HP UX Auditing System Extensions manual Configuration, Configuring users for audit

Page 15

HP-UX Auditing System Extensions (HP-UX 11i v3)

The auditing system is installed as part of the base HP-UX 11i v3 distribution. However, the Auditing System Extensions bundle must be installed to make use of the AudReport and AudFilter product features.

Both products are available on software.hp.com and have Release Notes on the Business Support Center that contain details about product compatibility, installation requirements, patch requirements, and installation instructions.

Configuration

This section describes guidelines and steps for configuring users for audit, configuring events for audit, and configuring roles.

Configuring users for audit

Users are audited depending on the value of either the system wide AUDIT_FLAG security attribute or the per-user AUDIT_FLAG security attribute. The AUDIT_FLAG security attribute is described in security(4). A user is audited if either of the following conditions is true:

The user AUDIT_FLAG is set to 1.

The system wide AUDIT_FLAG is set to 1.

To set the system wide and per-user AUDIT_FLAG values, use either of the following methods:

userdbset command. See userdbset(1M) and userdb(4).

HP-UX Security Attributes Configuration tool. See secweb(1M).

The audit user selection policy is based on the AUDIT_FLAG setting for the user responsible for the event. The responsible user is traced back to the original login user, not to the real or effective user at the moment an event happens. For example, a user logs in as user “Joe” and then either executes a setuid program to run as user “Ben” or issues the su command to the target user “Ben.” All events that occur while “Joe” is running as “Ben” are attributable to the original login user “Joe” and are audited depending on the AUDIT_FLAG security attribute for login user “Joe,” not on the AUDIT_FLAG security attribute for user “Ben.” For su(1), you can modify this user selection policy to audit based on the target user (see the description of the bypass_setaud flag in pam_hpsec(5)), if su(1) requires the source user to be authenticated and the authentication is successful. Because root does not need to authenticate when invoking su(1), users logged in as root are always audited as user root, regardless of the bypass_setaud flag setting for su(1).
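The selection policy above can be modelled as a small decision function, useful when checking which events a given user's actions will produce in the trail. This is an added example written for this page, not HP code; the userdb contents, the system-wide flag and the Event fields are constructed placeholders standing in for userdb(4) and security(4) values.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the per-user userdb(4) attributes and
# the system-wide AUDIT_FLAG from security(4); not taken from any real system.
SYSTEM_AUDIT_FLAG = 0
USERDB = {"joe": {"AUDIT_FLAG": 1}, "ben": {"AUDIT_FLAG": 0}, "root": {}}


@dataclass
class Event:
    login_user: str                 # user who originally logged in
    current_user: str               # real/effective user when the event happens
    via_su: bool = False            # current identity reached through su(1)
    su_authenticated: bool = False  # su(1) required and passed authentication


def is_user_audited(user, userdb=USERDB, system_flag=SYSTEM_AUDIT_FLAG):
    """A user is selected for audit if the system-wide AUDIT_FLAG is 1 or the
    per-user AUDIT_FLAG is 1; either condition alone is sufficient."""
    return system_flag == 1 or userdb.get(user, {}).get("AUDIT_FLAG", 0) == 1


def responsible_user(event, bypass_setaud=False):
    """Identity whose AUDIT_FLAG decides selection.

    By default events trace back to the login user, not to the real/effective
    user at event time (setuid programs and su alike). With bypass_setaud set
    for su(1), an *authenticated* su attributes later events to the target
    user. root never authenticates to su(1), so root is always audited as root.
    """
    if event.login_user == "root":
        return "root"
    if bypass_setaud and event.via_su and event.su_authenticated:
        return event.current_user
    return event.login_user


def should_audit(event, bypass_setaud=False, userdb=USERDB,
                 system_flag=SYSTEM_AUDIT_FLAG):
    """Return (responsible user, whether events in this context are audited)."""
    who = responsible_user(event, bypass_setaud)
    return who, is_user_audited(who, userdb, system_flag)


if __name__ == "__main__":
    # Joe (AUDIT_FLAG=1) runs a setuid program as Ben: still audited as joe.
    print(should_audit(Event("joe", "ben")))  # ('joe', True)
```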

If a user is not selected for auditing, audit records associated with the user are generated in the following cases:

At the time a user starts and ends a login session. Those events are considered system events rather than user events and are therefore generated based on whether the login event is being audited, not on whether the user is being audited.

By programs that do self-auditing and make arbitrary decisions to ignore the user selection.

If Audit Filtering (11i v3 only) is configured to generate audit records for those users who are not selected for auditing using the !audited_process flag. See filter.conf(4).

System call auditing of inetd-spawned daemons if inetd is not started with the -a option.

If a user is selected for auditing, audit records associated with the user are not generated in the following case:
