1.Deselect auditing for all users by setting the AUDIT_FLAG=0 in the

/etc/default/security file.

2.Configure auditing for a specific user using the following command

# /usr/sbin/userdbset -u user-nameAUDIT_FLAG=1.

If the audit system is not already enabled, use the audsys -ncommand to start the auditing system. Auditing changes take effect at the user's next login.

Auditing Events

An event is an action with security implications, such as creating a file, opening a file, or logging in to the system. You can audit events on an HP-UX system to enhance security by detecting possible breaches. However, the more events you choose to audit, the more system resources are used and the greater the impact on system performance. Your security architect must determine which events to audit based on your business needs and any applicable government regulations.

NOTE: HP recommends that you audit the following three events at a minimum:

admin

login

modaccess

Configure the events you want to audit before you turn on the auditing system. When an event type is selected, its associated system calls are automatically enabled. To configure events for auditing, use the audevent command. The syntax for the audevent command is as follows:

# audevent [options]

The following options are commonly used with the audevent command:

Table 6-7 audevent command options

audevent options

Description

-P

Logs successful event operations

-F

Logs unsuccessful event operations

-e [event]

Specifies an event to log

-l

Displays a complete list of event types and associated system calls

-S or -s

Change event or system call audit status

no option

display the current status of the selected events or system calls

For example, to configure admin, login, and modaccess for auditing, enter the following command:

#audevent -P -F -e admin -e login -e moddac

Both Audit Success and Audit Failure are set as event types for monitoring successful and failed events or system calls. This is the minimum event type selection recommended for running a system.

A record is written when an event type is selected for auditing, and the user initiating the event has been selected for auditing. The login event is an exception. Once selected, the login event will be recorded whether or not the user logging in has been selected for auditing.

Streamlining Audit Log Data

Some processes invoke a series of actions that can be audited. To reduce the amount of audit log data collected and to provide for more meaningful notations in the audit log files, some of these

78 Standard Mode Security Extensions

Page 78
Image 78
HP UX 11i Role-based Access Control (RBAC) Software Auditing Events, Streamlining Audit Log Data, Audevent command options