Audit Trail Reports (auditdp) in HP-UX 11i v3. In addition, you can use the following tools in /opt/audit/AudReport/bin:

audit_p2l — This sample script demonstrates how to convert audit data in portable format (see audit_hpux_portable(5)) to message lines similar to syslog. The script takes no options or arguments. It reads portable audit data from stdin and outputs the message lines to stdout. For example, in order to convert HP-UX raw audit data to messages in follow mode and store the results in /var/adm/auditlog, issue the following command line:

$ auditdp -r <raw_audit_log> -P -o follow -O sync | \
    audit_p2l > /var/adm/auditlog &

auditreport_generator — This sample script demonstrates how to use the auditdp command (see auditdp(1M)) to generate a collection of web-based audit reports, for example, login history data, logoff history data, su history data, root account activities report, and file access report.

auditreport_setup_web — This sample script configures the Apache server so that the generated audit reports can be viewed in a web browser. It sets up the password required to access the audit reports through the web, sets up the HTTP alias, and restarts or brings up the Apache server.

Audit log configuration, security, and protection

Ensuring the confidentiality, integrity, and availability of logs is very important. As you plan for this, remember the following:

Logging mechanisms must be neither deactivated nor compromised, so that logging services continue in the event of an incident.

Ensure that log files cannot be edited or deleted. Generally, only administrators and auditors must have access to log files, and only for review and management. All access by privileged users (the administrator and auditor) must be logged, and reviewed thoroughly and frequently by others outside that user domain.

Communications must be protected with mechanisms such as encryption (for example, HP-UX IPSec and SSL).

Protect the confidentiality and integrity of log files using message digests, encryption, or digital signatures.

Provide adequate physical protection for logging mechanisms and stored logs by preventing unauthorized physical access.
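
The message-digest recommendation above can be applied per line, so that an edited, removed, or truncated entry in a file such as /var/adm/auditlog is detectable. The following is an added example, not code from HP-UX or from this document: it chains a keyed digest (HMAC-SHA-256, a step beyond a plain digest) over each line. The sample lines, the key, and the names seal and verify are constructed for illustration, and it assumes the key and the final chain value are stored away from the audited host.

```python
import hashlib
import hmac

# Constructed sample lines in a syslog-like style (not real audit_p2l output).
SAMPLE_LINES = [
    "Jan 10 09:14:02 host1 audit: login user=alice tty=pts/0 result=success",
    "Jan 10 09:20:45 host1 audit: su user=alice target=root result=success",
    "Jan 10 09:31:10 host1 audit: open user=root path=/etc/passwd result=success",
]
DEMO_KEY = b"constructed-demo-key"  # assumption: the real key is kept off the audited host
GENESIS = b"\x00" * 32              # fixed start value for the chain


def _tag(key, prev, line):
    # prev is always 32 bytes, so prev + line is an unambiguous encoding.
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def seal(lines, key):
    """Return ([(line, tag_hex), ...], head_hex); each tag covers the previous tag."""
    records, prev = [], GENESIS
    for line in lines:
        prev = _tag(key, prev, line)
        records.append((line, prev.hex()))
    return records, prev.hex()


def verify(records, key, trusted_head):
    """Return None if intact, else the index of the first record that fails.

    An index equal to len(records) means every stored record checks out but the
    chain does not end at trusted_head, i.e. records were cut from the tail.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        prev = _tag(key, prev, line)
        if not hmac.compare_digest(prev.hex(), tag_hex):
            return i
    if not hmac.compare_digest(prev.hex(), trusted_head):
        return len(records)
    return None


if __name__ == "__main__":
    recs, head = seal(SAMPLE_LINES, DEMO_KEY)
    print("intact:", verify(recs, DEMO_KEY, head))
    recs[1] = (recs[1][0].replace("alice", "bob"), recs[1][1])  # edit one line
    print("first bad record after edit:", verify(recs, DEMO_KEY, head))
```

Without the separately stored head value, removing the most recent entries would pass verification, which is why the chain alone is not enough.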

Troubleshooting

This section describes potential problems and their solutions. To stay current with product updates and patches, monitor the HP security software news and events web site at www.hp.com/security.

Self-audit login events are being generated for users even though they are disabled for auditing.

When a user logs in remotely using telnet, ssh, or remsh, user authentication is performed by the pam_hpsec(5) PAM module. The module always generates self-audit login events, regardless of whether auditing for a user is enabled (AUDIT_FLAG=1) or disabled (AUDIT_FLAG=0).

Likewise, logoff events are generated by a DLKM when the user logs off.

System call level events are being generated for daemons spawned by inetd (for example, telnetd(1M) and remshd(1M)) even though auditing is disabled for user root.
