
User Creation,Deletion,Modification auditing 11iv3

chindi
Respected Contributor

Hi,

I have managed to start auditing in HP-UX 11iv3 for User Creation, Deletion, Modification through the following steps:

1. Create a new rule in /etc/audit/audit.conf. This is a regular text file and can be edited with 'vi'. Create a new line like the one below:
EVENT admin2= SELFAUD_EVENT admin
This category will just record audit events from programs that are self-auditing at the admin level.

2. Edit the /etc/rc.config.d/auditing file so it looks like the following:
AUDITING=1
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/var/.audit/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e admin2"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
The location of the audit files can be changed to whatever is required. With the limited set of actions being audited I would not expect the audit files to grow very fast.
An explanation of the arguments used for the AUDEVENT_ARGS and AUDOMON_ARGS are at the end of this document.

3. Start auditing by doing:
/sbin/init.d/auditing start

4. Once auditing is running you can display the audit data with the 'audisp' command.
To create a viewable file of the audited info:
audisp /var/.audit/audfile1 > auditfile.txt
- See more at: http://www.sourcedirect.com/blog/auditing-hp-ux-user-creation-deletion-and-modification#sthash.LJw2hDFf.dpuf

The problem is in the logs: I am not able to identify the IP/user-id from which the changes are done. For example, below:

Event: admin
Time: Tue Nov 11 15:09:49 14 IST
PID: 5966
PPID: 27261
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
SELF-AUDITING TEXT:
User= nlps uid=119 audid=30 Password or password attributes changed successfully

1 REPLY 1
Bill Hassell
Honored Contributor

Re: User Creation,Deletion,Modification auditing 11iv3

Auditing is reporting on the actual event but doesn't log the context which made the changes. For instance, the password could have been changed by a cron or similar batch job, or from SAM or SMH, or by running the passwd command from a remote or local login. You can look at root user logins using the last command (last -R root | more) and try to match the login time with the audit report. But that doesn't work well if root users stay logged in for hours.

A better solution is to not allow any user to login as root and instead, use sudo to issue the command, as in:

$ sudo passwd billh

You'll need to edit the sudoers file to not allow a root shell to be run by sudo.

That way, every root user command will be logged by sudo.

sudo is not installed by default - you can get a copy from:

http://hpux.connect.org.uk/hppd/cgi-bin/search?term=sudo&Search=Search

or

http://www.sudo.ws/sudo/download.html

Note that sudo.ws does not have an 11.31 version prepackaged. Use the connect.org.uk site for that version.

HP does supply sudo as part of the Internet Express bundle but it has become quite difficult to locate as the bundles have been broken up into obtuse package names.

Bill Hassell, sysadmin
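The reply above suggests matching the time of each audit event against root login sessions from last. The script below is an added example, not code from either poster or from HP; it does that matching mechanically: it parses audisp records in the layout shown in the first post (Event/Time/PID/User/Grp headers followed by SELF-AUDITING TEXT), parses last -R root output, and lists the root sessions that were open at each event time. Both inputs are constructed samples. The layout assumed for last (no year, an optional host column, "still logged in" for open sessions) and the treatment of the 2-digit year printed in the post's Time line are assumptions about HP-UX output, so check them against a real audisp and last run before relying on the parser.

```python
"""Match HP-UX audisp 'admin' records against root login sessions from `last`.
Added example (not from the thread). Inputs are constructed samples; the
`last` layout (no year, optional host column) is an assumption."""
import re
from datetime import datetime, timedelta

# Constructed audisp output: three self-audit records. The 03:00 record
# has no interactive root session, i.e. a cron/batch-style origin.
AUDISP_SAMPLE = """\
Event: admin
Time: Tue Nov 11 03:00:10 14 IST
PID: 4410
PPID: 4409
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other)
SELF-AUDITING TEXT:
User= batchusr uid=121 audid=32 Password or password attributes changed successfully

Event: admin
Time: Tue Nov 11 15:09:49 14 IST
PID: 5966
PPID: 27261
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other)
SELF-AUDITING TEXT:
User= nlps uid=119 audid=30 Password or password attributes changed successfully

Event: admin
Time: Tue Nov 11 18:40:02 14 IST
PID: 6102
PPID: 6001
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root)
SELF-AUDITING TEXT:
User= tmp01 uid=120 audid=31 User added successfully
"""

# Constructed `last -R root` output (assumed layout; `last` prints no year).
LAST_SAMPLE = """\
root   pts/0     10.0.0.7   Tue Nov 11 15:02 - 16:10  (01:08)
root   console              Tue Nov 11 18:25   still logged in
root   pts/2     10.0.0.9   Mon Nov 10 22:00 - 23:15  (01:15)
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
AUDIT_TIME_RE = re.compile(r"^\w{3} (\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\d+)")
LAST_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?"        # user, tty, optional host
    r"\w{3} (\w{3}) +(\d+) (\d\d):(\d\d)"    # weekday month day hh:mm
    r"\s+(?:-\s+(\d\d):(\d\d)|(still logged in)|.*)")


def parse_audit_time(text):
    """'Tue Nov 11 15:09:49 14 IST' -> datetime. A 2-digit year, as printed
    in the post, is taken as 20xx; a 4-digit year is used as printed."""
    mon, day, hh, mm, ss, year = AUDIT_TIME_RE.match(text).groups()
    year = int(year) + (2000 if int(year) < 100 else 0)
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def parse_audisp(text):
    """Split audisp output into dicts keyed by header name, plus 'when'
    (datetime) and 'target' ((user, uid) named in the self-audit text)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, lines = {}, block.splitlines()
        for i, line in enumerate(lines):
            if line.startswith("SELF-AUDITING TEXT:"):
                rec["text"] = " ".join(ln.strip() for ln in lines[i + 1:])
                break
            key, _, val = line.partition(":")   # split at the first ':' only
            rec[key.strip()] = val.strip()
        rec["when"] = parse_audit_time(rec["Time"])
        m = re.search(r"User=\s*(\S+)\s+uid=(\d+)", rec.get("text", ""))
        rec["target"] = (m.group(1), int(m.group(2))) if m else None
        records.append(rec)
    return records


def parse_last(text, year, user="root"):
    """Turn `last` lines for `user` into sessions with start/end datetimes;
    end is None while the session is still open."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m or m.group(1) != user:
            continue
        _, tty, host, mon, day, sh, sm, eh, em, still = m.groups()
        start = datetime(year, MONTHS[mon], int(day), int(sh), int(sm))
        end = None
        if not still and eh is not None:
            end = start.replace(hour=int(eh), minute=int(em))
            if end < start:                 # logout after midnight
                end += timedelta(days=1)
        sessions.append({"tty": tty, "host": host, "start": start, "end": end})
    return sessions


def sessions_covering(sessions, when):
    """Sessions open at `when` (last only has minute resolution)."""
    return [s for s in sessions
            if s["start"] <= when and (s["end"] is None or when <= s["end"])]


def correlate(audisp_text, last_text):
    """Per audit record: (event time, (user, uid) changed, [(tty, host), ...]
    of root sessions open at that time; an empty list means no login origin)."""
    records = parse_audisp(audisp_text)
    year = records[0]["when"].year if records else datetime.now().year
    sessions = parse_last(last_text, year)   # `last` has no year; borrow it
    return [(r["when"], r["target"],
             [(s["tty"], s["host"]) for s in sessions_covering(sessions, r["when"])])
            for r in records]


if __name__ == "__main__":
    for when, target, origins in correlate(AUDISP_SAMPLE, LAST_SAMPLE):
        note = ", ".join(f"{t} from {h or 'local'}" for t, h in origins) \
            or "no interactive root session (cron/batch or non-login origin)"
        print(f"{when:%Y-%m-%d %H:%M:%S}  {target}  <- {note}")
```

Run it against a real auditfile.txt and the saved output of last -R root by replacing the two sample strings with the file contents. The result only narrows the origin: an event with exactly one open root session points at that tty/host, an event with several open sessions stays ambiguous (the long-lived root login problem the reply describes), and an event with none most likely came from cron, SAM/SMH or another non-login path. Auditing itself does not record the originating session, which is why the reply recommends sudo, whose own log names the invoking user for each command.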