https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955153#M740293 Is there a way to audit files/directories/logins without enabling trusted system?<BR /><BR /> Wed, 25 Jan 2006 15:41:29 GMT Tonya Underwood 2006-01-25T15:41:29Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955153#M740293 Is there a way to audit files/directories/logins without enabling trusted system?<BR /><BR /> Wed, 25 Jan 2006 15:41:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955153#M740293 Tonya Underwood 2006-01-25T15:41:29Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955154#M740294 Let me clarify... audit directories<BR /><BR />using the following audits:<BR />Admin <BR />Close <BR />Create <BR />Delete <BR />Modaccess <BR />Moddac <BR />Open <BR />Process - is it possible to restrict this to processes generated by command line access from a login? (i.e., I don't necessarily need to know about automated app processes, just commands run from a login shell)<BR />Removable <BR />Login <BR /><BR /><BR />Thank You<BR />Tonya Wed, 25 Jan 2006 15:58:43 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955154#M740294 Tonya Underwood 2006-01-25T15:58:43Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955155#M740295 From what I read you cannot audit an hpux server without converting to a trusted server, but maybe these threads can be of help:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=969783" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=969783</A><BR /><BR />and this document:<BR /><BR /><A href="http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS" target="_blank">http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS</A> Wed, 25 Jan 2006 16:58:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955155#M740295 Deoncia Grayson_1 2006-01-25T16:58:41Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955156#M740296 Tonya,<BR /><BR /> Are you running 11.11 or 11.23 ? It is possible to enable auditing in 11.23 without converting the system to trusted.<BR /> <A href="http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SecurityExt" target="_blank">http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SecurityExt</A><BR /><BR /> But why would you not want to trust the system ?<BR /><BR />Sundar Wed, 25 Jan 2006 17:06:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955156#M740296 Sundar_7 2006-01-25T17:06:10Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955157#M740297 11.00 :(<BR /><BR />My customer has stated that it will cause problems with the applications. We are trying to understand the reason why, but this information is difficult to get. Wed, 25 Jan 2006 19:19:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955157#M740297 Tonya Underwood 2006-01-25T19:19:34Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955158#M740298 OK... so we must trust!! :)<BR /><BR />Can I turn on auditing selective filesystems? Turn off auditing on some filesystems? How?<BR /><BR />Thanks,<BR />Tonya Wed, 25 Jan 2006 19:36:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955158#M740298 Tonya Underwood 2006-01-25T19:36:49Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955159#M740299 Look at this document for more information on auditing:<BR /><BR /><A href="http://docs.hp.com/en/B2355-90121/ch02s05.html" target="_blank">http://docs.hp.com/en/B2355-90121/ch02s05.html</A><BR /> Thu, 26 Jan 2006 17:21:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955159#M740299 Deoncia Grayson_1 2006-01-26T17:21:41Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955160#M740300 Yes, I've read that document. It does not address this issue. Does all this silence mean nobody knows? If there is a way, I do not see it documented. I was hoping someone had found a flat file you can modify, something... <BR /><BR />Tonya Fri, 27 Jan 2006 08:09:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955160#M740300 Tonya Underwood 2006-01-27T08:09:08Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955161#M740301 The choices for auditing are shownj in SAM. Since auditing occurs at the kernel level, individual files and directories can't be differentiated. You can audit reads and writes (which the kernel understands) but the actual filename is part of the user space. A user program requests that a file be opened by communicating with the LVM and filesystem code and gets back a file descriptor block. Reading and writing that file requires the filesystem code to translate the record in the file into an lvol block and the LVM code translates this into an actual kernel read/write request for the disk (which can be audited). Fri, 27 Jan 2006 09:12:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955161#M740301 Bill Hassell 2006-01-27T09:12:31Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955162#M740302 I see... that explains it. Thanks! Fri, 27 Jan 2006 09:17:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-without-trusted-system/m-p/4955162#M740302 Tonya Underwood 2006-01-27T09:17:30Z