White Paper
22
– Audit Trail Reports (auditdp) in HP-UX 11i v3. In addition, you can use the following tools in /opt/audit/AudReport/bin:

audit_p2l — This sample script demonstrates how to convert audit data in portable format (see audit_hpux_portable(5)) to message lines similar to syslog. The script takes no options or arguments. It reads portable audit data from stdin and outputs the message lines to stdout. For example, to convert HP-UX raw audit data to messages in follow mode and store the results in /var/adm/auditlog, issue the following command line:

$ auditdp -r <raw_audit_log> -P -o follow -O sync | \
    audit_p2l > /var/adm/auditlog &

auditreport_generator — This sample script demonstrates how to use the auditdp command (see auditdp(1M)) to generate a collection of web-based audit reports, for example, login history data, logoff history data, su history data, a root account activities report, and a file access report.

auditreport_setup_web — This sample script sets up the Apache server properly to bring up the generated audit reports in a web browser. It includes setting up the password that is required to access the audit reports through the web, setting up the http alias, and restarting or bringing up the Apache server.
Audit log configuration, security, and protection
Ensuring the confidentiality, integrity, and availability of logs is very important. As you plan for this, remember the following:
• Logging mechanisms must neither be deactivated nor compromised, so that logging services continue to operate in the event of an incident.
• Ensure that log files cannot be edited or deleted. Generally, only administrators and auditors should have access to log files, and only for review and management. All privileged-user (administrator and auditor) access must be logged and reviewed thoroughly and frequently by others outside that user domain.
• Communications must be protected with mechanisms such as encryption (for example, HP-UX IPSec and SSL).
• Protect the confidentiality and integrity of log files using message digests, encryption, or digital signatures.
• Provide adequate physical protection for logging mechanisms and stored logs by preventing unauthorized physical access.
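As an added illustration of the message-digest point above (example code, not part of this paper or the HP-UX audit tools), the following keyed digest chain seals the syslog-style lines that audit_p2l writes so that an auditor can later detect an edited, deleted, reordered, or appended line. The sample lines, the key, and the function names are assumptions; the exact field layout of audit_p2l output is not shown on the page.

```python
"""Tamper-evident keyed digest chain over audit message lines (added example).

Each line's seal covers the line and the previous seal, so deleting or
reordering a line breaks every seal after it. The key must be held off the
audited host (for example, by the auditor); a privileged user who can edit
the log and also holds the key could simply re-seal it.
"""
import hashlib
import hmac

CHAIN_START = b"audit-chain-start"  # constant starting value for the chain

# Constructed sample lines in a syslog-like form; the real audit_p2l field
# layout is not specified here and may differ.
SAMPLE_LINES = [
    "Jan 10 09:12:01 hpux01 audit: login user=alice tty=pts/0 result=success",
    "Jan 10 09:15:44 hpux01 audit: su user=alice to=root result=success",
    "Jan 10 09:16:02 hpux01 audit: open user=root file=/etc/passwd flags=rw",
    "Jan 10 09:20:17 hpux01 audit: logoff user=alice tty=pts/0",
]


def seal_lines(lines, key):
    """Return one hex seal per line, chained through the previous seal."""
    prev = CHAIN_START
    seals = []
    for line in lines:
        mac = hmac.new(key, prev + b"\n" + line.encode(), hashlib.sha256).digest()
        seals.append(mac.hex())
        prev = mac
    return seals


def verify_lines(lines, seals, key):
    """Return the index of the first line that fails verification, or None.

    A log that lost lines from its end is reported at the index of the first
    missing line; lines appended after sealing are reported at len(seals).
    """
    prev = CHAIN_START
    for i, seal in enumerate(seals):
        if i >= len(lines):
            return i
        mac = hmac.new(key, prev + b"\n" + lines[i].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac.hex(), seal):
            return i
        prev = mac
    if len(lines) > len(seals):
        return len(seals)
    return None
```

The seal list is meant to be stored separately from the log (for example, shipped to the auditor's host together with the key), since a seal file living beside the log on the same system gives no protection against a privileged editor.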
Troubleshooting
This section describes potential problems and their solutions. To stay current with product updates and patches, monitor the HP security software news and events web site at www.hp.com/security.
• Self-audit login events are being generated for users even though they are disabled for auditing.
When a user remotely logs in using telnet, ssh, or remsh, user authentication is performed by the pam_hpsec(5) PAM module. The module always generates self-audit login events, regardless of whether auditing for the user is enabled (AUDIT_FLAG=1) or disabled (AUDIT_FLAG=0). Likewise, logoff events are generated by a DLKM when the user logs off.
• System call level events are being generated for daemons spawned by inetd (for example, telnetd(1M) and remshd(1M)) even though auditing is disabled for user root.