About HP DCE/9000 Version 1.7

Notes, Cautions and Warnings Regarding This Release

HP-UX Integrated Login Utilities

Most systems will require the transfer of account information from /etc/passwd to the DCE Security Registry before the system will be useful.

The script /usr/sbin/auth.adm is supplied to activate the integrated login utilities once your system has been set up with the needed accounts. See Chapter 6 for more information about using the /usr/sbin/auth.adm script.

Do not use the auth.adm script to activate the HP-UX Integrated Login utilities until after you have set up the accounts necessary for your site in the DCE Security Service registry.

The DCE Audit Service

The DCE Audit Service, first released with HP DCE 1.4.x, provides auditing capabilities for the DCE Security and Time services.

By default, all audit events are disabled (not logged). As part of the default DCE configuration start-up, the DCEAUDITFILTERON environment variable is set. When set, DCEAUDITFILTERON specifies that audit event filtering must be used to enable logging of the desired set of audit events.

To enable auditing, the auditd server process must be started on every system where auditing is desired. As part of the standard DCE configuration start-up for auditd, a set of audit filters is specified for the Security, DTS and auditd server processes. (You can modify these filters as necessary for your site.)

You will need to do some planning to determine the degree of auditing appropriate for your site, and to allow for the disk space overhead of your audit logs. If you want to do some auditing, such as logging and tracking modifications to the security registry database, audit filtering is highly recommended. With audit filtering, you can change the types of events being audited dynamically, without restarting the servers for the changes to take effect.

Planning and Configuring HP DCE 1.7