topic Re: Syslog.conf file configuration in Operating System - HP-UX

Syslog.conf file configuration

Venkatesh_16 — Wed, 29 Jul 2009 14:35:26 GMT

Hi there,

We gonna have to integrate HP-UX server to a centralized RSA enVision Log management tool for meeting our compliance requirements.

From HP-UX we need to enable the following events by editing the /etc/syslog.conf file:

* All actions taken by any individual with administrative privileges

* Initialization of the audit logs

* Creation and deletion of system-level objects

* Authentication events (Log off/Logon)

* Invalid Logon attempts due to incorrect password.

It would be great if you could let me know the
facility.level combination for the events above. For e.g I'm aware for authentication events I'd use "auth.debug". For other I'm not quite sure about the facility which handles such events. Thank you in advance.

V

Re: Syslog.conf file configuration

Venkatesh_16 — Thu, 30 Jul 2009 13:20:48 GMT

Folks, any takers for this post? I've got points to offer. Thx

Re: Syslog.conf file configuration

Patrick Wallek — Thu, 30 Jul 2009 15:13:49 GMT

The majority of these cannot be done with syslog.

You would probably be better off looking at other products and see if that fit a part of what you need.

Things that come to mind --

Role Based Access Control (RBAC) from HP.
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl

PowerBroker from Symark
http://www.symark.com/products/pboverview.html

>>Creation and deletion of system-level objects

I'm not sure what you mean by this.

Re: Syslog.conf file configuration

Rick Garland — Thu, 30 Jul 2009 16:36:52 GMT

As mentioned, not everything here can go into syslog facility. There are some 3rd party products that work real well and should satisfy your requirements.

All actions by individual with administrative rights - can use the 'rootsh' in conjunction with sudo. This creates a log file that logs every key stroke. Use this with sudo and you can see when sudo was invoked. The sudo log can be appended to the syslog.

Invalid login - this is logged in the syslog file on a trusted system, can also use the 'last' & 'lastb' commands which come from the wtmp & btmp files

Creation/Deletion of system level objects - unsure exactly what you mean but if you are talking OS level files (or any file for that matter) look into tripwire; it is on the iExpress.

Initialize audit log - the OS will log these events, in the rc.log at boot and typically in the syslog already.

Authentication events - you can get from the 'last' command to see who logon when and for how long.

Unfortunately, not everything will be in 1 location unless you jump through some hoops and customize.