Audit unaware

Some self-auditing programs do not invoke the audswitch(2) system call to suspend system call auditing on themselves, nor directly invoke audwrite(2) to generate self-audit records. Instead, these privileged programs invoke a library routine that generates a self-auditing event on its behalf. For example, telnetd(1M) is a privileged program that invokes the pam_hpsec(5) PAM module for authenticating users. The hpsec PAM module invokes the audwrite(2) system call to generate successful and failed login self-audit events on behalf of telnetd. In addition, a logoff self-auditing event is generated on telnetd’s behalf by a DLKM.

The following self-auditing programs invoke the hpsec PAM module for authenticating users:

telnetd(1M), rlogind(1M), sshd(1M), remshd(1M), rexecd(1M), su(1), ftpd(1M)

(login,ipcopen)

login event: Service=telnetloginsshftp User=login_user Status=Successful (login)

login event: Service=shellexec User=login_user Status=Successful Command="command & args" RemoteUser=remote_user

login event: Service=telnetloginsshftp> User=login_user Status=Failed ("Authentication failed") (login)

login event: Service=su User=target_user Status=Failed("Authentication failed")

login event: Service=ftp User=login_user Status=Failed

login event: Service=telnetlogin User=login_user Status=Failed ("No account present for user") (login)

login event: Service=shellexec User=login_user Status=Failed("Access denied by ruserok.") Command="command & args" RemoteUser=remote_user

Networking service

=

telnetrloginrexecshell

Request outcome

=

successfailure

Validation tool

=

unspecifiedpasswd

Service event

=

start_of_serviceunspecified

Remote system

=

ip address

Remote user

=

usernameunspecified

Local

system

=

ip address

Local

user

=

usernameuidunspecified

Login successful. User = username

Access denied by ruserok

exec “login –p–hremotehost login_user

Executing login pid = pid.” (ipcopen)

Networking service = ftp

Request outcome

= successfailure

Validation tool

= unspecifiedpasswd

Service event

= start_of_serviceunspecified

Remote system

= ip address

Remote user

= usernameunspecified

Local

system

= ip address

Local

user

= usernameuidunspecified

Login successful. User = username Repeated login failures.

Failed login attempt - shell not in /etc/shells. Failed login attempt - name in /etc/ftpd/ftphosts. Failed login attempt - Anonymous FTP access denied. Failed login attempt - guest login not permitted. Failed login attempt - access denied for user. Failed login attempt - user unknown.

Failed login attempt - user access denied.

Failed login attempt - Kerberos authentication must succeed.

12

Page 11 Page 13
Page 12
Image 12
HP UX Auditing System Extensions Audit unaware, Remote user Usernameunspecified Local System, Networking service = ftp
Page 11 Page 13
Top Page Image Contents