HP UX Auditing System Extensions Auditing system extensions HP-UX 11i v3 only, Audit Filtering


Failed login attempt - login incorrect.

Failed login attempt - anonymous password not rfc822. (ipcopen)

The login event for the Service=su self-audit event is generated only when the pam.conf entry for su does not have the bypass_setaud flag set and when the source user is not root. See pam_hpsec(5).

Dynamically Linked Kernel Modules

DLKMs can generate the following self-audit records:

Command command tried to execute code from stack

Command command has core dumped

logoff event: Service=telnet|login|ssh|shell|exec User=login_user (login) Generated only when the AudReport product is installed.

logoff event: SID session_id PGRP process_group PPID parent_pid PID pid program (login) Generated only when the AudReport product is not installed.
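The self-audit record texts listed above are what an analyst actually triages, so the following added example (not HP code and not part of this document) classifies such records and tallies the ones worth attention. It assumes the records have already been rendered as one text line each, for instance from audisp output; the sample lines are constructed.

```python
import re
from collections import Counter

# Patterns for the self-audit record texts described on this page.
# Order matters: the first match wins.
PATTERNS = [
    ("failed_login", re.compile(r"^Failed login attempt - (?P<reason>.+)$")),
    ("stack_exec", re.compile(r"^Command (?P<command>\S+) tried to execute code from stack$")),
    ("core_dump", re.compile(r"^Command (?P<command>\S+) has core dumped$")),
    ("logoff", re.compile(r"^logoff event: Service=(?P<service>\S+) User=(?P<user>\S+) \(login\)$")),
]

def classify(line):
    """Return (kind, fields) for one record text, or ("other", {}) if unmatched."""
    for kind, pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            return kind, m.groupdict()
    return "other", {}

def summarize(lines):
    """Count record kinds. DLKM stack-execution records are tallied per
    command because repeated ones can indicate an exploitation attempt;
    failed logins are tallied per reason to separate typos from protocol
    problems such as the non-rfc822 anonymous FTP password."""
    kinds = Counter()
    stack_exec_by_command = Counter()
    failed_reasons = Counter()
    for line in lines:
        kind, fields = classify(line)
        kinds[kind] += 1
        if kind == "stack_exec":
            stack_exec_by_command[fields["command"]] += 1
        elif kind == "failed_login":
            failed_reasons[fields["reason"]] += 1
    return {
        "kinds": dict(kinds),
        "stack_exec_by_command": dict(stack_exec_by_command),
        "failed_login_reasons": dict(failed_reasons),
    }

# Constructed sample records (not real audit data); the paths are made up.
SAMPLE = [
    "Failed login attempt - login incorrect.",
    "Failed login attempt - login incorrect.",
    "Failed login attempt - anonymous password not rfc822.",
    "Command /opt/app/bin/server tried to execute code from stack",
    "Command /opt/app/bin/server tried to execute code from stack",
    "Command /usr/bin/vi has core dumped",
    "logoff event: Service=ssh User=alice (login)",
    "some other record text",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```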

Auditing system extensions (HP-UX 11i v3 only)

On HP-UX 11i v3, HP-UX Auditing System Extensions extends the features of the HP-UX Auditing System by offering the following features and benefits to better facilitate regulatory compliance:

Enhanced audit data (for example, program name and source IP address)

Enhanced filtering capabilities to filter non-relevant data based on customer-specific needs and improve the quality of the audit trail

Performance improvement by reducing the I/O activities of logging events that are not required to be logged

Enhanced manageability of the audit log data

Command line interface and a set of open APIs for extracting audit data

Tools to generate web-based audit reports from HP-UX raw audit data

HP-UX Auditing System Extensions provides two major products for enhanced audit record filtering and reporting.

Audit Filtering

Audit Filtering features are available on HP-UX 11i v3 with the AudFilter product that contains a set of tools to customize and enforce the audit data pre-filtering policy on the system and the audit_filters DLKM that makes filtering decisions and enforces the filtering policy in the kernel. An efficient pre-filtering policy controls the size and quality of the raw data, minimizes the performance impact of auditing, and reduces the operational cost associated with audit data management. The AudFilter product consists of the following major components:

The filter.conf configuration file that specifies the rule-based audit record pre-filtering policy enforced in the kernel. For more information, see filter.conf(4).

The audfilter configuration tool to interpret the filtering policy as specified in the configuration file, filter.conf, and to implement the policy. You can also use the audfilter tool to display or clear out the filtering policy currently being enforced in the kernel. For more information, see audfilter(1M).

The audfilterd service daemon handles service requests from the audfilter tool, and reevaluates and reloads the filtering policy whenever the mounted file system table changes. For more information, see audfilterd(1M).
