Wazuh and Sun Solaris Basic Security Module (BSM)


Shashiduth Takoor

Feb 22, 2021, 5:27:20 AM2/22/21
to wa...@googlegroups.com

Hello,

I have some queries regarding the capabilities of the Wazuh agent in terms of log data collection for Sun Solaris BSM.

1. Is the Wazuh agent (version 4.0.4 and 4.1.0) capable of monitoring system logs from SunOS out of the box as there is already a predefined ruleset "0100-solaris_bsm_rules.xml" available?

We are currently testing on Solaris i386 and Sparc 11.3 and BSM has been enabled on both.
2. Is the Wazuh manager able to read the audit log from the existing binary format (BSM) or do we have to convert it to a human-readable log format using praudit?

3. Does the Wazuh agent push the log to the manager automatically or do we have to manually create an auditlog file and add an audit.notice entry to the syslog.conf file for Wazuh to retrieve the converted logs?

Kindly advise.

Thanks and best regards,
Shashiduth


Juan Ricci

Feb 25, 2021, 10:27:53 AM2/25/21
to Wazuh mailing list
Hello Shashiduth,

The easier way for you to verify the log format that is able to be decoded by the Wazuh built-in ruleset is by checking the related decoder file and looking for example logs in it. For example, as you are working with Sun Solaris BSM, the parent rule in the "0100-solaris_bsm_rules.xml" file uses the "solaris_bsm" decoder which is located in the "0290-solaris_decoders.xml" file. There you can find the following example logs:

  - Nov 21 15:12:56 unknown audit: [ID 905220 audit.notice] system booted
    text booting kernel
  - Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet
    failed session 2740580090 by root as root:root from 1.254.168.192
  - failed session 2740580090 by root as root:root from 1.254.168.192
  - ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj

Those logs can be used for testing the built-in decoders and rules by executing ossec-logtest or wazuh-logtest (depending on your Manager version) which are located in /var/ossec/bin. When executing this testing program, you can feed it with the example logs and see the matched decoders and rules. This is an output example for the first example log:

[root@manager rules]# /var/ossec/bin/ossec-logtest
2021/02/25 14:23:30 ossec-testrule: INFO: Started (pid: 3865).
ossec-testrule: Type one log per line.

Nov 21 15:12:56 unknown audit: [ID 905220 audit.notice] system booted
    text booting kernel

**Phase 1: Completed pre-decoding.
       full event: 'Nov 21 15:12:56 unknown audit: [ID 905220 audit.notice] system booted'
       timestamp: 'Nov 21 15:12:56'
       hostname: 'unknown'
       program_name: 'audit'
       log: 'system booted'

**Phase 2: Completed decoding.
       decoder: 'solaris_bsm'

**Phase 3: Completed filtering (rules).
       Rule id: '6100'
       Level: '0'
       Description: 'Solaris BSM Auditing messages grouped.'

That being said, the format of these logs is the proper one for the built-in Solaris BSM decoders and rules, so you might need to configure your environment to send logs like these (but not in binary format).

The Agent is able to get logs depending on your localfile option configuration that is defined in the agent.conf file. For example, on Unix-like systems, the localfile configuration will look like the following:

<localfile>
  <location>/var/log/example.log</location>
  <log_format>syslog</log_format>
</localfile>

Kindly check the file where Solaris BSM is storing the logs and check whether the log path is included in the agent.conf file under the localfile option. For more information you can refer to the following documentation links:

Please let me know if you have any further questions.

Best regards.

Juan
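As an added illustration (my own code, not part of Juan's reply and not Wazuh's own solaris_bsm decoder), the parser below reproduces the two decoding phases shown in the logtest output, applied to the thread's example logs: it splits the syslog header the way Phase 1 does, strips the Solaris "[ID ...]" tag so that the `log` field matches what logtest prints, and then extracts the session fields from the BSM text. The multi-line samples are joined into single lines, and the BSM field names (status, session, srcip, ...) are my own choice rather than the names the real decoder uses.

```python
import re

# Constructed samples: the thread's multi-line examples joined into one line
# each, as the decoder would see them.
SAMPLE_LOGS = [
    "Nov 21 15:12:56 unknown audit: [ID 905220 audit.notice] system booted",
    "Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet "
    "failed session 2740580090 by root as root:root from 1.254.168.192",
    "ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj",
]

# Phase 1 (pre-decoding): syslog header -> timestamp, hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[ ]+): (?P<log>.*)$"
)
# Solaris "[ID <msgid> <facility>.<priority>]" tag, removed from the log text.
MSGID_RE = re.compile(
    r"^\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<priority>\w+)\] (?P<rest>.*)$"
)
# Phase 2 (decoding): "<status> session <id> by <user> as <ruser>:<rgroup> from <srcip>",
# optionally preceded by "<event> - <subtype>". Field names are assumptions of mine.
SESSION_RE = re.compile(
    r"(?:(?P<event>[\w ]+?) - (?P<subtype>\S+) )?"
    r"(?P<status>ok|failed) session (?P<session>\d+) by (?P<user>\S+) "
    r"as (?P<ruser>[^:]+):(?P<rgroup>\S+) from (?P<srcip>\S+)"
)


def decode(line: str) -> dict:
    """Return the fields a decoder chain would extract from one BSM syslog line."""
    fields = {}
    body = line
    m = SYSLOG_RE.match(line)
    if m:  # header present; a bare BSM line (third sample) has none
        fields.update(m.groupdict())
        body = m.group("log")
    m = MSGID_RE.match(body)
    if m:
        body = m.group("rest")
        fields.update(msgid=m.group("msgid"), facility=m.group("facility"),
                      priority=m.group("priority"))
    fields["log"] = body  # same text logtest prints on its "log:" line
    m = SESSION_RE.search(body)
    if m:
        fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(decode(raw))
```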
