HP-UX Auditing System manual: Audit tags, Audit trail, Audit events

Page 5

Audit tags

When a user logs in, the auditing system generates a unique audit session ID, called an audit tag, and attaches it to every audit record produced by the processes of that login session. The tag is a string built from the login name and the login time, and it does not change for the life of the session. If the user changes identity during the session (for example with su(1)), events are still recorded under the same audit tag and remain accountable to the original login name.

Audit trail

An audit trail contains all audit records in chronological order and provides a complete information trail for display and analysis. An active audit trail must be in use whenever the auditing system is enabled. Access to the auditing system, including the audit trails, is restricted to privileged users.

The Primary Audit Trail is the trail to which audit records are currently written; the Secondary Audit Trail is the trail that takes over new records once the Primary reaches a configured capacity limit. The trail names and attributes such as the capacity limits are set with the audsys(1M) command.

The audomon(1M) daemon monitors the current trail and detects when it exceeds a specified size or when the file system holding the trails is dangerously full. When either condition occurs, the daemon switches writing from the Primary Audit Trail to the Secondary Audit Trail, which has the same base name but a different timestamp extension. When starting audomon(1M) you can specify a script that is run against the Primary Audit Trail that was just switched away from, for example to copy it to a central server for archiving.

For performance reasons, the HP-UX Auditing System on 11i v3 runs by default in normal mode, in which the audit trail consists of multiple files under a single directory so that the kernel Audit Daemon can write audit records concurrently. You can also configure it in compatibility mode, in which the audit trail is a single file. For how to change the audit trail mode on HP-UX 11i v3, see audsys(1M). On HP-UX 11i v2 an audit trail can only be a single file.

Audit events

The auditing system logs selected security-relevant events: instances of subjects accessing objects on the system. Audit events, also called audit records, are generated when a user makes a security-relevant system call and when a self-auditing program calls audwrite(2) to write a self-audit record. Each system call audit record and self-audit record carries the following information about the event:

Who caused the event (the subject):
  - Real and effective user name and process ID
  - Audit session ID and audit tag
  - Name of the command executed to trigger the event
  - Hostname and IP address of the source host from which the user logged in

What the event is:
  - The event type: a system call event or a self-audit event
  - The object (for example, the file being modified or the user login account)
  - The action performed on the object (for example, modification of a file's permissions)
  - Whether the event succeeded or failed and, if it failed, the reason for the failure
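The tag, trail-switching and record-content behaviour described in the three preceding subsections, as one added Python model written for this page (not HP-UX code). The tag layout `login@time`, the trail file names `base.timestamp`, the 600-byte size limit, the JSON record layout and the sample session (alice from ws01.example.net, then su to root) are all assumptions; the `on_switch` hook stands in for the script handed to audomon(1M), and `max_bytes`/`min_free_bytes` stand in for its size and free-space thresholds without claiming its option names.

```python
"""Model of HP-UX audit tags, primary/secondary trail switching and the
who/what/outcome contents of an audit record.  Added illustration only:
the tag layout, file naming, thresholds and JSON record format are
assumptions, not HP-UX's on-disk formats or audomon(1M) option names."""
import json
import os
import tempfile
import time
from typing import Callable, Dict, List, Optional


def make_audit_tag(login_name: str, login_time: int) -> str:
    """Audit tag = login name + login time, fixed for the whole session."""
    return f"{login_name}@{login_time}"


class Session:
    """One login session.  login_name is the accountable identity; the audit
    tag never changes, even when the uids change (su(1), newgrp(1))."""

    def __init__(self, login_name: str, login_time: int, host: str, ip: str):
        self.audit_tag = make_audit_tag(login_name, login_time)
        self.login_name = login_name
        self.real_user = self.effective_user = login_name
        self.source_host, self.source_ip = host, ip

    def change_identity(self, new_user: str) -> "Session":
        """Same session after an identity change: new uids, same audit tag."""
        other = Session.__new__(Session)
        other.__dict__.update(self.__dict__)
        other.real_user = other.effective_user = new_user
        return other

    def record(self, pid: int, command: str, event_type: str, obj: str,
               action: str, success: bool, reason: Optional[str] = None) -> Dict:
        """Build one audit record with the subject, event and outcome fields."""
        return {
            "audit_tag": self.audit_tag, "login_name": self.login_name,
            "real_user": self.real_user, "effective_user": self.effective_user,
            "pid": pid, "command": command,
            "source_host": self.source_host, "source_ip": self.source_ip,
            "event_type": event_type,           # "syscall" or "selfaudit"
            "object": obj, "action": action,
            "success": success, "failure_reason": reason,
        }


class AuditTrail:
    """Primary/secondary switching in the manner of audomon(1M): switch when
    the primary reaches max_bytes or free space in the trail directory drops
    below min_free_bytes, then run the post-switch hook on the old trail."""

    def __init__(self, directory: str, base_name: str, max_bytes: int,
                 min_free_bytes: int = 0,
                 on_switch: Optional[Callable[[str], None]] = None,
                 clock: Callable[[], int] = lambda: int(time.time())):
        self.directory, self.base_name = directory, base_name
        self.max_bytes, self.min_free_bytes = max_bytes, min_free_bytes
        self.on_switch, self.clock = on_switch, clock
        self.switched: List[str] = []        # trails already switched away from
        self.primary = self._new_trail()

    def _new_trail(self) -> str:
        """Same base name, new timestamp extension (bumped on collision)."""
        stamp = self.clock()
        path = os.path.join(self.directory, f"{self.base_name}.{stamp}")
        while os.path.exists(path):
            stamp += 1
            path = os.path.join(self.directory, f"{self.base_name}.{stamp}")
        open(path, "a").close()
        return path

    def _free_bytes(self) -> int:
        st = os.statvfs(self.directory)
        return st.f_bavail * st.f_frsize

    def write(self, rec: Dict) -> None:
        with open(self.primary, "a") as fh:
            fh.write(json.dumps(rec) + "\n")
        if (os.path.getsize(self.primary) >= self.max_bytes
                or self._free_bytes() < self.min_free_bytes):
            self._switch()

    def _switch(self) -> None:
        old, self.primary = self.primary, self._new_trail()
        self.switched.append(old)
        if self.on_switch:       # e.g. copy the full trail to a central archive host
            self.on_switch(old)


def demo(directory: Optional[str] = None) -> Dict:
    """Constructed sample: a failed write as alice, su to root, a successful
    chmod, then a self-audit record, against a 600-byte trail limit."""
    directory = directory or tempfile.mkdtemp(prefix="audit-")
    archived: List[str] = []
    stamps = iter(range(1_700_000_000, 1_700_000_100))   # deterministic clock
    trail = AuditTrail(directory, "audtrail", max_bytes=600,
                       on_switch=archived.append, clock=lambda: next(stamps))
    sess = Session("alice", 1_700_000_000, "ws01.example.net", "192.0.2.10")
    trail.write(sess.record(4021, "vi", "syscall", "/etc/passwd",
                            "open for write", False, "EACCES"))
    root = sess.change_identity("root")
    trail.write(root.record(4030, "chmod", "syscall", "/etc/passwd",
                            "change permissions", True))
    trail.write(root.record(4031, "passwd", "selfaudit", "alice",
                            "password change", True))
    trails = trail.switched + [trail.primary]
    records: List[Dict] = []
    for path in trails:
        with open(path) as fh:
            records.extend(json.loads(line) for line in fh)
    return {"records": records, "trails": trails, "archived": archived}


if __name__ == "__main__":
    out = demo()
    for rec in out["records"]:
        print(rec["audit_tag"], rec["effective_user"], rec["command"], rec["success"])
    print("switched trails:", out["archived"])
```

Every record in the run carries the same tag and login name although the effective user becomes root after the identity change, which is the accountability property the audit tag exists for; the second write pushes the first trail past the size limit, so it is switched away from and handed to the archive hook while the third record lands in the new primary.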
