<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: HP-UX 11.11 Trusted Mode Audit Files in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5419321#M732097</link>
    <description>&lt;P&gt;My guess is that it might be because of thinking like "As the user was not able to enter the password that matched the claimed username, his/her identity could not be confirmed. Therefore, the log should show that the identity of the user was unknown at that point." The audit log is supposed to be comparable to a legal evidence record: if something is not verifiable, it should not be logged the same way as a certain fact.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Another reason for omitting the usernames in this case would be an intent to protect users' passwords from accidental disclosure: I think there's research showing that typing a password in the username prompt is a common mistake.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, if your job is to read audit logs and you see a failing login attempt by username "S3kR1tP@$$" and a successful login by "joeuser" a few seconds afterwards from the same terminal/remote host, you would have high confidence that Joe User just made the mistake of typing without looking, and that "S3kR1tP@$$" is in fact his password. As a result, you could now log in to the system pretending to be Joe User... and this is clearly unacceptable. Therefore, blanking out unproven usernames in the logs is a good security practice in addition to preserving the quality of the audit log as legal evidence.&lt;/P&gt;</description>
    <pubDate>Thu, 15 Dec 2011 15:43:42 GMT</pubDate>
    <dc:creator>Matti_Kurkela</dc:creator>
    <dc:date>2011-12-15T15:43:42Z</dc:date>
    <item>
      <title>HP-UX 11.11 Trusted Mode Audit Files</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5418179#M732094</link>
      <description>&lt;P&gt;After converting my C8000 HP-UX 11.11 over to trusted mode and turning on auditing, I tested the login auditing feature. When I failed a login by mistyping a user password, the audit log displayed that the login failed but it displayed the user as ??????? (question marks). Why doesn't it display the correct user id? How can I fix this so that the user id is displayed? Also, how can I audit when a user logs out?&lt;/P&gt;</description>
      <pubDate>Wed, 14 Dec 2011 16:18:19 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5418179#M732094</guid>
      <dc:creator>MikeCagg</dc:creator>
      <dc:date>2011-12-14T16:18:19Z</dc:date>
    </item>
    <item>
      <title>Re: HP-UX 11.11 Trusted Mode Audit Files</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5418707#M732095</link>
      <description>&lt;P&gt;You can also see login/logoff info by using last(1).&lt;/P&gt;</description>
      <pubDate>Thu, 15 Dec 2011 05:05:36 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5418707#M732095</guid>
      <dc:creator>Dennis Handly</dc:creator>
      <dc:date>2011-12-15T05:05:36Z</dc:date>
    </item>
    <item>
      <title>Re: HP-UX 11.11 Trusted Mode Audit Files</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5419109#M732096</link>
      <description>&lt;P&gt;Thank you, but my IT security dept. requires that the users/actions information is logged to the audit files. Do you know why I'm getting question marks instead of the user id? Is it patch related?&lt;/P&gt;</description>
      <pubDate>Thu, 15 Dec 2011 12:11:46 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5419109#M732096</guid>
      <dc:creator>MikeCagg</dc:creator>
      <dc:date>2011-12-15T12:11:46Z</dc:date>
    </item>
    <item>
      <title>Re: HP-UX 11.11 Trusted Mode Audit Files</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5419321#M732097</link>
      <description>&lt;P&gt;My guess is that it might be because of thinking like "As the user was not able to enter the password that matched the claimed username, his/her identity could not be confirmed. Therefore, the log should show that the identity of the user was unknown at that point." The audit log is supposed to be comparable to a legal evidence record: if something is not verifiable, it should not be logged the same way as a certain fact.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Another reason for omitting the usernames in this case would be an intent to protect users' passwords from accidental disclosure: I think there's research showing that typing a password in the username prompt is a common mistake.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, if your job is to read audit logs and you see a failing login attempt by username "S3kR1tP@$$" and a successful login by "joeuser" a few seconds afterwards from the same terminal/remote host, you would have high confidence that Joe User just made the mistake of typing without looking, and that "S3kR1tP@$$" is in fact his password. As a result, you could now log in to the system pretending to be Joe User... and this is clearly unacceptable. Therefore, blanking out unproven usernames in the logs is a good security practice in addition to preserving the quality of the audit log as legal evidence.&lt;/P&gt;</description>
      <pubDate>Thu, 15 Dec 2011 15:43:42 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5419321#M732097</guid>
      <dc:creator>Matti_Kurkela</dc:creator>
      <dc:date>2011-12-15T15:43:42Z</dc:date>
    </item>
    <item>
      <title>Re: HP-UX 11.11 Trusted Mode Audit Files</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5419373#M732098</link>
      <description>&lt;P&gt;&amp;gt;Another reason for omitting the usernames in this case would be an intent to protect users' passwords from accidental disclosure&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That's why lastb(1) and /var/adm/btmps require root.&lt;/P&gt;</description>
      <pubDate>Thu, 15 Dec 2011 16:25:29 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-11-11-trusted-mode-audit-files/m-p/5419373#M732098</guid>
      <dc:creator>Dennis Handly</dc:creator>
      <dc:date>2011-12-15T16:25:29Z</dc:date>
    </item>
  </channel>
</rss>

