SAM: Security and Auditing

A_Monk — Tue, 30 May 2006 11:27:20 GMT

I'm very new to HP-UX. Please bear with me!

The Security and Auditing sub-program in SAM offers many events which can be enabled for auditing.

Is there a paper outlining the best practice on what to be enabled in a high, medium and low security environment? Any pointers are appreciated.

Many thanks in advance.

Re: SAM: Security and Auditing

Rick Garland — Tue, 30 May 2006 12:27:33 GMT

Lots of resources available - inside and outside of the ITRC.

Depending on how tight you need to be with security, are you a public or private company, do you have external audits to go through, etc...

The resources cover all aspects. In the ITRC do a search on HPUX Security - check out the Bastille product.

On google do a search for UNIX security. Lots of hits.

There isn't 1 good resource, there are many good resources!

Re: SAM: Security and Auditing

Jeff Schussele — Tue, 30 May 2006 12:55:30 GMT

Well....first off you need to determine just how much space you can afford to assign to the audfiles. In high security envs you may need well over 8 GBs to hold the data for a reasonable period. Also just what the performance hit will be.
For low 512MB may suffice.
We employ medium level & use 2GB.
Below is a sample auditing config file for medium level - file locations redacted for obvious reasons. This is more to give you an idea of just *what* you should be auditing - mainly who's logging in & when as well as what they're modifying and/or deleting:

#!/sbin/sh
# @(#)B.11.11_LR
# Auditing configuration. See audsys(1m), audevent(1m)
#
# AUDITING: Set to 1 to enable the auditing system. Note: if auditing
# is enabled via SAM, the AUDITING and other configuration
# variables are ignored.
#
# PRI_AUDFILE: Pathname of file where audit records begin to be logged.
# PRI_SWITCH: switch size (maximum size in kbytes for primary audit log file)
# SEC_AUDFILE: file audit system switches to when primary reaches switch size
# SEC_SWITCH: switch size of secondary file (maximum size in kbytes for
# secondary audit log file)
#
# Note: If the system has any mounted volumes, you might want to put the
# primary and secondary audit log files on different volumes to take maximum
# advantage of audit file switching.
#
# Note: For security, the path to the audit files must not be readable or
# writable except by authorized users.
#
# AUDEVENT_ARGS:
# Arguments to the audevent command. See audevent(1m)
# There are three instances of AUDEVENT_ARGS.
#
# AUDEVENT_ARGS1 describes those events that are audited
# for both success and failure.
#
# AUDEVENT_ARGS2 describes those events that are success only.
#
# AUDEVENT_ARGS3 describes those events that are failure only.
#
# A null string for AUDEVENT_ARGSx is assigned to arguments
# that don't apply.
#
# By default, AUDEVENT_ARGS1 is set to:
# "-P -F -e moddac -e login -e admin"
# which causes audevent to deal with:
# 1) changing discretionary access control (DAC),
# 2) logging in, and
# 3) administering the system will be audited.
# While these may be a reasonable defaults on some systems,
# only the security officer/administrator can determine exactly
# what is needed.
#
# AUDOMON_ARGS: Arguments to the audomon daemon. See audomon(1m)
# By default, AUDOMON_ARGS is set to "-p 20 -t 1 -w 90".
# The audomon daemon takes the following arguments:
#
# fss = minimum percentage of free space left on an audit log file's
# file-system before switching to the secondary audit log file
# (which may reside on a separate volume/partition),
# or before taking protective action if no file space is left.
# (default: 20%)
# sp_freq = minimum wakeup interval (in minutes), at which point
# warning messages are generated on the console about
# switch points. Switch points are the maximum log file
# sizes and the percentage minimum free space specified.
# (default: 1 minute)
# warning = percentage of audit file space used or minimum free space
# used after which warning messages are sent to the console.
# (default: 90 - warning messages are sent when the files
# are 90% full or available free space is 90% used)
#
# Format: audomon -p fss -t sp_freq -w warning
#
AUDITING=1
PRI_AUDFILE=/XXXXXX/XXXXXXX/audfile1
PRI_SWITCH=153600
SEC_AUDFILE=/XXXXXX/XXXXXXX/audfile2
SEC_SWITCH=153600
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin -e modaccess -e delete -s execv -s execve"
AUDEVENT_ARGS2=" -p -f -s utssys -s mpctl -s semctl -s semop "
AUDEVENT_ARGS3=""
AUDOMON_ARGS=" -p 20 -t 1 -w 99"

For *some* of the above syscalls there are man pages in the OS. For all others you should be able to get good descriptions on docs.hp.com. Some should be self-explanatory.

HTH,
Jeff

Re: SAM: Security and Auditing

A_Monk — Tue, 30 May 2006 14:00:38 GMT

Where can I find a document outlining/detailing the events auditable in each sub-programs in SAM's Security and Auditing?

Any pointers are appreciated.

Thanks,

A Monk

topic SAM: Security and Auditing in Operating System - HP-UX

SAM: Security and Auditing

Re: SAM: Security and Auditing

Re: SAM: Security and Auditing

Re: SAM: Security and Auditing