HP-UX Auditing System Extensions manual: HP-UX Auditing System Administration, Installation

Page 14

The audit_filters DLKM makes filtering decisions and enforces the filtering policy in the kernel. Kernel filtering can occur both before the system call code is invoked (pre-filtering) and after it returns (post-filtering). See the definitions of system call pre-filtering and post-filtering in the Glossary.

Audit Reporting

The AudReport product consists of the following components:

Commands

auditdp(1M) — An audit data processing tool that selectively extracts, or filters, audit data from a data source in one of several possible formats and writes the data to a target, in the same or a different format. The tool is built on the DPMS framework and is available only on HP-UX 11i v3 with the AudReport product installed.

Libraries

DPMS (Data Process Module Switch) — A framework implemented as a library that contains a set of common application programming interfaces (APIs) and Service Modules to selectively read and write audit data in various formats (for example, XML Audit Reports).

DPMS provides a layer of separation between applications (for example, auditdp(1M)) that need to extract information from an audit data source and the underlying modules that know the internal data format. The framework is primarily designed for the audit data that the HP-UX system collects (see audit(5)), but it allows service modules to be plugged in to handle data in any format. With this layer of separation, an application can process any data through the same APIs simply by selecting the service module that corresponds to that data; it needs no knowledge of the data's internal format.

For more information on DPMS, see audit_dpms(5). For a description of the DPMS Service Modules, see audit_hpux_portable(5), audit_hpux_raw(5), and audit_hpux_xml(5). For a description of the Audit DPMS APIs that application writers use, see audit_dpms_api(3). For a description of the Audit DPMS Service Provider Interface that a DPMS Service Module writer must support, see audit_dpms_spi(3). For a description of the configuration file used to filter Audit DPMS data, see audit_dpms_filter(4). For a description of how a DPMS service module is implemented, see Writing a DPMS service module.
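The separation described above is easiest to see in code. The following is an added illustration written for this page, not HP's code, and it does not reproduce the real audit_dpms_api(3) or audit_dpms_spi(3) interfaces: the type names (audit_rec, svc_module, dpms_filter), the function dpms_convert, the two toy modules mod_raw and mod_xml, and the pipe-separated sample trail are all hypothetical and constructed here. What it shows is the pattern the paragraph describes: the "application" (dpms_convert, playing the role of auditdp) touches only a record structure and a module vtable, a source module owns the parsing, a target module owns the rendering, and a filter rule in the spirit of audit_dpms_filter(4) decides what reaches the report. It also handles the failure modes a practitioner cares about: a module that cannot serve as a source, a malformed record, and output truncation all fail loudly instead of silently dropping records.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical DPMS-style module switch (illustration only, NOT the real
 * audit_dpms_api(3)/audit_dpms_spi(3) interfaces). The application sees an
 * audit_rec and a svc_module vtable; only the modules know a wire format. */

typedef struct {
    int  event;      /* audit event number */
    int  pid;        /* process that generated the record */
    char user[16];   /* login name */
} audit_rec;

typedef struct {
    const char *name;
    /* SPI: parse one record from a source line into *rec; 0 ok, -1 malformed.
     * NULL means the module cannot act as a data source. */
    int (*read_rec)(const char *line, audit_rec *rec);
    /* SPI: render *rec into out (size n); returns chars written (snprintf-like). */
    int (*write_rec)(const audit_rec *rec, char *out, size_t n);
} svc_module;

/* "raw" module for a constructed pipe-separated layout: event|pid|user */
static int raw_read(const char *line, audit_rec *r)
{
    return sscanf(line, "%d|%d|%15s", &r->event, &r->pid, r->user) == 3 ? 0 : -1;
}
static int raw_write(const audit_rec *r, char *out, size_t n)
{
    return snprintf(out, n, "%d|%d|%s\n", r->event, r->pid, r->user);
}
/* "xml" module: a report target only, so it has no reader */
static int xml_write(const audit_rec *r, char *out, size_t n)
{
    return snprintf(out, n, "<rec event=\"%d\" pid=\"%d\" user=\"%s\"/>\n",
                    r->event, r->pid, r->user);
}

const svc_module mod_raw = { "raw", raw_read, raw_write };
const svc_module mod_xml = { "xml", NULL,     xml_write };

/* Filter rule in the spirit of audit_dpms_filter(4): 0 / "" mean "any". */
typedef struct { int event; const char *user; } dpms_filter;

static int filter_keep(const dpms_filter *f, const audit_rec *r)
{
    if (f->event && f->event != r->event) return 0;
    if (f->user[0] && strcmp(f->user, r->user) != 0) return 0;
    return 1;
}

/* The format-agnostic "auditdp": read via src, filter, write via dst.
 * Returns records written, or -1 on a module mismatch, malformed input or
 * output truncation (a report that silently drops records is worse than none). */
int dpms_convert(const svc_module *src, const svc_module *dst,
                 const dpms_filter *f, const char *input, char *out, size_t n)
{
    const char *p = input;
    size_t used = 0;
    int kept = 0;

    if (!src->read_rec || !dst->write_rec || n == 0) return -1;
    out[0] = '\0';
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        audit_rec r;

        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (len == 0) continue;

        if (src->read_rec(line, &r) != 0) return -1;   /* malformed: stop, do not guess */
        if (!filter_keep(f, &r)) continue;
        int w = dst->write_rec(&r, out + used, n - used);
        if (w < 0 || (size_t)w >= n - used) return -1; /* truncated: report incomplete */
        used += (size_t)w;
        kept++;
    }
    return kept;
}

/* Constructed sample trail in the raw layout (not real HP-UX audit data). */
const char SAMPLE_TRAIL[] = "1|1234|root\n2|1235|alice\n1|1236|bob\n";

int main(void)
{
    char out[512];
    dpms_filter only_event_1 = { 1, "" };
    int n = dpms_convert(&mod_raw, &mod_xml, &only_event_1, SAMPLE_TRAIL, out, sizeof out);
    printf("%d records:\n%s", n, out);
    return n < 0;
}
```

Swapping mod_xml for another target, or mod_raw for a different source, changes nothing in dpms_convert; that is the point of the switch. The real framework additionally lets a module be loaded at run time rather than linked in, which is what makes "plug in a module for any format" possible without rebuilding the application.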

Files

One or more configuration files that you can use to select auditing information in the audit trail to include in an audit report. You specify the files with the auditdp -S option. They contain filtering rules, which are described in audit_dpms_filter(4).

HP-UX Auditing System Administration

This section describes the basic installation, configuration, and management of the HP-UX Auditing System by the Audit Administrator.

Installation

The features described in this paper assume the following software has been installed, depending on the HP-UX release:

HP-UX Standard Mode Security Extensions (SMSE) (HP-UX 11i v2)

Previously, the auditing system was supported only on systems converted to trusted mode. With the HP-UX Standard Mode Security Extensions bundle installed, you can audit a system without converting it to trusted mode.

