The root user runs su - non_root_user, where the target non-root user is being audited. When the root user switches to another user, the Pluggable Authentication Module (PAM) is not invoked; no authentication is done when running as root. Therefore, audit records are not generated as being triggered by the non-root target user, but are instead attributable to the root user.

Configuring events for audit

Use the audevent(1M) command to specify system activities (auditable events) that you want to audit. Auditable events are classified into event categories and profiles for easier configuration. After an event category or a profile is selected, all system calls and self-auditing events associated with that event category or profile are selected. When the auditing system is installed, a default set of event classification information is provided in the /etc/audit/audit.conf file. To meet site-specific requirements, you can also define event categories and profiles in /etc/audit/audit_site.conf. For more information, see audit.conf(4) and audevent(1M).

On HP-UX 11i v3, the AudFilter product enables you to audit events not audited according to audevent(1M) by specifying a filtering rule that contains the !audited_event directive.

Configuring audit filtering

To configure and load audit filtering, follow these steps:

1. Customize the filtering rules in /etc/audit/filter.conf. The filter.conf file contains the rule-based audit filtering policy that the auditing subsystem uses to determine what activities to audit on the system. For more information, see filter.conf(4).

2. Start the filter daemon as follows:

# audfilterd -s

The audfilterd service daemon handles service requests from the audfilter(1M) configuration tool, and reevaluates and reloads the filtering policy whenever the mounted file system table changes. For more information, see audfilterd(1M).

3. Load the filtering rules as follows:

# audfilter -c

The audfilter configuration tool interprets the filtering policy as specified in the filter.conf configuration file and implements the policy. Use audfilter to display or clear out the filtering policy currently in effect.

Configuring audit settings to be preserved across reboots

To preserve audit settings across reboots, edit the /etc/rc.config.d/auditing file and make the following changes as needed:

AUDITING flag – Set to 1 to enable the auditing system at system startup.

Primary and secondary log files

PRI_AUDFILE – Absolute pathname of the audit trail where audit records begin to be logged.

PRI_SWITCH – Switch size (maximum size in kilobytes) for the primary audit trail.

SEC_AUDFILE – The trail to which the audit system switches when the primary reaches switch size.

SEC_SWITCH – Switch size (maximum size in kilobytes) for the secondary audit trail.
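To catch a bad value before the next reboot silently leaves the system unaudited, the following added example (written for this page, not taken from the HP-UX manual) checks a copy of /etc/rc.config.d/auditing for the settings listed above. The variable names are the manual's; the consistency rules it applies (absolute trail paths, distinct primary and secondary trails, positive switch sizes) and the sample file it constructs are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the HP-UX manual: sanity-check the settings this
# section describes in a copy of /etc/rc.config.d/auditing before a reboot.
# get_setting FILE NAME: print the value of NAME=value (last one wins, quotes stripped)
get_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -1 | tr -d '"'
}
# check_auditing_conf FILE: print problems, return 0 only if every check passes
check_auditing_conf() {
    conf="$1"; rc=0
    auditing=$(get_setting "$conf" AUDITING)
    pri=$(get_setting "$conf" PRI_AUDFILE)
    sec=$(get_setting "$conf" SEC_AUDFILE)
    pri_sw=$(get_setting "$conf" PRI_SWITCH)
    sec_sw=$(get_setting "$conf" SEC_SWITCH)
    # AUDITING must be 0 or 1; only 1 starts the auditing system at boot
    case "$auditing" in
        1) ;;
        0) echo "note: AUDITING=0, auditing will not start at boot" ;;
        *) echo "error: AUDITING must be 0 or 1, got '$auditing'"; rc=1 ;;
    esac
    # both trails must be absolute pathnames and must differ (switching to the same file is pointless)
    for f in "$pri" "$sec"; do
        case "$f" in
            /*) ;;
            *) echo "error: audit trail '$f' is not an absolute pathname"; rc=1 ;;
        esac
    done
    [ "$pri" != "$sec" ] || { echo "error: PRI_AUDFILE and SEC_AUDFILE are the same trail"; rc=1; }
    # switch sizes are in kilobytes and must be positive integers
    for s in "PRI_SWITCH=$pri_sw" "SEC_SWITCH=$sec_sw"; do
        case "${s#*=}" in
            ''|*[!0-9]*|0) echo "error: ${s%%=*} must be a positive integer (KB), got '${s#*=}'"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample file (paths are illustrative, not a real system's values)
sample=$(mktemp)
cat > "$sample" <<'EOF'
AUDITING=1
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/var/.audit/audfile2
SEC_SWITCH=1000
EOF
check_auditing_conf "$sample" && echo "ok: $sample passes all checks"
rm -f "$sample"
```

Run it against a copy of the live file (check_auditing_conf /etc/rc.config.d/auditing) as root; a non-zero exit means at least one setting would not behave as intended at startup.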

Number of log files in an audit trail

Page 16
HP UX Auditing System Extensions manual Configuring events for audit, Configuring audit filtering