Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Auditing a Trusted System
Chapter 8 799
The audit data shows exactly what the user program passed to the kernel. In
this case the value passed was uninitialized because of an error in the
user's code, but the audit system still correctly records the
uninitialized values that were actually used.
• System calls that take file name arguments may not have device and
inode information properly recorded. The values will be zero if the
call does not complete successfully.
• Auditing the superuser while using the SAM interface to change
event or system call parameters will result in a long audit record. For
example, when you add an event type to be audited in SAM, a record
will be produced for each event type and system call that has been
enabled for audit, not just for the new event type being added.
Guidelines for Administering Your Auditing System
We recommend that you use the following guidelines when
administering your system:
1. Check the audit logs once a day at a minimum. An online audit file
should be retained for at least 24 hours and all audit records stored
off-line should be retained for a minimum of 30 days.
2. Review the audit log for unusual activities, such as late-hours logins,
login failures, failed access to system files, and failed attempts to
perform security-relevant tasks.
3. Prevent the overflow of the audit file by archiving daily.
4. Revise current selectable events periodically, especially after
installing new releases of HP-UX, since new system calls are often
introduced in new releases.
5. Revise audited users periodically.
6. Do not follow any pattern or schedule for event or user selection.
7. Set site guidelines. Involve users and management in determining
these guidelines.
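The following script is an added example, not code from the HP-UX guide. It shows how guidelines 1 through 3 (daily review, looking for the listed unusual activities, and daily archiving with a 30-day off-line retention) can be scripted in POSIX shell and awk. The sample audit lines and their six-field layout are constructed for this example; a real dump of the HP-UX audit trail has its own layout, so the awk field positions would need to be adapted to your output. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): a daily audit-review and archive
# helper. The record layout below is CONSTRUCTED for this example:
#   "<date> <time> <user> <event> <outcome> <object>"
# Adjust the awk field numbers to match the format of your own audit dump.

# Constructed sample audit records (not real HP-UX output).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2024-03-01 09:12:04 alice login success tty0
2024-03-01 23:47:11 bob login success tty1
2024-03-01 23:48:30 bob open failure /etc/passwd
2024-03-02 02:15:02 carol login failure tty2
2024-03-02 10:05:59 alice open success /home/alice/notes
2024-03-02 10:06:10 dave audevent failure -
EOF

# review_audit FILE: print one line per suspicious record, prefixed with the
# reason it was flagged (the categories follow guideline 2 above).
review_audit() {
    awk '
    {
        split($2, t, ":"); hour = t[1] + 0
        if ($4 == "login" && $5 == "success" && (hour >= 22 || hour < 6))
            print "LATE-HOURS-LOGIN:", $0
        else if ($4 == "login" && $5 == "failure")
            print "LOGIN-FAILURE:", $0
        else if ($5 == "failure" && ($6 ~ "^/etc/" || $6 ~ "^/sbin/" || $6 ~ "^/usr/"))
            print "FAILED-SYSTEM-FILE-ACCESS:", $0
        else if ($5 == "failure")
            print "FAILED-PRIVILEGED-TASK:", $0
    }' "$1"
}

# count_findings FILE: number of flagged records, for a one-line daily summary.
count_findings() {
    review_audit "$1" | wc -l | tr -d ' '
}

# archive_audit FILE ARCHIVE_DIR: copy the audit file into the off-line archive
# under a date-stamped, read-only name, then prune copies older than 30 days
# (guideline 1 retention). On HP-UX you would first switch the kernel to a
# fresh audit file (via SAM or the audsys command) so that the copied file is
# no longer being written; that step is outside this example.
archive_audit() {
    mkdir -p "$2"
    dest="$2/audit-$(date +%Y%m%d-%H%M%S)"
    cp "$1" "$dest" && chmod 0400 "$dest"
    find "$2" -name 'audit-*' -mtime +30 -exec rm -f {} +
    echo "$dest"
}

# Daily run against the constructed sample:
#   review_audit "$SAMPLE_LOG"
#   archive_audit "$SAMPLE_LOG" /var/audit-archive
```

Run once a day from cron, feeding it the previous day's audit file; the flagged lines are what a reviewer reads, and the archive directory is what gets copied off-line.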
Performance Considerations
Auditing increases system overhead. When performance is a concern, be
selective about what events and users are audited. This can help reduce
the impact of auditing on performance.