The inetd daemon honors the AUDIT_FLAG only for the user under whom the service is run when inetd is started with the -a option. Self-audit login and logoff events are generated regardless of the inetd -a option and whether the user is enabled or disabled for auditing. Most inetd services run as user root and disabling auditing for root is not recommended, as this results in no system call auditing of users logged in as root.

After upgrading AuditExt, starting Audit with audsys -n returns the "failed to match audit trail version; specify different audit trail" error.

The version of the audit trail for the upgraded product is newer than the previously installed product. You must disable auditing (audsys -f) before upgrading the AudReport product. To proceed after receiving this error, disable auditing and then enable it to start creating an audit trail with the latest version. The new version can include more audit data for each event, for example, the IP address of the origin of the event, the command name of the event, and the audit session ID.

Note:

Both audisp and auditdp are capable of handling both versions of the audit trails. Therefore, you do not need to know about the internal format of raw audit data.

If a system crash or reboot with the reboot -n command occurs when the audit trail is being written, the audit trail might be corrupted.

Remove the corrupted audit trail and start the audit subsystem.

HP UX Auditing System Extensions manual