federation Service is not an extension of Active Directory schema, I suggest you refer to the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    In addition, you may also need to consult experts from scripting forum due to your request.
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Best Regards,
    Amy

  • Consultancy Services for RAC installation and  Internet Security Audit

    Dear All,
    "Warm greetings from Venkatesh"
    We are proud to announce that, we have started a leading Database, Networking and Internet security Consulting organization at PUNE with a global presence through which we offers a focused, Excellence Solutions for Database, Networking and internet security for vulnerabilities and ethical hacking to the organizations to achieve a sustainable performance and results, and to contribute to the delivery of Quality Product, Solutions and Services to transform the human lives every day.
    We offer a customized Consulting and Corporate Training Services at competitive sizes of organization in all major verticals for Performance Excellence as under with six months maintenance support after RAC installation
    Design and Implementation of Oracle RAC (Real Application Cluster)
    - Oracle solution for High Availability & Grid Computing
    - Versions: Oracle 10gR2, 11gR1 & 11gR2
    - Operating System: Linux, Windows, Solaris, AIX
    - Storage: ASM, OCFS2
    - ASM Cluster File System (ACFS) in Oracle 11gR2
    - Building RAC setup in VMware Environment
    - Feature: Load Balancing, Failover, Dynamic addition of Nodes to Grid
    Design and Implementation of Oracle Data Guard
    - Oracle solution for Disaster Management
    - Primary & Secondary Sites
    - Logical & Physical Standby Database
    Internet Security Audit for Vulnerabilities and Ethical Hacking
    - Penetration testing
    - Source code audit
    - Information security training
    - Website design and development
    - Data Centre audit
    - ISO 27701 consultancy
    We also offer Corporate Trainings for
    - Oracle RAC Administration
    - Automatic Storage Management (ASM)
    - Data Guard
    Please feel free to revert back for any queries.
    Regards
    Venkatesh
    mail: [email protected]
    Edited by: vjpune on Apr 17, 2010 4:44 AM

    Hi! keyur,
    Greetings from venkatesh
    Sorry for delay, i was busy with some assignments.
    Actually, we are a consultancy service provider for those organizations who need to install an Oracle RAC server. We provide entire services, i.e. from designing to implementation of the RAC server, provide solutions for load balancing, disaster management and so on, as I mentioned in the earlier post.
    Also we offer corporate training to the organization in RAC administration, ASM, Data Guard.
    I think this info will get you to understand our services..
    we welcome inquires if any from your end.
    Regards
    Venkatesh
    mail: [email protected]

  • NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host

    This is a new deployment of Server 2008 R2 in a newly created 08 R2 active directory on a newly installed 08 R2 RDSH server.
    A new generic user is created in AD. That user can log on to the terminal server on the console just fine. But that user cannot logon via RDP. Furthermore, the domain admin credentials also cannot logon via RDP.
    When either set of credentials is used, the logon attempt is registered in the Windows Security Event Log as a denied attempt with Event ID 4625 reporting a NULL SID.
    Troubleshooting: The RDSH has already been disjoined and rejoined to the domain. Also, curious note, there are three ways to save the user account on the RDSH server as a valid user account which has permissions to logon. The one Microsoft recommends is to open computer management and edit the remote desktop users group. When I add the accounts here and click apply, they immediately disappear. Secondly, I can open the computer properties and go to the remote tab. There I find the user accounts added using the previous method are enumerated but not displaying correctly. They show up with the RDSH server name and a question mark. The last way is to open the Remote Desktop Session Configuration tool and edit the properties of the rdp connection and go to the security tab. This was the only place I could get a user to ‘stick’ but the logon attempts still show a NULL SID and access is denied.
    I have scoured every bit of RDS documentation I can find with no luck.
    Thanks,
    Chris

    I am also experiencing this issue. 
    2008 servers, 2007 exchange on server 2008. 
    These are fresh servers, fresh AD. Users can log onto domain normally, RDP not working for admin accounts, generating same errors as posted above.
    The bigger issue is that we have a Cisco messaging service account that is generating this error on the DCs and the Exchange server as well. The service basically emails users' voicemails to their inbox. The user we've created for the Cisco service is unable to authenticate to the Exchange server, in turn generating the same errors posted above as well. We can log on to the domain with this account just fine.
    Any ideas on this? We have not tried re-adding the servers to the domain. 
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/5/2010 9:01:13 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      xx.corp
    Description:
    An account failed to log on.
    Subject:
        Security ID:                NULL SID
        Account Name:               -
        Account Domain:             -
        Logon ID:                   0x0
    Logon Type:                     3
    Account For Which Logon Failed:
        Security ID:                NULL SID
        Account Name:               xxxx
        Account Domain:             xxxx
    Failure Information:
        Failure Reason:             Domain sid inconsistent.
        Status:                     0xc000006d
        Sub Status:                 0xc000019b
    Process Information:
        Caller Process ID:          0x0
        Caller Process Name:        -
    Network Information:
        Workstation Name:           laptop
        Source Network Address:     -
        Source Port:                -
    Detailed Authentication Information:
        Logon Process:              NtLmSsp
        Authentication Package:     NTLM
        Transited Services:         -
        Package Name (NTLM only):   -
        Key Length:                 0

