HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

1. Deselect auditing for all users by setting AUDIT_FLAG=0 in the
/etc/default/security file.
2. Configure auditing for a specific user using the following command:
# /usr/sbin/userdbset -u user-name AUDIT_FLAG=1
If the audit system is not already enabled, use the audsys -n command to start the auditing
system. Auditing changes take effect at the user's next login.
Auditing Events
An event is an action with security implications, such as creating a file, opening a file, or logging
in to the system. You can audit events on an HP-UX system to enhance security by detecting
possible breaches. However, the more events you choose to audit, the more system resources
are used and the greater the impact on system performance. Your security architect must
determine which events to audit based on your business needs and any applicable government
regulations.
NOTE: HP recommends that you audit the following three events at a minimum:
admin
login
modaccess
Configure the events you want to audit before you turn on the auditing system. When an event
type is selected, its associated system calls are automatically enabled. To configure events for
auditing, use the audevent command. The syntax for the audevent command is as follows:
# audevent [options]
The following options are commonly used with the audevent command:
Table 6-7 audevent command options
audevent options    Description
-P                  Logs successful event operations
-F                  Logs unsuccessful event operations
-e [event]          Specifies an event to log
-l                  Displays a complete list of event types and associated system calls
-S or -s            Change event or system call audit status
no option           Display the current status of the selected events or system calls
For example, to configure admin, login, and modaccess for auditing, enter the following
command:
# audevent -P -F -e admin -e login -e modaccess
The -P and -F options select both Audit Success and Audit Failure, so successful and
failed events or system calls are both monitored. This is the minimum event type selection
recommended for running a system.
A record is written when an event type is selected for auditing, and the user initiating the event
has been selected for auditing. The login event is an exception. Once selected, the login event
will be recorded whether or not the user logging in has been selected for auditing.
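The per-user procedure and the event configuration above, combined into one script in the order the guide gives: default flag off, per-user flag on, events selected, then audsys -n. This is an added example, not part of the HP guide; the function names and the SECURITY_FILE, DRY_RUN and EVENTS variables are assumptions, and with DRY_RUN=1 (the default) the steps are only printed.

```shell
#!/bin/sh
# Added example, not from the HP guide: per-user auditing in the guide's order.
# Assumed names: SECURITY_FILE, DRY_RUN, EVENTS and all function names.
SECURITY_FILE=${SECURITY_FILE:-/etc/default/security}
DRY_RUN=${DRY_RUN:-1}                       # 1 = print each step, do not run it
EVENTS=${EVENTS:-"admin login modaccess"}   # minimum set named in the NOTE

# Execute one step, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Set AUDIT_FLAG=<value> in <file>: keep every other line, drop any existing
# AUDIT_FLAG line, append exactly one. Rewrites in place (owner/mode kept).
set_default_audit_flag() {
    sec_file=$1; flag=$2
    [ -f "$sec_file" ] || : > "$sec_file"
    kept=$(grep -v '^[[:space:]]*AUDIT_FLAG=' "$sec_file" || true)
    {
        if [ -n "$kept" ]; then printf '%s\n' "$kept"; fi
        echo "AUDIT_FLAG=$flag"
    } > "$sec_file"
}

# usage: audit_users user... ; all names are validated before any change.
audit_users() {
    for u in "$@"; do
        case $u in
            ''|-*|*[!A-Za-z0-9._-]*) echo "invalid user name: $u" >&2; return 1 ;;
        esac
    done
    run set_default_audit_flag "$SECURITY_FILE" 0      # step 1: nobody by default
    for u in "$@"; do
        run /usr/sbin/userdbset -u "$u" AUDIT_FLAG=1   # step 2: selected users
    done
    set --                                             # build "-e event" pairs
    for e in $EVENTS; do set -- "$@" -e "$e"; done
    run audevent -P -F "$@"    # events are configured before auditing is started
    run audsys -n              # needed only if auditing is not already enabled
}

if [ $# -gt 0 ]; then audit_users "$@"; fi
```

Because the login event is recorded for every user once selected, expect login records for accounts that were not passed to audit_users.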
Streamlining Audit Log Data
Some processes invoke a series of actions that can be audited. To reduce the amount of audit log
data collected and to provide for more meaningful notations in the audit log files, some of these