White Paper
• HP-UX Auditing System Extensions (HP-UX 11i v3)
The auditing system is installed as part of the base HP-UX 11i v3 distribution. However, the Auditing
System Extensions bundle must be installed to make use of the AudReport and AudFilter product
features.
Both products are available on software.hp.com and have Release Notes on the Business Support
Center that contain details about product compatibility, installation requirements, patch requirements,
and installation instructions.
Configuration
This section describes guidelines and steps for configuring users for audit, configuring events for
audit, and configuring roles.
Configuring users for audit
Users are audited depending on the value of either the system wide AUDIT_FLAG security attribute or
the per-user AUDIT_FLAG security attribute. The AUDIT_FLAG security attribute is described in
security(4). A user is audited if either of the following conditions is true:
• The user AUDIT_FLAG is set to 1.
• The system wide AUDIT_FLAG is set to 1.
To set the system wide and per-user AUDIT_FLAG values, use either of the following methods:
• userdbset command. See userdbset(1M) and userdb(4).
• HP-UX Security Attributes Configuration tool. See secweb(1M).
The audit user selection policy is based on the AUDIT_FLAG setting for the user responsible for the
event. The responsible user is traced back to the original login user, not to the user corresponding to
the real or effective user at the moment an event happens. For example, a user logs in as user “Joe”
and then either executes a setuid program to run as user “Ben” or issues the su command to the
target user “Ben.” All events that occur while “Joe” is running as “Ben” are attributable to the original
login user “Joe” and are audited depending on the AUDIT_FLAG security attribute for login user
“Joe,” not on the AUDIT_FLAG security attribute for user “Ben.” For su(1), you can modify this user
selection policy to audit based on the target user (see the description of the bypass_setaud flag in
pam_hpsec(5)), but only if su(1) requires the source user to be authenticated and the authentication is
successful. Because root does not need to authenticate when invoking su(1), users logged in as root
are always audited as user root, regardless of the bypass_setaud flag setting for su(1).
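The selection policy above, written out as a small decision model. This is an added illustration, not HP-UX code: the AUDIT_FLAG values, the su(1) bypass_setaud setting and the user names are constructed inputs, and the function names are assumptions made for the example.

```python
# Illustrative model of the HP-UX audit user-selection policy (added example,
# not HP-UX source). AUDIT_FLAG values are modelled as plain integers.
from dataclasses import dataclass, field


@dataclass
class AuditConfig:
    system_audit_flag: int = 0                   # system-wide AUDIT_FLAG, security(4)
    user_audit_flags: dict = field(default_factory=dict)  # per-user AUDIT_FLAG, userdb(4)
    su_bypass_setaud: bool = False               # bypass_setaud for su(1), pam_hpsec(5)


def responsible_user(login_user, target_user, cfg, via_su=False, su_authenticated=False):
    """Return the user whose AUDIT_FLAG decides whether an event is audited.

    Events are attributed to the original login user, even after a setuid
    program or su(1). The only exception is su(1) with bypass_setaud set, and
    only when su(1) required and successfully completed authentication.
    """
    # root never authenticates to su(1), so the bypass can never apply to it.
    if login_user == "root":
        su_authenticated = False
    if via_su and cfg.su_bypass_setaud and su_authenticated:
        return target_user
    return login_user


def user_selected_for_audit(user, cfg):
    """A user is audited if the per-user flag or the system-wide flag is 1."""
    return cfg.user_audit_flags.get(user, 0) == 1 or cfg.system_audit_flag == 1


def event_audit_decision(login_user, target_user, cfg, via_su=False, su_authenticated=False):
    """Return (attributed_user, audited) for an event in the current session."""
    who = responsible_user(login_user, target_user, cfg, via_su, su_authenticated)
    return who, user_selected_for_audit(who, cfg)


if __name__ == "__main__":
    # Constructed example: Joe is selected for audit, Ben is not.
    cfg = AuditConfig(user_audit_flags={"Joe": 1, "Ben": 0})
    print(event_audit_decision("Joe", "Ben", cfg, via_su=True, su_authenticated=True))
```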
If a user is not selected for auditing, audit records associated with the user are generated in the
following cases:
• When the user starts or ends a login session. Those events are considered system
events rather than user events and are therefore generated based on whether the login event is
being audited rather than whether the user is being audited.
• By programs that do self-auditing and make arbitrary decisions to ignore the user selection.
• If Audit Filtering (11i v3 only) is configured to generate audit records for those users who are not
selected for auditing using the !audited_process flag. See filter.conf(4).
• System call auditing of inetd spawned daemons if inetd is not started with the -a option.
If a user is selected for auditing, audit records associated with the user are not generated in the
following case: