White Paper

Audit unaware
Some self-auditing programs neither invoke the audswitch(2) system call to suspend system call
auditing on themselves nor directly invoke audwrite(2) to generate self-audit records. Instead,
these privileged programs invoke a library routine that generates the self-auditing event on their behalf.
For example, telnetd(1M) is a privileged program that invokes the pam_hpsec(5) PAM module
for authenticating users. The hpsec PAM module invokes the audwrite(2) system call to generate
successful and failed login self-audit events on behalf of telnetd. In addition, a logoff self-auditing
event is generated on telnetd's behalf by a DLKM (dynamically loadable kernel module).
The following self-auditing programs invoke the hpsec PAM module for authenticating users:
telnetd(1M), rlogind(1M), sshd(1M), remshd(1M), rexecd(1M), su(1), ftpd(1M)

Self-audit record formats generated on their behalf (login, ipcopen):

login event: Service=telnet|login|ssh|ftp User=login_user Status=Successful (login)
login event: Service=shell|exec User=login_user Status=Successful Command="command & args" RemoteUser=remote_user
login event: Service=telnet|login|ssh|ftp User=login_user Status=Failed ("Authentication failed") (login)
login event: Service=su User=target_user Status=Failed("Authentication failed")
login event: Service=ftp User=login_user Status=Failed
login event: Service=telnet|login User=login_user Status=Failed ("No account present for user") (login)
login event: Service=shell|exec User=login_user Status=Failed("Access denied by ruserok.") Command="command & args" RemoteUser=remote_user

Networking service = telnet|rlogin|rexec|shell
Request outcome = success|failure
Validation tool = unspecified|passwd
Service event = start_of_service|unspecified
Remote system = ip address
Remote user = username|unspecified
Local system = ip address
Local user = username|uid|unspecified
Login successful. User = username |
Access denied by ruserok |
exec "login -p -h remotehost login_user" |
Executing login pid = pid. (ipcopen)

Networking service = ftp
Request outcome = success|failure
Validation tool = unspecified|passwd
Service event = start_of_service|unspecified
Remote system = ip address
Remote user = username|unspecified
Local system = ip address
Local user = username|uid|unspecified
Login successful. User = username |
Repeated login failures. |
Failed login attempt - shell not in /etc/shells. |
Failed login attempt - name in /etc/ftpd/ftphosts. |
Failed login attempt - Anonymous FTP access denied. |
Failed login attempt - guest login not permitted. |
Failed login attempt - user unknown. |
Failed login attempt - user access denied. |
Failed login attempt - Kerberos authentication must succeed. |
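As an added example, not part of this white paper and not HP-UX code, the following Python parser reads the "login event:" self-audit record format listed above and tallies failures per user and per stated reason, the kind of summary an audit-review or detection job would compute over the audit trail. The sample records are constructed to match the documented formats (user names, commands and the failure threshold are assumptions); the field-per-line (ipcopen) record formats are not parsed here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Status is followed by an optional quoted reason, written either attached,
# as in Status=Failed("..."), or separated by a space, as in Status=Failed ("...").
STATUS_RE = re.compile(r'Status=(Successful|Failed)\s*(?:\(\s*"([^"]*)"\s*\))?')
# The remaining fields are key=value, where value is a quoted string
# (Command="command & args") or a run of non-blank characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PREFIX = "login event:"


@dataclass
class LoginEvent:
    service: str
    user: str
    status: str
    reason: Optional[str] = None
    command: Optional[str] = None
    remote_user: Optional[str] = None

    @property
    def failed(self) -> bool:
        return self.status == "Failed"


def parse_login_event(line: str) -> LoginEvent:
    """Parse one 'login event:' self-audit record into a LoginEvent."""
    if not line.startswith(PREFIX):
        raise ValueError(f"not a login event record: {line!r}")
    body = line[len(PREFIX):].strip()
    m = STATUS_RE.search(body)
    if m is None:
        raise ValueError(f"missing Status field: {line!r}")
    status, reason = m.group(1), m.group(2)
    # Cut the Status clause out first so its parenthesised reason text
    # cannot be mistaken for key=value fields by FIELD_RE.
    rest = body[: m.start()] + body[m.end():]
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in FIELD_RE.findall(rest)}
    try:
        return LoginEvent(
            service=fields["Service"],
            user=fields["User"],
            status=status,
            reason=reason,
            command=fields.get("Command"),
            remote_user=fields.get("RemoteUser"),
        )
    except KeyError as exc:
        raise ValueError(f"missing {exc} field: {line!r}") from None


def summarize_failures(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count failed login events per user; return users at or above threshold."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_login_event(line)
        if ev.failed:
            counts[ev.user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def failure_reasons(lines: List[str]) -> Counter:
    """Tally the quoted reason of each failed event ('unspecified' when none)."""
    return Counter(ev.reason or "unspecified"
                   for ev in map(parse_login_event, lines) if ev.failed)


# Constructed sample records in the documented formats (not real audit data).
SAMPLE = [
    'login event: Service=telnet User=alice Status=Successful',
    'login event: Service=ssh User=bob Status=Failed ("Authentication failed")',
    'login event: Service=su User=root Status=Failed("Authentication failed")',
    'login event: Service=shell User=carol Status=Successful Command="ls -l /tmp" RemoteUser=carol',
    'login event: Service=exec User=dave Status=Failed("Access denied by ruserok.") Command="id" RemoteUser=mallory',
    'login event: Service=ftp User=bob Status=Failed',
    'login event: Service=telnet User=eve Status=Failed ("No account present for user")',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_login_event(line))
    print("users with >= 2 failures:", summarize_failures(SAMPLE, threshold=2))
    print("failure reasons:", dict(failure_reasons(SAMPLE)))
```

The Status clause is removed before the generic key=value scan so that a reason such as "Access denied by ruserok." never contributes a bogus field, and Command is read as one quoted value so that a command containing "=" or spaces stays intact; the threshold is a placeholder to tune against the site's own baseline.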