09-04-2012 11:24 PM
Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files
Hello Team,
Please find the config file below, and suggest which syscalls are important to monitor, and also how to enable auditing of destructive commands like rm, vi, etc. Is there any easy way to check the audit logs without going through audisp or redirecting the huge file to a text file and reading it?
:root>grep -v ^# /etc/rc.config.d/auditing
AUDITING=1
PRI_AUDFILE=/auditing/.secure/etc/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=*
SEC_SWITCH=0
AUDEVENT_ARGS1=" -P -F -e create -e delete -e moddac -e modaccess -e open -e close -e process -e removable -e login -e admin -e ipcclose -e uevent1 -e exec -s exit -s fork -s open -s close -s creat -s link -s unlink -s execv -s chdir -s mknod -s chmod -s chown -s lchmod -s mount -s umount -s setuid -s stime -s ptrace -s kill -s setsid -s setpgrp -s setpgrp3 -s pipe -s setgid -s acct -s reboot -s symlink -s utssys -s execve -s umask -s chroot -s ulimit -s vfork -s mmap -s munmap -s setgroups -s setpgid -s setpgrp2 -s swapon -s setpriority -s settimeofday -s fchown -s fchmod -s setresuid -s setresgid -s rename -s truncate -s ftruncate -s mkdir -s rmdir -s setrlimit -s privgrp -s setprivgrp -s rtprio -s plock -s lockf -s semget -s semop -s msgget -s shmget -s shmat -s shmdt -s _set_mem_window -s nsp_init -s setdomainname -s vfsmount -s setacl -s fsetacl -s setaudid -s setaudproc -s setevent -s audswitch -s audctl -s fchdir -s shutdown -s semctl -s msgctl -s shmctl -s mpctl -s exportfs -s putpmsg -s adjtime -s fdetach -s serialize -s lchown -s sched_setparam -s sched_setscheduler -s clock_settime -s toolbox -s ftruncate64 -s lockf64 -s mmap64 -s setrlimit64 -s truncate64 -s setcontext -s setregid -s mlock -s munlock -s mlockall -s munlockall -s shm_open -s shm_unlink -s sigqueue -s mq_open -s mq_close -s mq_unlink -s ksem_open -s ksem_unlink -s ksem_close -s ttrace -s ptrace64 -s sendfile -s sendfile64 -s modload -s moduload -s modpath -s getksym -s modadm -s modstat -s spuctl -s acl -s __cnx_p2p_ctl -s __cnx_gsched_ctl -s mem_res_grp -s settune -s pset_create -s pset_destroy -s pset_assign -s pset_bind -s pset_setattr -s t64migration -s semtimedop -s audtag -s procxsec -s filexsec -s secrules -s umount2"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=" -p -f -s accept -s access -s bind -s connect -s fattach -s fstat -s fstat64 -s getaccess -s lstat -s lstat64 -s socket -s socket2 -s socketpair -s socketpair2 -s stat -s stat64"
AUDOMON_ARGS="-p 20 -t 1 -w 90"
I also cannot see commands in the audit logs!!!
################## Log Details #########################
120905 09:22:04 23799 S 71 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=mmap; User=uxxxxx; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 1878843392; PARAM #2 (int) = 8192 PARAM #4 (int) = 18 PARAM #5 (file desc) = 0x00000000 (idev); 0 (inum)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 S 6 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=close; User=uxxxxx; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0; PARAM #1 (int) = 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 S 71 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=mmap; User=uxxxxx; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 1878736896; PARAM #2 (int) = 16384 PARAM #4 (int) = 18 PARAM #5 (file desc) = 0x00000000 (idev); 0 (inum)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 S 71 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=mmap; User=ux1xxxxx; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 1878839296; PARAM #2 (int) = 160 PARAM #4 (int) = 18 PARAM #5 (file desc) = 0x00000000 (idev); 0 (inum)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 F 5 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=open; User=uxxxxxx; Real Grp=sys; Eff.Grp=sys; ]
ERRNO = 2; RETURN_VALUE 1 = -1; PARAM #1 (file path) = 0 (cnode); 0x00000000 (dev); 0 (inode); (path) = /usr/lib/nls/msg//audisp.cat PARAM #2 (int) = 0 PARAM #3 (int) = 39608
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 F 5 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=open; User=uxxxxxx; Real Grp=sys; Eff.Grp=sys; ]
ERRNO = 2; RETURN_VALUE 1 = -1; PARAM #1 (file path) = 0 (cnode); 0x00000000 (dev); 0 (inode); (path) = /usr/lib/nls////audisp.cat PARAM #2 (int) = 0 PARAM #3 (int) = 39608
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##################################################################################
Regards
- Tags:
- auditing
09-09-2012 02:16 AM
Re: Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files
Hello Team,
Any update or any expert view ....
Regards,
10-01-2012 10:06 PM
Re: Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files
Any update .....
10-02-2012 05:35 AM
Re: Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files
That's a very extensive auditing configuration. If you plan to run this all the time for all your users, you will probably need some automated way to post-process the audit logs to get anything meaningful out of the logs efficiently.
Personally, I'd say that running such an audit configuration in a modern multi-user production system is very likely hopeless without some serious post-processing of the logs: with that configuration, even the regular operation of your applications is going to generate a lot of audit logs.
For example, HP has a free application "HP HIDS" that can do some of the work for you: it includes some pre-designed monitoring templates for making sense of the HP-UX audit logs, but you must still tailor it for your use.
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS
For HP-UX 11.31, there are also some other audit filtering & reporting tools that may be helpful:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AuditExt
If you want to look for the execution of commands, you should remember that shells usually implement some commands internally and find the rest as executable files using the PATH environment variable.
For the non-internal commands, the exec() family of syscalls is the important one. The parameters of the exec() system call should include the command being executed and its arguments.
But for internal commands, exec() will not be used: instead, the shell will make the appropriate system call directly. For example, the kill command is usually implemented as an internal command in shells. So the shell will not execute /usr/bin/kill, but instead will execute the kill() system call directly. To catch that in audit logs, you must monitor the kill syscall.
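As an added example (not from the thread, HP HIDS or AuditExt), here is a small Python post-processor of the kind the reply recommends: it splits audisp output on the tilde separator lines seen in the original post, pulls out the event, user, success/failure flag, return value, errno and path from each record, and keeps only successful calls to the syscalls the reply singles out (exec*, the delete/rename family, kill). The sample records are constructed from the layout quoted in the thread; the unlink record and the header's numeric columns are made up, and the meaning of those columns is assumed.

```python
import re

# Constructed sample in the audisp layout quoted in the thread. The header's
# numeric columns and the whole unlink record are made up for illustration.
SAMPLE = """\
120905 09:22:04 23799 S 71 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Event=mmap; User=uxxxxx; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 1878843392; PARAM #2 (int) = 8192 PARAM #4 (int) = 18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 F 5 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Event=open; User=uxxxxx; Real Grp=sys; Eff.Grp=sys; ]
ERRNO = 2; RETURN_VALUE 1 = -1; PARAM #1 (file path) = 0 (cnode); 0x00000000 (dev); 0 (inode); (path) = /usr/lib/nls/msg//audisp.cat PARAM #2 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:23:11 23812 S 10 13162 73 0 3 0 3 pts/1 [ Effective privileges: "BASIC" ] [ Event=unlink; User=uxxxxx; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0; PARAM #1 (file path) = 0 (cnode); 0x40000003 (dev); 1234 (inode); (path) = /data/report.dat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""

HEADER = re.compile(r'^(\d{6}) (\d\d:\d\d:\d\d) (\d+) ([SF]) ')  # yymmdd time pid S|F (assumed)
KV = re.compile(r'([A-Za-z][\w. ]*?)=([^;\]]*);')               # Event=...; User=...; inside [ ]
# Syscalls the reply above singles out: exec*, the delete/rename family, and kill.
DESTRUCTIVE = {'execv', 'execve', 'unlink', 'rename', 'rmdir', 'truncate', 'kill'}

def _parse_one(lines):
    """Turn one record (header line + detail lines) into a flat dict."""
    m = HEADER.match(lines[0])
    if not m:                      # not a record header: skip it
        return None
    rec = {'date': m.group(1), 'time': m.group(2), 'pid': int(m.group(3)),
           'ok': m.group(4) == 'S'}           # S = success, F = failure
    rec.update((k.strip(), v.strip()) for k, v in KV.findall(lines[0]))
    detail = ' '.join(lines[1:])
    for key, pat in (('retval', r'RETURN_VALUE 1 = (-?\d+)'),
                     ('errno', r'ERRNO = (\d+)'), ('path', r'\(path\) = (\S+)')):
        hit = re.search(pat, detail)
        rec[key] = hit.group(1) if hit else None
    return rec

def parse_records(text):
    """Split audisp output on the tilde separator lines and parse each record."""
    chunks = re.split(r'(?m)^~~~+$', text)
    return [r for r in (_parse_one(c.strip().splitlines()) for c in chunks if c.strip()) if r]

def destructive_events(records, watch=DESTRUCTIVE):
    """Keep successful calls to the watched syscalls; mmap/close/open noise drops out."""
    return [r for r in records if r['ok'] and r.get('Event') in watch]

if __name__ == '__main__':
    for r in destructive_events(parse_records(SAMPLE)):
        print(r['date'], r['time'], r['User'], r['Event'], r['path'])
```

On a real trail, feed the output of audisp into parse_records instead of SAMPLE; the open failures with ERRNO 2 that fill the original post are kept by the parser but filtered out by destructive_events.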