HP UX Auditing System Extensions manual Configuring events for audit, Configuring audit filtering

Page 16

The root user runs su - non_root_user, where the target non-root user is being audited. When the root user switches to another user, the Pluggable Authentication Module (PAM) is not invoked; no authentication is done when running as root. Therefore, audit records are not generated as being triggered by the non-root target user, but are instead attributable to the root user.

Configuring events for audit

Use the audevent(1M) command to specify system activities (auditable events) that you want to audit. Auditable events are classified into event categories and profiles for easier configuration. After an event category or a profile is selected, all system calls and self-auditing events associated with that event category or profile are selected. When the auditing system is installed, a default set of event classification information is provided in /etc/audit/audit.conf file. In order to meet site-specific requirements, you can also define event categories and profiles in /etc/audit/audit_site.conf. For more information, see audit.conf(4) and audevent(1M).

On HP-UX 11i v3, the AudFilter product enables you to audit events not audited according to audevent(1M) by specifying a filtering rule that contains the !audited_event directive.

Configuring audit filtering

To configure and load audit filtering, follow these steps:

1. Customize the filtering rules in /etc/audit/filter.conf. The filter.conf file contains the rule-based audit filtering policy that the auditing subsystem uses to determine what activities to audit on the system. For more information, see filter.conf(4).

2. Start the filter daemon as follows:

# audfilterd -s

The audfilterd service daemon handles service requests from the audfilter(1M) configuration tool, and reevaluates and reloads the filtering policy whenever the mounted file system table changes. For more information, see audfilterd(1M).

3. Load the filtering rules as follows:

# audfilter -c

The audfilter configuration tool interprets the filtering policy as specified in the filter.conf configuration file and implements the policy. Use audfilter to display or clear out the filtering policy currently in effect.

Configuring audit settings to be preserved across reboots

To preserve audit settings across reboots, edit the /etc/rc.config.d/auditing file and make the following changes as needed:

AUDITING flag – Set to 1 to enable the auditing system at system startup.

Primary and secondary log files

PRI_AUDFILE – Absolute pathname of the audit trail where audit records begin to be logged.

PRI_SWITCH – Switch size (maximum size in kilobytes) for the primary audit trail.

SEC_AUDFILE – The trail to which the audit system switches when the primary reaches switch size.

SEC_SWITCH – Switch size (maximum size in kilobytes) for the secondary audit trail.
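As an added example (not code from the HP manual), the following POSIX shell script checks an /etc/rc.config.d/auditing-style file for the settings described above before a reboot: that the AUDITING flag is 1, that both trail pathnames are absolute and distinct, and that both switch sizes are positive integers. The sample file contents, the trail paths in them and the temporary file locations are constructed for this example; the check assumes only the VAR=value shell syntax the file uses.

```shell
#!/bin/sh
# Added example: preflight check of audit startup settings in an
# /etc/rc.config.d/auditing-style file, so that a typo does not leave
# the system unaudited after the next reboot. Sample contents are constructed.

# getvar FILE NAME -- value of the last NAME=value assignment in FILE
# (the last assignment wins, as it does when the shell sources the file).
getvar() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_path NAME VALUE -- an audit trail pathname must be absolute.
check_path() {
    case $2 in
        /*) ;;
        *)  echo "$1=$2: audit trail pathname must be absolute"; rc=1 ;;
    esac
}

# check_size NAME VALUE -- a switch size must be a positive integer (kilobytes).
check_size() {
    case $2 in
        ''|*[!0-9]*|0) echo "$1=$2: switch size must be a positive integer in kilobytes"; rc=1 ;;
    esac
}

# check_auditing_conf FILE
# Prints one line per problem found; returns 0 if the settings look sane, 1 otherwise.
check_auditing_conf() {
    conf=$1
    rc=0

    auditing=$(getvar "$conf" AUDITING)
    if [ "$auditing" != 1 ]; then
        echo "AUDITING=$auditing: auditing will not be enabled at startup (expected 1)"
        rc=1
    fi

    pri=$(getvar "$conf" PRI_AUDFILE)
    sec=$(getvar "$conf" SEC_AUDFILE)
    check_path PRI_AUDFILE "$pri"
    check_path SEC_AUDFILE "$sec"
    if [ -n "$pri" ] && [ "$pri" = "$sec" ]; then
        echo "PRI_AUDFILE and SEC_AUDFILE name the same trail; switching would reuse the same file"
        rc=1
    fi

    check_size PRI_SWITCH "$(getvar "$conf" PRI_SWITCH)"
    check_size SEC_SWITCH "$(getvar "$conf" SEC_SWITCH)"
    return $rc
}

# write_sample PATH good|bad -- writes a constructed sample file (not a real HP-UX default).
write_sample() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
AUDITING=1
PRI_AUDFILE=/var/audit_example/pri_trail
PRI_SWITCH=1000
SEC_AUDFILE=/var/audit_example/sec_trail
SEC_SWITCH=1000
EOF
    else
        cat > "$1" <<'EOF'
AUDITING=0
PRI_AUDFILE=var/audit_example/pri_trail
PRI_SWITCH=1000k
SEC_AUDFILE=var/audit_example/pri_trail
SEC_SWITCH=1000
EOF
    fi
}

# Stand-alone run against the two constructed samples.
tmp=${TMPDIR:-/tmp}/auditing_example.$$
write_sample "$tmp.good" good
check_auditing_conf "$tmp.good" && echo "$tmp.good: settings look sane"
write_sample "$tmp.bad" bad
check_auditing_conf "$tmp.bad" || echo "$tmp.bad: problems found (see above)"
rm -f "$tmp.good" "$tmp.bad"
```

Run it against the real file with `check_auditing_conf /etc/rc.config.d/auditing` after sourcing the script; a non-zero return means at least one setting would not survive a reboot as intended.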

Number of log files in an audit trail
