HP-UX Auditing System Extensions manual: Troubleshooting, /opt/audit/AudReport/bin

Page 22

Audit Trail Reports (auditdp) in HP-UX 11i v3. In addition, you can use the following tools in /opt/audit/AudReport/bin:

audit_p2l — This sample script demonstrates how to convert audit data in portable format (see audit_hpux_portable(5)) to message lines similar to syslog. The script takes no options or arguments; it reads portable audit data from stdin and writes the message lines to stdout, so it is normally placed at the end of a pipeline fed by auditdp. For example, to convert HP-UX raw audit data to messages in follow mode and store the results in /var/adm/auditlog, issue the following command line:

$ auditdp -r <raw_audit_log> -P -o follow -O sync \
    | audit_p2l > /var/adm/auditlog &

auditreport_generator — This sample script demonstrates how to use the auditdp command (see auditdp(1M)) to generate a collection of web-based audit reports, for example, login history data, logoff history data, su history data, root account activities report, and file access report.

auditreport_setup_web — This sample script configures the Apache server so that the generated audit reports can be viewed in a web browser. It sets the password that is required to access the audit reports over the web, sets up the HTTP alias, and restarts or starts the Apache server.

Audit log configuration, security, and protection

Ensuring the confidentiality, integrity, and availability of logs is very important. As you plan for this, remember the following:

Logging mechanisms must not be deactivated or compromised, so that logging continues without interruption in the event of an incident.

Ensure that log files cannot be edited or deleted. Generally, only administrators and auditors should have access to log files, and only for review and management. All access by these privileged users (administrators and auditors) must itself be logged and reviewed thoroughly and frequently by someone outside that group.

Audit data in transit must be protected with mechanisms such as encryption (for example, HP-UX IPSec or SSL).

Protect the confidentiality and integrity of log files using message digests, encryption, or digital signatures. A digest stored next to the log it protects can be recomputed by anyone able to rewrite the log, so keep the digests, or the keys used to sign them, away from the host that produces the logs.

Provide adequate physical protection for logging mechanisms and stored logs by preventing unauthorized physical access.
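The digest guidance above, as an added example that is not from the HP-UX manual or the /opt/audit/AudReport/bin scripts: a POSIX shell script that records a SHA-256 digest and size for each audit log file in a manifest, authenticates the manifest with an HMAC so that whoever can rewrite the logs cannot also silently regenerate it, and later reports files that were modified or deleted. It assumes openssl(1) is on PATH and takes the HMAC key from an environment variable named AUDIT_MANIFEST_KEY (an assumed name, with an assumed demo default); the log lines it checks are constructed sample data, not real HP-UX audit output.

```shell
#!/bin/sh
# Added example, not part of the HP-UX manual or /opt/audit/AudReport/bin.
# Integrity manifest for audit log files: per-file SHA-256 digest and size,
# plus an HMAC-SHA256 over the manifest so that an attacker who can rewrite
# the logs cannot produce a matching manifest without the key.
# Assumptions: openssl(1) on PATH; the key comes from AUDIT_MANIFEST_KEY (an
# assumed variable name) and should be held on the audit review host, not on
# the system whose logs are being protected.
set -u

: "${AUDIT_MANIFEST_KEY:=review-station-key-change-me}"   # assumed default for the demo only

# digest_file FILE  -> prints "sha256hex size FILE"
digest_file() {
    df_f=$1
    df_h=$(openssl dgst -sha256 "$df_f" | awk '{print $NF}')
    df_sz=$(wc -c < "$df_f" | tr -d ' ')
    printf '%s %s %s\n' "$df_h" "$df_sz" "$df_f"
}

# manifest_mac MANIFEST -> prints the HMAC-SHA256 of the manifest under the key
manifest_mac() {
    openssl dgst -sha256 -hmac "$AUDIT_MANIFEST_KEY" "$1" | awk '{print $NF}'
}

# make_manifest MANIFEST FILE...  -> writes MANIFEST and MANIFEST.mac
make_manifest() {
    m=$1; shift
    : > "$m"
    for f in "$@"; do
        digest_file "$f" >> "$m"
    done
    manifest_mac "$m" > "$m.mac"
}

# verify_manifest MANIFEST -> exit status 0 if the MAC and every listed file
# still match, 1 otherwise; one diagnostic per problem on stderr.
verify_manifest() {
    m=$1
    rc=0
    if [ "$(cat "$m.mac")" != "$(manifest_mac "$m")" ]; then
        echo "MANIFEST TAMPERED OR WRONG KEY: $m" >&2
        return 1
    fi
    while read -r h sz f; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            rc=1
        elif [ "$(digest_file "$f")" != "$h $sz $f" ]; then
            echo "MODIFIED: $f" >&2
            rc=1
        fi
    done < "$m"
    return $rc
}

# Demonstration on constructed sample data (not real HP-UX audit output).
demo() {
    d=$(mktemp -d)
    printf 'Jan 10 09:15:02 hpux1 login: user alice from 10.0.0.5\n' > "$d/auditlog"
    printf 'Jan 10 09:20:44 hpux1 su: alice to root\n' >> "$d/auditlog"
    make_manifest "$d/manifest" "$d/auditlog"
    verify_manifest "$d/manifest" && echo "untouched log: verified"
    # Simulate an intruder removing the su record by truncating the log.
    printf 'Jan 10 09:15:02 hpux1 login: user alice from 10.0.0.5\n' > "$d/auditlog"
    verify_manifest "$d/manifest" || echo "truncated log: detected"
    rm -rf "$d"
}

demo
```

Run make_manifest from the review host (or copy the manifest and its .mac file there immediately after creating them); verify_manifest then distinguishes a modified log, a deleted log, and a manifest that was rewritten without the key. The HMAC only shifts the trust to wherever the key lives, which is why the key must not sit on the logging host itself.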

Troubleshooting

This section describes potential problems and their solutions. To stay current with product updates and patches, monitor the HP security software news and events web site at www.hp.com/security.

Self-audit login events are being generated for users even though they are disabled for auditing.

When a user logs in remotely using telnet, ssh, or remsh, user authentication is performed by the pam_hpsec(5) PAM module. The module always generates self-audit login events, regardless of whether auditing for that user is enabled (AUDIT_FLAG=1) or disabled (AUDIT_FLAG=0).

Likewise, logoff events are generated by a DLKM when the user logs off.

System call level events are being generated for daemons spawned by inetd (for example, telnetd(1M) and remshd(1M)) even though auditing is disabled for user root.
