HP UX Auditing System Extensions Auditing system extensions (HP-UX11i v3 only)

Failed login attempt - login incorrect.

Failed login attempt - anonymous password not rfc822. (ipcopen)

The login event for the Service=su self-audit event is only generated when the pam.conf entry for su does not have the bypass_setaud flag set and when source user is not root. See

pam_hpsec(5).

Dynamically Linked Kernel Modules

DLKMs can generate the following self-audit records:

•Command command tried to execute code from stack

•Command command has core dumped

•logoff event: Service=telnetloginsshshellexec User=login_user (login) Generated only when AudReport product is installed.

•logoff event SID session_id PGRP process_group PPID parent_pid PID pid program (login) Generated only when AudReport product is not installed

Auditing system extensions (HP-UX 11i v3 only)

On HP-UX 11i v3, HP-UX Auditing System Extensions extends the features of the HP-UX Auditing System by offering the following features and benefits to better facilitate regulatory compliance:

•Enhanced audit data (for example, program name and source IP address)

•Enhanced filtering capabilities to filter non-relevant data based on customer-specific needs and improve the quality of the audit trail

•Performance improvement by reducing the I/O activities of logging events that are not required to be logged

•Enhanced manageability of the audit log data

•Command line interface and a set of open APIs for extracting audit data

•Tools to generate web-based audit reports from HP-UX raw audit data

HP-UX Auditing System Extensions provides two major products for enhanced audit record filtering and reporting.

Audit Filtering

Audit Filtering features are available on HP-UX 11i v3 with the AudFilter product that contains a set of tools to customize and enforce the audit data pre-filtering policy on the system and the audit_filters DLKM that makes filtering decisions and enforces the filtering policy in the kernel. An efficient pre-filtering policy controls the size and quality of the raw data, minimizes the performance impact of auditing, and reduces the operational cost associated with audit data management. The AudFilter product consists of the following major components:

•The filter.conf configuration file that specifies the rule-based audit record pre-filtering policy enforced in the kernel. For more information, see filter.conf(4).

•The audfilter configuration tool to interpret the filtering policy as specified in the configuration file, filter.conf, and to implement the policy. You can also use the audfilter tool to display or clear out the filtering policy currently being enforced in the kernel. For more information, see audfilter(1M).

•The audfilterd service daemon handles service requests from the audfilter tool, and reevaluates and reloads the filtering policy whenever the mounted file system table changes. For more information, see audfilterd(1M).

13