HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)
a
audit(5) audit(5)
NAME
audit - introduction to HP-UX Auditing System
SYNOPSIS
#include <sys/audit.h>
DESCRIPTION
The purpose of the auditing system is to record instances of access by subjects to objects and to allow detec-
tion of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges, thus act-
ing as a deterrent against system abuses and exposing potential security weaknesses in the system. When
the TrustedMigration product is installed, HP-UX Auditing System also works without converting system
to trusted mode.
User and Event Selection
The auditing system provides administrators with a mechanism to select users and activities to be audited.
On a system that has been converted to trusted mode, users are assigned unique identifiers called audit
ids by the administrator which remain unchanged throughout a user’s history. The
audusr command is
used to specify those users who are to be audited.
On a system that has not been converted to trusted mode, if the TrustedMigration product is installed, each
login session is assigned a unique identifier called audit tag. The audit tag is a string representing infor-
mation such as user name and login time. It can uniquely identify each login session and the person
responsible for the session. See also setauduser(3) and getauduser(3). The
userdbset command is used
to specify those users who are to be audited. See userdbset(1M) and userdb(4). The associated attribute is
called
AUDIT_FLAG and is described in security(4).
The audevent command is used to specify system activities (auditable events) that are to be audited.
Auditable events are classified into several categories. An event category consists of a set of operations that
affect a particular aspect of the system. For an event category list, see audevent(1M).
Self-auditing Programs
To reduce the amount of log data and to provide a higher-level recording of some typical system operations,
a collection of privileged programs are given capabilities to perform self-auditing. This means that the pro-
grams can suspend the currently specified auditing on themselves and produce a high-level description of
the operations they perform. These self-auditing programs are described in the following manpages: at(1),
chfn(1), chsh(1), crontab(1), login(1), newgrp(1), passwd(1), audevent(1M), audisp(1M), audsys(1M),
audusr(1M), cron(1M), groupadd(1M), groupdel(1M), groupmod(1M), init(1M), lpsched(1M), sam(1M),
useradd(1M), userdel(1M), and usermod(1M).
Note: Only privileged programs are allowed to do self-auditing. The audit suspension they perform
only affects these programs and does not affect any other processes on the system.
Most of these commands generate audit data under a single event category. For example,
SAM generates
the audit data under the event admin. Other commands may generate data under multiple event
categories. For example, the
init command generates data under the events login and admin.
Viewing of Audited Data
The
audisp command is used to view audited data recorded in log files. The audisp command merges
the log files into a single audit trail in chronological sequence. The administrator can select viewing criteria
provided by the audisp command to limit the search to particular kinds of events which the administra-
tor is interested in investigating.
Monitoring the Auditing System
To ensure that the auditing system operates normally and that any abnormal behaviors are detected, a
privileged daemon program, audomon, runs in the background to monitor various auditing system
parameters. When these parameters take on abnormal (dangerous) values, or when components of the
auditing system are accidentally removed, audomon prints warning messages and tries to resolve the
problem if possible.
Starting and Halting the Auditing System
The administrator can use the audsys command to start or halt the auditing system, or to get a brief
summary of the status of the audit system. Prior to starting the auditing system, audsys also validates
the parameters specified, and ensures that the auditing system is in a safe and consistent state.
HP-UX 11i Version 2: December 2007 Update − 1 − Hewlett-Packard Company 79