Event Monitoring Enabling Responses to Anomalous Live Disturbances


  1. Installing eXpert-BSM
  2. Configuring eXpert-BSM
  3. Starting and running eXpert-BSM
  4. Resources consumed by eXpert-BSM
  5. Other questions about eXpert-BSM
  6. Solaris questions

Installing eXpert-BSM

Q: Why do I need to run the installation script as root?

A: If you intend to run eXpert-BSM in real-time mode, the installation script needs root privileges to set up the audit configuration files in /etc/security and to make the programs ebsmsetpolicy and ebsmprobe setuid to root. It is also needed for setting up the scripts for automatic start at boot time. However, if you intend to use eXpert-BSM only for analysis of BSM audit files produced by some other probe (for example auditd), you do not need to run the installation as root.

Configuring eXpert-BSM

Q: Why do I need to configure eXpert-BSM? Why isn't it just plug and play?

A: For an intrusion detection system to be effective at your site, you must tell it what your site-specific needs and policy are. eXpert-BSM lets you configure a large number of parameters to make sure that when in operation at your site, its false alarm rate becomes very low and its detection rate becomes very high.

Q: I have a very active process that I don't want eXpert-BSM to monitor, how can I exclude that process from being monitored?

A: If that process is run under a specific user account, you could turn off auditing for that user account by adding the following line to /etc/security/audit_user :
and then stopping and restarting eXpert-BSM. If you want to disable auditing for a specific process id, then you can give the command
/usr/sbin/auditconfig -setpmask  pid  no
as root (no need to restart eXpert-BSM in that case).

Q: What must I do if I add a new user and/or admin to the system?

A: For a new user, the file resource-object/config/username_map.conf must be updated. That file should contain a mapping between user id and username for every user account on the system, to avoid the performance penalty of NIS lookups. You could either edit the file manually, or remove it and run the install script again to create a new username map from the information in /etc/passwd and NIS. For a new admin, the list of admins in resource-object/config/eXpert-Config.inc must be updated. After updating the configuration files, eXpert-BSM must be stopped and restarted for the changes to take effect (see the next question).

Q: Is there any way of saying "reread the config file" without stopping and restarting eXpert-BSM?

A: Yes, eXpert-BSM has dynamic reconfiguration. Please see the user guide.

Q: Should the loopback interface "lo0" be listed in EMERALD_NIC_NAMES?

A: No. That list is only used for the heuristic that checks whether an interface was put in promiscuous mode, and that does not apply to the loopback interface.

Q: Do I need to include localhost ( in the local_netmap.conf file?

A: No. The address is a special case and is handled correctly in the relevant heuristics regardless of whether it is in the configuration file or not.

Q: When I list files in resource-object/config/eXpert-Config.inc, for example the BSM_SYSTEM_RESOURCE_FILES list, does it matter if some of the filenames are really symbolic links?

A: Yes, it does matter in the current release. The path names you put in the configuration file should not contain symbolic links. For example, /etc/inetd.conf is often a symbolic link to /etc/inet/inetd.conf, and it is the latter (expanded path) that should be in the configuration file. This requirement is likely to be removed in the future.

Starting and running eXpert-BSM

Q: I have started eXpert-BSM. What can I do to be sure that it is running and detecting attacks?

A: You could launch your own controlled attacks as described in the documentation of the test battery. For example, log in as a user not listed as an admin and su to a user listed as an admin (remember to perform your attacks from another fresh login session than where you started eXpert-BSM, see the next question).

Q: I started eXpert-BSM and launched an attack that it should detect, but no alert was produced. Why?

A: The most likely reason is that the process where you launched your attack has the same session ID (a common ancestor login process) as the process from which eXpert-BSM was started. eXpert-BSM turns off auditing for the session it is running in, to avoid recursive effects. Exit the login session where you started eXpert-BSM or login remotely from another host to get a new login session, and try again. If that does not work, make sure that you have configured eXpert-BSM properly, for example that you listed the administrative accounts in the file resource-object/config/eXpert-Config.inc

Also, remember that many of the heuristics base their reasoning on the audit id, that is the identity used when logging in, regardless of subsequent identity changes through su.