  • Controlling #views/#prints and getting audit event notifications

    We have an evaluation of LiveCycle up and running, and we are in negotiations for purchase. In doing some quick proof-of-concept work, we ran across a couple of issues we are looking to get help with.
    Background: We are working in .Net using LiveCycle web services. We can successfully apply a policy to a PDF using web services, and we can successfully manipulate a PDF using reader extensions using web services.
    1. We see where we can apply validity dates in the Policy, but where can we limit the number of views or prints allowed on the document? Is this even controlled by the policy, or somewhere else? We see where we can assign permissions to principals, but this is more of "Can print" or "Can view offline" but not a control on the Quantity of prints or views. Is this something we can set up via the web interface, or is it something we need to supply custom Java extensions for? And if we need to supply extensions, is there any way to point us in the proper direction? (this seems like it would be fairly typical usage)
    2. How do we setup livecycle so we can get notified of audit events like "# allowed views reached" or "# allowed prints reached" or just "someone viewed this PDF". We are a .net house, so is there any way to get notifications of this externally? Or do we have to supply some sort of extensions to LiveCycle? And if we have to supply an extension, can you point us in the proper direction?
    Many thanks for any insights we can get on these issues.
    Michael

    Rob
    If you want to revoke or expire a document based on user action (i.e. printing or viewing the document) then you can do this by capturing the print or view event in your process and then have your process perform the desired steps (i.e. revoke the document).
    If you simply want to have the document revoked after a certain date or for it to only be valid for a specific period, you can do this as part of the policy definition itself.  When you create a policy, you can specify one of the following:
    1)  Document will not be valid after x days
    2)  Document will not be valid after this date: x
    3)  Valid from "date 1" to "date 2"
    or
    4)  Document is always valid  (which means you would need to revoke\expire the document manually or via a process)
    This functionality has always been a part of Rights management.
    Regards
    Steve

  • SAS 70 Security Audit Compliance

    Hi
    I have to propose a network which is in compliance with SAS 70 Audit.
    The network is very simple. The Internet link will terminate on my ASA 5505 and from there the wires will go into my 1200 APs. The network consists only of laptops. I will be using 802.1X authentication and would use encryption.
    Also on the ASA an IPSec VPN connection to my US office will terminate. Now this network as said would undergo a security audit.
    So my problem is that I am clueless. Is an ACS server required for SAS 70, or is the current setup OK? If anyone has done this then please help.
    Thanks in advance
    Regards
    JD
    PS : This topic has also been posted in wireless forum.

    Hi,
    Since you are planning to create users using script, it will be a better practice to audit the actions, such as When the User Created, Group Membership changes etc.
    Check out the steps below to enable auditing for AD user changes:
    1. Open the GPMC console: click Start --> Administrative Tools --> Group Policy Management.
    2. Right-click the Default Domain Controllers Policy, and then click Edit.
    3. Navigate to the Audit Policy node, “Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy”.
    4. Now enable Success auditing for Audit Account Management and Audit Directory Service Access.
    5. Execute the command “GPUPDATE /FORCE” on the Domain Controller to force-apply the GPO settings.
    For Windows Server 2008 R2 and later versions, additional configuration is required in the “Advanced Audit Policy Configuration” section in the Default Domain Controller Policy.
    1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access).
        Enable Success auditing for the following setting:
         - Audit Directory Service Changes
    2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management).
        Enable Success auditing for the following setting:
         - Audit User Account Management
    After completing the audit settings, configure the SACL in the Active Directory Users and Computers console to enable the generation of AD change events in the event log as shown below,
    Check out the KB article below for the complete list of event IDs and descriptions for AD changes:
    http://support.microsoft.com/kb/947226/en-us
    You can also use a third-party auditing solution for generating compliance reports.
    Regards,
    Gopi
    JiJi Technologies
