Audit unaware

Some self-auditing programs do not invoke the audswitch(2) system call to suspend system call auditing on themselves, nor do they directly invoke audwrite(2) to generate self-audit records. Instead, these privileged programs invoke a library routine that generates the self-auditing event on their behalf. For example, telnetd(1M) is a privileged program that invokes the pam_hpsec(5) PAM module to authenticate users. The hpsec PAM module invokes the audwrite(2) system call to generate successful and failed login self-audit events on behalf of telnetd. In addition, a logoff self-auditing event is generated on telnetd’s behalf by a DLKM (dynamically loadable kernel module).

The following self-auditing programs invoke the hpsec PAM module for authenticating users:

telnetd(1M), rlogind(1M), sshd(1M), remshd(1M), rexecd(1M), su(1), ftpd(1M)

Self-audit events generated on their behalf: login, ipcopen

login event: Service=telnet|login|ssh|ftp User=login_user Status=Successful (login)

login event: Service=shell|exec User=login_user Status=Successful Command="command & args" RemoteUser=remote_user

login event: Service=telnet|login|ssh|ftp User=login_user Status=Failed ("Authentication failed") (login)

login event: Service=su User=target_user Status=Failed ("Authentication failed")

login event: Service=ftp User=login_user Status=Failed

login event: Service=telnet|login User=login_user Status=Failed ("No account present for user") (login)

login event: Service=shell|exec User=login_user Status=Failed ("Access denied by ruserok.") Command="command & args" RemoteUser=remote_user
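As an added example (not part of the HP-UX documentation or of the hpsec PAM module), the following Python parses audit-trail text in the login event formats listed above, handles both Status=Failed reason spellings shown (with and without a space before the parenthesis) and the quoted Command value, and groups repeated failures per service and user; the record lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample records in the "login event:" formats listed above
# (not taken from a real HP-UX system).
SAMPLE_RECORDS = [
    'login event: Service=ssh User=alice Status=Successful',
    'login event: Service=telnet User=bob Status=Failed ("Authentication failed")',
    'login event: Service=su User=root Status=Failed("Authentication failed")',
    'login event: Service=ftp User=carol Status=Failed',
    'login event: Service=login User=mallory Status=Failed ("No account present for user")',
    'login event: Service=shell User=bob Status=Failed("Access denied by ruserok.") '
    'Command="ls -l /tmp" RemoteUser=bob',
    'login event: Service=exec User=dave Status=Successful Command="uname -a" RemoteUser=dave',
    'login event: Service=telnet User=bob Status=Failed ("Authentication failed")',
]

# One Key=Value token: the value is a double-quoted string (may contain
# spaces, e.g. Command="...") or a bare word, optionally followed by a
# parenthesised quoted reason with or without a space before the "(".
_FIELD_RE = re.compile(
    r'(\w+)=("(?:[^"\\]|\\.)*"|\S+?)(?:\s*\("([^"]*)"\))?(?=\s|$)')

def parse_login_event(line):
    """Parse one 'login event:' record into a dict (None if it is not one)."""
    prefix = 'login event:'
    if not line.startswith(prefix):
        return None
    fields = {}
    for key, value, reason in _FIELD_RE.findall(line[len(prefix):]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # unquote Command="..." style values
        fields[key] = value
        if reason:                        # Status=Failed ("...") -> Reason
            fields['Reason'] = reason
    return fields

def failed_logins(lines, threshold=2):
    """(Service, User) -> (failure count, sorted reasons) at/above threshold."""
    counts, reasons = Counter(), {}
    for line in lines:
        rec = parse_login_event(line)
        if rec is None or rec.get('Status') != 'Failed':
            continue
        key = (rec.get('Service'), rec.get('User'))
        counts[key] += 1
        reasons.setdefault(key, set()).add(rec.get('Reason', 'unspecified'))
    return {k: (n, sorted(reasons[k])) for k, n in counts.items() if n >= threshold}
```

The threshold is a tuning knob for the reviewer; a record with Status=Failed and no reason (the ftp form) is counted under the reason "unspecified".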

ipcopen event (telnet, rlogin, rexec and shell services):

Networking service = telnet|rlogin|rexec|shell
Request outcome = success|failure
Validation tool = unspecified|passwd
Service event = start_of_service|unspecified
Remote system = ip address
Remote user = username|unspecified
Local system = ip address
Local user = username|uid|unspecified

Login successful. User = username
Access denied by ruserok
exec "login -p -h remotehost login_user"
Executing login pid = pid. (ipcopen)

ipcopen event (ftp service):

Networking service = ftp
Request outcome = success|failure
Validation tool = unspecified|passwd
Service event = start_of_service|unspecified
Remote system = ip address
Remote user = username|unspecified
Local system = ip address
Local user = username|uid|unspecified

Login successful. User = username
Repeated login failures.
Failed login attempt - shell not in /etc/shells.
Failed login attempt - name in /etc/ftpd/ftphosts.
Failed login attempt - Anonymous FTP access denied.
Failed login attempt - guest login not permitted.
Failed login attempt - access denied for user.
Failed login attempt - user unknown.
Failed login attempt - user access denied.
Failed login attempt - Kerberos authentication must succeed.
