HP UX Auditing System Extensions manual Configuration, Configuring users for audit

•HP-UX Auditing System Extensions (HP-UX 11i v3)

The auditing system is installed as part of the base HP-UX 11i v3 distribution. However, Auditing System Extensions bundle must be installed to make use of the AudReport and AudFilter product features.

Both products are available on software.hp.com and have Release Notes on the Business Support Center that contain details about product compatibility, installation requirements, patch requirements, and installation instructions.

Configuration

This section describes guidelines and steps for configuring users for audit, configuring events for audit, and roles.

Configuring users for audit

Users are audited depending on the value of either the system wide AUDIT_FLAG security attribute or the per-user AUDIT_FLAG security attribute. The AUDIT_FLAG security attribute is described in security(4). A user is audited if either of the following conditions is true:

•The user AUDIT_FLAG is set to 1.

•The system wide AUDIT_FLAG is set to 1.

To set the system wide and per-user AUDIT_FLAG values, use either of the following methods:

•userdbset command. See userdbset(1M) and userdb(4).

•HP-UX Security Attributes Configuration tool. See secweb(1M).

The audit user selection policy is based on the AUDIT_FLAG setting for the user responsible for the event. The responsible user is traced back to the original login user, not to the user corresponding to the real or effective user at the moment an event happens. For example, a user logins as user “Joe” and then either executes a setuid program to run as user “Ben” or issues the su command to the target user “Ben.” All events that occur while “Joe” is running as “Ben” are attributable to the original login user “Joe” and are audited depending on the AUDIT_FLAG security attribute for login user “Joe,” not on the AUDIT_FLAG security attribute for user “Ben.” For su(1), you can modify this user selection policy to audit based on the target user (see description of the bypass_setaud flag in pam_hpsec(5)), if su(1) requires the source user to be authenticated and the authentication is successful. Because root does not need to authenticate when invoking su(1), users logged in as root are always audited as user root, regardless of the bypass_setaud flag setting for su(1).

If a user is not selected for auditing, audit records associated with the user are generated in the following cases:

•At the time user starts a session and ends a login session. Those events are considered system events more than user events and are therefore generated based on whether the login event is being audited rather than whether the user is being audited.

•By programs that do self-auditing and make arbitrary decisions to ignore the user selection.

•If Audit Filtering (11i v3 only) is configured to generate audit records for those users who are not selected for auditing using the !audited_process flag. See filter.conf(4).

•System call auditing of inetd spawned daemons if inetd is not started with the –aoption.

If a user is selected for auditing, audit records associated with the user are not generated in the following case:

15