11-12-2014 09:29 PM
User Creation,Deletion,Modification auditing 11iv3
Hi,
I have managed to start auditing in hpux 11iv3 for User Creation, Deletion, Modification through the following steps:
1. Create a new rule in /etc/audit/audit.conf. This is a regular text file and can be edited with 'vi'. Create a new line like the one below:
EVENT admin2= SELFAUD_EVENT admin
This category will just record audit events from programs that are self-auditing at the admin level.
2. Edit the /etc/rc.config.d/auditing file so it looks like the following:
AUDITING=1
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/var/.audit/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e admin2"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
The location of the audit files can be changed to whatever is required. With the limited set of actions being audited I would not expect the audit files to grow very fast.
An explanation of the arguments used for the AUDEVENT_ARGS and AUDOMON_ARGS are at the end of this document.
3. Start auditing by doing:
/sbin/init.d/auditing start
4. Once auditing is running you can display the audit data with the 'audisp' command.
To create a viewable file of the audited info:
audisp /var/.audit/audfile1 > auditfile.txt
- See more at: http://www.sourcedirect.com/blog/auditing-hp-ux-user-creation-deletion-and-modification#sthash.LJw2hDFf.dpuf
The problem is in the logs: I am not able to identify the IP/user-id from which the changes are done, for example below:
Event: admin
Time: Tue Nov 11 15:09:49 14 IST
PID: 5966
PPID: 27261
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
"auditfile.txt" 667 lines, 23426 characters
SELF-AUDITING TEXT:
User= nlps uid=119 audid=30 Password or password attributes changed successfully
- Tags:
- auditing
11-13-2014 05:49 AM
Re: User Creation,Deletion,Modification auditing 11iv3
Auditing is reporting on the actual event but doesn't log the context which made the changes. For instance, the password could have been changed by a cron or similar batch job, or from SAM or SMH, or running passwd command from a remote or local login. You can look at root user logins using the last command (last -R root | more) and try to match the login time with the audit report. But that doesn't work well if root users stay logged in for hours.
A better solution is to not allow any user to login as root and instead, use sudo to issue the command, as in:
$ sudo passwd billh
You'll need to edit the sudoers file to not allow a root shell to be run by sudo.
That way, every root user command will be logged by sudo.
sudo is not installed by default - you can get a copy from:
http://hpux.connect.org.uk/hppd/cgi-bin/search?term=sudo&Search=Search
or
http://www.sudo.ws/sudo/download.html
Note that sudo.ws does not have an 11.31 version prepackaged. Use the connect.org.uk site for that version.
HP does supply sudo as part of the Internet Express bundle but it has become quite difficult to locate as the bundles have been broken up into obtuse package names.
Bill Hassell, sysadmin
- Tags:
- sudo
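The login-time matching described in the reply above, as an added example that is not part of the original thread: it pairs each audisp record with the root sessions from `last -R root` that were open at that moment. The sample lines are constructed, and the `last -R` column layout (user, tty, host, date, times) is an assumption to adjust to the real output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the audisp layout shown in the question.
AUDISP = """\
Event: admin
Time: Tue Nov 11 15:09:49 14 IST
SELF-AUDITING TEXT:
User= nlps uid=119 audid=30 Password or password attributes changed successfully
"""
# Constructed `last -R root` lines; the column layout is an assumption.
LAST = """\
root     pts/1    10.0.0.21        Tue Nov 11 14:58 - 15:20  (00:22)
root     pts/0    10.0.0.7         Tue Nov 11 09:02 - 09:40  (00:38)
root     pts/2    10.0.0.35        Tue Nov 11 15:05   still logged in
"""
LAST_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3} (\w{3}) +(\d+) (\d\d:\d\d)\s+(?:- (\d\d:\d\d)|still)")

def audit_events(text):
    """Yield (timestamp, self-auditing text) for each audisp record."""
    for rec in re.split(r"(?m)^(?=Event:)", text):
        t = re.search(r"(?m)^Time:\s+\w{3} (\w{3}) +(\d+) ([\d:]{8}) (\d\d)\b", rec)
        msg = re.search(r"SELF-AUDITING TEXT:\s*(.+)", rec)
        if t and msg:
            when = datetime.strptime(" ".join(t.groups()), "%b %d %H:%M:%S %y")
            yield when, msg.group(1).strip()

def sessions(text, year):
    """Yield (tty, host, start, end); end is None while still logged in."""
    for m in filter(None, map(LAST_RE.match, text.splitlines())):
        user, tty, host, mon, day, start, end = m.groups()
        begin = datetime.strptime(f"{mon} {day} {start} {year}", "%b %d %H:%M %Y")
        stop = None
        if end:
            stop = begin.replace(hour=int(end[:2]), minute=int(end[3:]))
            if stop < begin:  # session ran past midnight
                stop += timedelta(days=1)
        yield tty, host, begin, stop

def candidates(audit_text, last_text):
    """Pair each audit event with the root sessions open at that moment."""
    out = []
    for when, msg in audit_events(audit_text):
        live = [(tty, host) for tty, host, b, e in sessions(last_text, when.year)
                if b <= when and (e is None or when < e + timedelta(minutes=1))]
        out.append((when, msg, live))
    return out

if __name__ == "__main__":
    print(candidates(AUDISP, LAST))
```

When more than one root session is open, as in the sample, the event cannot be tied to a single host, which is the limitation the reply points out.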