topic Re: logging users permission changes in Operating System - HP-UX

logging users permission changes

Ahmed Douban — Sun, 10 Apr 2011 05:38:54 GMT

hi experts

may i ask if their is a way i can monitor or logging the users when they trying to change permission for specific files or updating timestamps for an existing files

thanks

Re: logging users permission changes

ManojK_1 — Sun, 10 Apr 2011 06:02:23 GMT

Hi,

In HP Unix you can enable auditing.

Manoj K

Re: logging users permission changes

Ahmed Douban — Sun, 10 Apr 2011 06:16:39 GMT

may you tell me the steps for enable auditing
and if the auditing enabled for all file systems or specific file system

thanks

Re: logging users permission changes

Mel Burslan — Sun, 10 Apr 2011 08:32:21 GMT

auditing is a subsystem in HPUX which can be turned on or off. When turned on, you can prrety much monitor everything your heart desires. Say somebody touched a file, even for read only, to attempting to modify or delete the file and whatever else you can think of. But asking someone to explain how auditing works in the forum, is not a reasonable request. You might want to google hpux auditing subsysetem phrase and start reading from the most obvious documents. It is a huge undertaking to enable auditing. It chews up your computers precious resources, from CPU to disk space and anything else in between. You should not consider turning it on lightheartedly just to monitor people changing file permissions, unless there is a criminal investigation going on and you are required to. Because this may bring your system down to its knees speed-wise

Re: logging users permission changes

ManojK_1 — Sun, 10 Apr 2011 08:33:48 GMT

You can go through the documents in the following link

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c01944073/c01944073.pdf
Chapter 9 Audit Administration

Manoj K

Re: logging users permission changes

Dennis Handly — Sun, 10 Apr 2011 17:45:46 GMT

>updating timestamps for an existing files

As in touch(1) or just writing to a file/directory?
Just accessing a file will modify a timestamp.
In any case, you need heavy weight auditing.

Re: logging users permission changes

Bill Hassell — Mon, 11 Apr 2011 22:19:28 GMT

Have you looked at the user's shell history files? While this is not foolproof, it can show you which user is using chmod or touch. A knowledgeable user can bypass the shell history but there should be signs in the shell history file (like a very short file or commands like /usr/old/bin/sh) which would indicate suspicious activity. Don't rule out bad scripts ad bad applications that do stupid things to files and directories.

Re: logging users permission changes

Dennis Handly — Sat, 16 Apr 2011 09:41:46 GMT

>Bill: A knowledgeable user can bypass the shell history but there should be signs

A user can even use vi to execute commands.