White Paper
13
Failed login attempt - login incorrect. |
Failed login attempt - anonymous password not rfc822. (ipcopen)
The login event for the Service=su self-audit record is generated only when the pam.conf entry
for su does not have the bypass_setaud flag set and the source user is not root. See
pam_hpsec(5).
Dynamically Linked Kernel Modules
DLKMs can generate the following self-audit records:
• Command command tried to execute code from stack
• Command command has core dumped
• logoff event: Service=telnet|login|ssh|shell|exec User=login_user (login)
  Generated only when the AudReport product is installed.
• logoff event SID session_id PGRP process_group PPID parent_pid PID pid program (login)
  Generated only when the AudReport product is not installed.
Auditing system extensions (HP-UX 11i v3 only)
On HP-UX 11i v3, HP-UX Auditing System Extensions extends the HP-UX Auditing System with the
following features and benefits to better facilitate regulatory compliance:
• Enhanced audit data (for example, program name and source IP address)
• Enhanced filtering capabilities to filter non-relevant data based on customer-specific needs and
improve the quality of the audit trail
• Performance improvement by reducing the I/O activity spent logging events that are not required to
be logged
• Enhanced manageability of the audit log data
• Command line interface and a set of open APIs for extracting audit data
• Tools to generate web-based audit reports from HP-UX raw audit data
HP-UX Auditing System Extensions provides two major products for enhanced audit record filtering
and reporting.
Audit Filtering
Audit Filtering is available on HP-UX 11i v3 through the AudFilter product, which contains a set of
tools to customize and enforce the audit data pre-filtering policy on the system, and the
audit_filters DLKM, which makes filtering decisions and enforces the filtering policy in the kernel.
An efficient pre-filtering policy controls the size and quality of the raw data, minimizes the
performance impact of auditing, and reduces the operational cost associated with audit data
management. The AudFilter product consists of the following major components:
• The filter.conf configuration file that specifies the rule-based audit record pre-filtering policy
enforced in the kernel. For more information, see filter.conf(4).
• The audfilter configuration tool to interpret the filtering policy as specified in the configuration
file, filter.conf, and to implement the policy. You can also use the audfilter tool to display
or clear out the filtering policy currently being enforced in the kernel. For more information, see
audfilter(1M).
• The audfilterd service daemon, which handles service requests from the audfilter tool and
reevaluates and reloads the filtering policy whenever the mounted file system table changes. For
more information, see audfilterd(1M).
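The following is an added example, not code from the white paper or from HP-UX. It covers two of the passages above: it parses the self-audit record formats listed under Dynamically Linked Kernel Modules (the stack-execution and core-dump records, both logoff event formats, and a failed login attempt) into structured fields, and then applies a small rule-based pre-filter of the kind the Audit Filtering section describes, keeping security-relevant records while dropping routine ones. The sample lines are constructed to match the formats printed on this page, not captured audit output; the rule objects and the severity labels are this example's own conventions and do not reproduce the filter.conf(4) syntax or any audfilter(1M) option.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the self-audit record formats the white paper
# lists. They are not captured HP-UX audit output.
SAMPLE_RECORDS = [
    "Command /usr/local/bin/srv tried to execute code from stack",
    "Command /opt/app/bin/worker has core dumped",
    "logoff event: Service=ssh User=alice",
    "logoff event: Service=telnet User=bob",
    "logoff event SID 4242 PGRP 4242 PPID 1 PID 4301 /usr/bin/ksh",
    "Failed login attempt - login incorrect.",
    "some unrelated line",
]

# One regex per record format; named groups become the parsed fields.
_PATTERNS = [
    ("exec_from_stack",
     re.compile(r"^Command (?P<command>\S+) tried to execute code from stack$")),
    ("core_dump",
     re.compile(r"^Command (?P<command>\S+) has core dumped$")),
    ("logoff_audreport",   # format used when AudReport is installed
     re.compile(r"^logoff event: Service=(?P<service>telnet|login|ssh|shell|exec) "
                r"User=(?P<user>\S+)$")),
    ("logoff_raw",         # format used when AudReport is not installed
     re.compile(r"^logoff event SID (?P<sid>\d+) PGRP (?P<pgrp>\d+) PPID (?P<ppid>\d+) "
                r"PID (?P<pid>\d+) (?P<program>\S+)$")),
    ("failed_login",
     re.compile(r"^Failed login attempt - (?P<reason>.+?)\.?$")),
]

# Severity labels are this example's convention, not something the white paper defines.
SEVERITY = {
    "exec_from_stack": "high",    # executable-stack protection fired: likely exploitation attempt
    "core_dump": "medium",
    "failed_login": "medium",
    "logoff_audreport": "info",
    "logoff_raw": "info",
}


def parse_record(line):
    """Return a dict with 'kind', 'severity' and the named fields, or None if no format matches."""
    for kind, pattern in _PATTERNS:
        m = pattern.match(line.strip())
        if m:
            rec = {"kind": kind, "severity": SEVERITY[kind]}
            rec.update(m.groupdict())
            return rec
    return None


def parse_records(lines):
    """Parse every line; return (parsed records, lines that matched no known format)."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            unparsed.append(line)   # keep unknown lines visible rather than silently dropping them
        else:
            parsed.append(rec)
    return parsed, unparsed


@dataclass
class Rule:
    """One hypothetical pre-filter rule: if every field in `match` equals the record's value, apply `action`."""
    action: str     # "keep" or "drop"
    match: dict

    def matches(self, rec):
        return all(rec.get(k) == v for k, v in self.match.items())


# Hypothetical policy (not filter.conf syntax): first matching rule wins, unmatched records are kept.
HYPOTHETICAL_POLICY = [
    Rule("keep", {"kind": "exec_from_stack"}),                    # never drop security-relevant events
    Rule("drop", {"kind": "logoff_audreport", "service": "ssh"}),  # routine ssh logoffs only add volume
    Rule("drop", {"kind": "logoff_raw"}),
]


def apply_policy(records, policy, default="keep"):
    """Split records into (kept, dropped) according to the first matching rule."""
    kept, dropped = [], []
    for rec in records:
        action = default
        for rule in policy:
            if rule.matches(rec):
                action = rule.action
                break
        (kept if action == "keep" else dropped).append(rec)
    return kept, dropped


if __name__ == "__main__":
    records, unknown = parse_records(SAMPLE_RECORDS)
    kept, dropped = apply_policy(records, HYPOTHETICAL_POLICY)
    for rec in kept:
        print(rec["severity"].upper(), rec["kind"], rec)
    print(f"parsed={len(records)} unknown={len(unknown)} kept={len(kept)} dropped={len(dropped)}")
```

The point of the split between parse_records and apply_policy is the one the white paper makes about pre-filtering: the policy decides what is worth writing, but the record formats must be recognised first, and anything that matches no known format should surface as unparsed rather than vanish. A "keep" rule listed before the "drop" rules is the safeguard that keeps a volume-reduction policy from discarding the exec-from-stack record, which is the one event here a responder most wants to see.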