Q: I started eXpert-BSM on a Solaris 2.6 or 2.7 system and the system immediately crashed. Why?

A: It is clearly stated in the documentation and in the output from the installation script that Solaris 2.6 and 2.7 have a bug that causes this crash, and therefore must have patches installed. See the System Requirements section in the user documentation.

Q: eXpert-BSM keeps producing alerts about one type of operation which we consider perfectly legitimate according to our site's security policy. How can we make it stop alerting about this condition while still monitoring everything else?

A: First, make sure that all parameters are properly configured. If so, you can choose to disable selected heuristics by removing them from the list of enabled heuristics in resource-object/config/eXpert-Config.inc.

Q: When I try to start the GUI, I get the message "Class not found: com.sri.intrusion.view.ListView" and no GUI comes up. What is wrong?

This is what happens when the DISPLAY variable is not set correctly in your environment. Make sure that you can run any X program such as xlogo before trying to start the GUI again.

Q: I tried to start a second eXpert-BSM monitor on the same machine, but it did not work. Why?

A: Running more than one eXpert-BSM monitor on the same machine will not work in real-time mode because only one process can record audit records from the kernel. That is also the reason why auditd cannot coexist with ebsmprobe. For batch mode, you can run several eXpert-BSM monitors in parallell as long as you are careful about not clearing a results directory that another monitor is writing to.

Resources consumed by eXpert-BSM

Q: How big will eXpert-BSM processes grow?

A: When eXpert-BSM is running in real-time mode, there are these basic active processes:

start script, idle after initialization, size < 1.5MB
audit record probe, size < 2MB
audit record buffer handler, size depends on system load but should not exceed approx. 16MB, usually much smaller (1.5MB)
audit record formatter, size < 3.5MB
main analysis and reporting engine, size < 3.5MB
In addition, if you chose to start the GUI, there is also:
Java runtime environment, size < 15MB.

Q: Will eXpert-BSM fill up my disk space eventually?

A: eXpert-BSM does not save audit records to a file. All records are consumed through inter-process communication and are deleted immediately after analysis. On a very active system, the bsm-generator file which contains counters of the number of records produced, could grow large if eXpert-BSM is run for a long period of time. Stopping and starting eXpert-BSM clears this file if you choose to clear the results directory.

Q: Will I experience significant performance degradation?

A: In the design of eXpert-BSM, this has been one of our major concerns. We have taken extensive measures to reduce performance degradation, including audit record preselection which typically reduces the number of audit records produced by the kernel to 11% of all possible records. Our own tests indicate that a performance degradation less than 5% could be expected for certain server configurations. However, the actual performance impact depends on your specific system configuration and how your system is used. We would like to receive feedback from users on this issue.

Other questions about eXpert-BSM

Q: Is eXpert-BSM free software?

A: No, it is not free, see the license agreement for details. In summary, you are given the right to use eXpert-BSM free of charge for a limited period of time as stated in the agreement, provided that you give us feedback on your experiences using eXpert-BSM. If you wish to explore how you might gain longer term access to this tool or other EMERALD components, you may send requests for special use of this component to the EMERALD Program Director, Phil Porras porras@sdl.sri.com.

Solaris questions

Q: How can I tell whether Solaris runs in 32 or 64 bit mode?

A: Only Solaris 7 or newer can run in 64-bit mode. To find out what your system runs, use the command:

/usr/bin/isainfo -kv

Q: How can I boot Solaris 7 or 8 in 32 or 64 bit mode?

A: Sync and halt your system to enter the OpenBoot monitor (ok prompt). Examine the boot-file parameter:

printenv boot-file

If it is empty, then the current mode (32 or 64) is the default mode for your installation.

  • To boot in 32-bit mode (if not the default):

    setenv boot-file /kernel/unix
    (or, if that does not work, use /platform/sun4u/kernel/unix )

  • To boot in 64-bit mode (if not the default):

    setenv boot-file /kernel/sparcv9/unix
    (or, if that does not work, use /platform/sun4u/kernel/sparcv9/unix )

  • To go back to the default (empty) setting:

    set-default boot-file


  Release notes EMERALD System Design Lab SRI International Contact