HP UX Auditing System Extensions manual Audit policy, Audit generation and capture

Page 20

Audit policy

Develop a policy for auditing based on the level of security the site requires, the types of users administered, and the costs of auditing. Document the policies, review them periodically, and update them as needed. Based on the policy, make the following decisions as part of planning:

Decide which users and events to audit based on the site policy.

Decide whether to audit the selected events for success, for failure, or both. Auditing for failure locates abnormal events; auditing for success monitors system use.

Determine the level of detail and the format of the audit information according to the site policy.

Define roles (who is allowed to do what):

Security Administrator

Plans what to audit according to site security policy and goal; implements policies; and develops an archive strategy and encryption of archives.

System Administrator

Plans for disk space (local and remote) and other resources; configures automatic backup, archiving, and log rotation; and for centralized management, determines audit server and network layout of audited systems.

HP-UX RBAC

Implement roles, such as audit-trail readers, so that audit trails are protected from snooping.

Establish standard operational procedures to support and maintain the policies. For example:

Decide whether the audit subsystem must block, suspending system activities so that no audit data is ever lost, or must discard records rather than suspend system activities when the disk space on the audit file systems is exhausted.

Determine a regular maintenance schedule that can automatically back up and free up space for more audit records.
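The two overflow policies above (block versus discard) and the maintenance schedule interact, and the trade-off is easier to see in a small model. The following is an added example written for this page, not HP-UX code: it drives a toy audit trail with a fixed capacity (the capacity, record size and archive interval are assumed values) under each policy, and shows that blocking stalls the audited activity, discarding loses records (so the loss must at least be counted), and a regular archive job avoids both.

```python
"""Toy model of the audit-overflow policies described above.

Constructed example; not part of the HP-UX auditing system. Capacity,
record size and archive interval are assumptions chosen to make the
behaviour visible.
"""
from dataclasses import dataclass, field


class AuditBlocked(Exception):
    """Raised in 'block' mode: the audited activity must wait for space."""


@dataclass
class AuditTrail:
    capacity_bytes: int            # size of the audit file system (assumed)
    policy: str                    # "block" or "discard"
    used_bytes: int = 0
    written: int = 0
    discarded: int = 0             # only grows in 'discard' mode
    records: list = field(default_factory=list)

    def write(self, record: bytes) -> bool:
        """Append one record; return True if it was kept."""
        if self.used_bytes + len(record) > self.capacity_bytes:
            if self.policy == "block":
                # Never lose data: the activity being audited is suspended.
                raise AuditBlocked("audit file system full")
            # Keep the system running, but count the loss so the gap is known.
            self.discarded += 1
            return False
        self.records.append(record)
        self.used_bytes += len(record)
        self.written += 1
        return True

    def archive(self) -> list:
        """Back up the trail and free its space, as a maintenance job would."""
        saved = self.records
        self.records = []
        self.used_bytes = 0
        return saved


def run_workload(policy, capacity, n_records, record_size=10, archive_every=None):
    """Write n_records records under one policy and report the outcome.

    archive_every: if set, archive the trail every that many records,
    standing in for the regular maintenance schedule.
    """
    trail = AuditTrail(capacity_bytes=capacity, policy=policy)
    blocked_at = None
    archived = 0
    for i in range(n_records):
        if archive_every and i > 0 and i % archive_every == 0:
            archived += len(trail.archive())
        try:
            trail.write(b"x" * record_size)
        except AuditBlocked:
            blocked_at = i            # index of the record that could not be written
            break
    return {"policy": policy, "written": trail.written, "discarded": trail.discarded,
            "archived": archived, "blocked_at": blocked_at}


if __name__ == "__main__":
    for args in (("block", 50, 10), ("discard", 50, 10)):
        print(run_workload(*args))
    print(run_workload("block", 50, 10, archive_every=5))
```

With a 50-byte trail and ten 10-byte records, the block policy stops the workload at the sixth record, the discard policy silently drops five records unless the counter is inspected, and archiving every five records lets all ten through without a stall. The `discarded` counter is the point of the discard branch: a policy that allows loss should still make the size of the gap visible to the analyst.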

Audit generation and capture

Collecting sufficient data to meet the requirements of regulations and forensic analysis is a big challenge. For example, the payment card industry standard requires organizations to track and monitor all access to network resources and cardholder data. Data must be collected from many sources including security systems, operating and storage systems, and applications. Events that must be recorded include the following:

Privileged, administrative or root access.

Enabling and disabling of security system and accesses to audit logs.

System and service startup and shutdown.

File accesses and changes to access rights on servers.

Rejected system, application, file, or data access attempts and other failed actions.

Login attempts, and the amount of data sent and received during the session, on remote access and wireless access systems.

Note:

Log sources typically reference their own internal clock when placing a time stamp on a log entry. Ensure that the internal clocks of all log sources are synchronized to a trusted, accurate time server; otherwise events from different sources cannot be reliably ordered or correlated.
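A collector can check the note above before it merges records from several sources. The following is an added example, not from the HP-UX manual: it assumes a constructed log format in which each line carries the source's own timestamp and a `received=` field stamped by the collector from its trusted clock (both the format and the hostnames are assumptions). It estimates each source's clock offset, flags sources whose skew exceeds a threshold, and shows how the unsynchronized source's records fall out of order in a merged timeline.

```python
"""Detect unsynchronized log-source clocks before correlating records.

Constructed example; the log format, hostnames, timestamps and the
'received=' collector field are assumptions, not an HP-UX format.
"""
import re
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed records. hpux01 and fw01 are in step with the collector's
# clock; hpux02's clock is eight minutes slow.
SAMPLE_LINES = [
    "2024-03-01T10:00:00Z host=hpux01 received=2024-03-01T10:00:00Z event=login user=root",
    "2024-03-01T10:00:05Z host=hpux01 received=2024-03-01T10:00:05Z event=login user=oracle",
    "2024-03-01T09:52:10Z host=hpux02 received=2024-03-01T10:00:10Z event=login user=root",
    "2024-03-01T09:52:15Z host=hpux02 received=2024-03-01T10:00:15Z event=su user=dbadmin",
    "2024-03-01T10:00:21Z host=fw01 received=2024-03-01T10:00:20Z event=deny src=10.0.0.5",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) received=(?P<rx>\S+) ")


def parse_ts(s: str) -> datetime:
    """Parse the constructed UTC timestamp format used in SAMPLE_LINES."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_offsets(lines):
    """Return {host: median offset in seconds} of source clock minus collector clock.

    The median resists a few delayed deliveries; a consistent offset is a
    clock problem, not network jitter.
    """
    per_host = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not fit the format
        offset = (parse_ts(m["ts"]) - parse_ts(m["rx"])).total_seconds()
        per_host.setdefault(m["host"], []).append(offset)
    return {h: median(v) for h, v in per_host.items()}


def skewed_sources(lines, max_skew_seconds=30):
    """Hosts whose clock differs from the trusted clock by more than the threshold."""
    return sorted(h for h, o in clock_offsets(lines).items() if abs(o) > max_skew_seconds)


def corrected_timeline(lines):
    """Merge records in true order by subtracting each host's measured offset.

    A forensic workaround for data already collected; the fix is to
    synchronize the source clocks so the correction is never needed.
    """
    offs = clock_offsets(lines)
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"]) - timedelta(seconds=offs[m["host"]])
        out.append((t.isoformat(), m["host"], line[m.end():]))
    return sorted(out)


if __name__ == "__main__":
    print("offsets:", clock_offsets(SAMPLE_LINES))
    print("skewed:", skewed_sources(SAMPLE_LINES))
    for row in corrected_timeline(SAMPLE_LINES):
        print(*row)
```

On the sample data `hpux02` is reported with an offset of -480 seconds, and sorting by the raw source timestamps would place its root login eight minutes before the `hpux01` logins even though the collector saw it after them. The one-second difference on `fw01` is ordinary delivery delay and stays under the threshold.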
