Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Auditing a Trusted System
Chapter 8
An HP-UX Trusted System provides auditing. Auditing is the selective
recording of events for analysis and detection of security breaches.
Using SAM to perform all auditing tasks is recommended as it focuses
choices and helps avoid mistakes. However, all auditing tasks can be
done manually using the following audit commands:

audsys     Starts/stops auditing; sets and displays audit file
           information. See audsys (1M).
audusr     Selects users to be audited. See audusr (1M).
audevent   Changes or displays event or system call status. See
           audevent (1M).
audomon    Sets the audit file monitoring and size parameters. See
           audomon (1M).
audisp     Displays the audit record. See audisp (1M).

The HP-UX Reference provides more details on these commands.

The system supplies default auditing parameters at installation. Some of
these defaults are activated automatically; others have to be enabled.

If auditing is currently turned off, it will be turned on when your
changes are activated. Changes to auditing are retained as new defaults
at system reboot.

By default, when system auditing is on, the audit status for all users
is on. New users added to the system are automatically audited. If you
do not want these users audited, you must explicitly turn auditing off
for them. Changes take effect at the user's next login.

The event types admin, login, and moddac are selected as defaults
by the system. Both Audit Success and Audit Failure are on. This
is the minimum event type selection recommended for running a
Trusted System. Event types are listed in Table 8-3, “Audit Event
Types and System Calls,” on page 794 and Table 8-4, “Audit Event
Types and System Commands,” on page 796.
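
The minimum event selection described above (admin, login, and moddac,
audited for both success and failure) can be checked with a short script.
This is an added example, not part of the HP-UX guide; the listing layout,
the function names, and the sample listing are assumptions constructed for
illustration.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide.
# ASSUMPTION: the event listing has one line per event type shaped like
#   event: <name>: success failure    (or "none", or only one of the two)
# Adjust the field handling if audevent on your release prints another layout.

REQUIRED_EVENTS="admin login moddac"   # minimum selection named in the text

# Reads an event listing on stdin and prints one line per gap.
# Returns 0 when every required event has success and failure on, else 1.
check_min_events() {
    awk -v required="$REQUIRED_EVENTS" '
        BEGIN { n = split(required, req, " ") }
        $1 == "event:" {
            name = $2
            sub(/:$/, "", name)
            for (i = 3; i <= NF; i++)
                if ($i == "success" || $i == "failure") seen[name, $i] = 1
        }
        END {
            gaps = 0
            for (i = 1; i <= n; i++) {
                if (!((req[i], "success") in seen)) { print req[i] ": success not audited"; gaps++ }
                if (!((req[i], "failure") in seen)) { print req[i] ": failure not audited"; gaps++ }
            }
            exit (gaps > 0)
        }'
}

# Constructed sample listing (not real audevent output): login lacks failure.
sample_listing() {
    cat <<'EOF'
event: create: none
event: admin: success failure
event: login: success
event: moddac: success failure
EOF
}

# On a Trusted System, feed the check from audevent (assumed here to list the
# current event status when run without options); elsewhere use the sample.
if command -v audevent >/dev/null 2>&1; then
    audevent | check_min_events || echo "audit baseline incomplete"
else
    sample_listing | check_min_events || echo "audit baseline incomplete (constructed sample)"
fi
```

Run it after any change to the event selection; an empty report and a zero
exit status from check_min_events mean the recommended minimum is in place.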