audit.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

audit(5) audit(5)

NAME

audit - introduction to HP-UX Auditing System

DESCRIPTION

The purpose of the auditing system is to record instances of access by subjects to objects and to allow

detection of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges,

thus acting as a deterrent against system abuses and exposing potential security weaknesses in the sys-

tem.

User and Event Selection

The auditing system provides administrators with a mechanism to select users and activities to be

audited.

On a system that has been converted to trusted mode, users are assigned unique identiﬁers called audit

IDs by the administrator, which remain unchanged throughout a user’s history. See WARNINGS about

trusted mode. The

audusr command is used to specify those users who are to be audited.

On a system that has not been converted to trusted mode, each login session is assigned a unique

identiﬁer called audit tag. The audit tag is a string representing information such as user name and

also setauduser (3) and getauduser (3). The

userdbset

command is used to specify those users who are

to be audited. See userdbset (1M) and userdb (4). The associated attribute is called

AUDIT_FLAG and is

described in security (4).

The

audevent command is used to specify system activities (auditable events) that are to be audited.

Auditable events are classiﬁed into event categories and proﬁles for easier conﬁguration. Once an event

category or a proﬁle is selected, all system calls and self-auditing events associated with that event

category or proﬁle are selected. When the auditing system is installed, a default set of event classiﬁcation

information is provided in ﬁle /etc/audit/audit.conf

. In order to meet site-speciﬁc requirements,

administrators may also deﬁne event categories and proﬁles in

/etc/audit/audit_site.conf

. See

audit.conf (4) and audevent (1M) for more information.

Note that even if an user is not selected for auditing, it is expected that some records may still be gen-

erated at the time user starts a session and ends a session. Those are considered as system-wise informa-

tion that are more in favor of event selection than the user selection. Other programs that do self-

auditing may also make arbitrary decision to ignore the user selection though it is not recommended.

More information about self-auditing programs can be found later.

Starting and Halting the Auditing System

The administrator can use the

audsys command to start or halt the auditing system, or to get a brief

summary of the status of the audit system. Prior to starting the auditing system,

audsys also validates

the parameters speciﬁed, and ensures that the auditing system is in a safe and consistent state. See

audsys (1M) for more information.

Monitoring the Auditing System

To ensure that the auditing system operates normally and to detect abnormal behaviors, a privileged dae-

mon program,

audomon, runs in the background to monitor various auditing system parameters. When

these parameters take on abnormal (dangerous) values, or when components of the auditing system are

accidentally removed, audomon prints warning messages and tries to resolve the problem if possible.

See audomon (1M) for more information. audomon can be spawned by /sbin/init.d/auditing (as

part of the

init start-up process) when the system is booted up if the parameter AUDITING is set to 1

in ﬁle /etc/rc.config.d/auditing. It can also be started any time by a privileged user.

Viewing of Audited Data

The

audisp command is used to view audited data recorded in log ﬁles. The audisp command merges

the log ﬁles into a single audit trail in chronological sequence. The administrator can select viewing cri-

teria provided by the audisp command to limit the search to particular kinds of events which the

administrator is interested in investigating.

Audit Trails

At any time when the auditing system is enabled, at least an audit trail must be present. The trail name

and various attributes for the trail can be speciﬁed using

audsys. When the current trail exceeds the

speciﬁed size, or when the auditing ﬁle system is dangerously full, the system automatically switches to

another trail with the same base name but a different timestamp extension and begin recording to it. A

script can be speciﬁed using audomon to perform various operations on the last audit trail after each

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (2 pages)

PAGE 1
audit(5) audit(5) NAME audit - introduction to HP-UX Auditing System DESCRIPTION The purpose of the auditing system is to record instances of access by subjects to objects and to allow detection of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges, thus acting as a deterrent against system abuses and exposing potential security weaknesses in the system.
PAGE 2
audit(5) audit(5) successful switch. If trail switch is unsuccessful, warning messages are sent to request appropriate administrator action. A Self-auditing Programs To reduce the amount of log data and to provide a higher-level recording of some typical system operations, a collection of privileged programs are given capabilities to perform self-auditing.