topic Re: Auditing Trusted mode in Operating System - HP-UX

Auditing Trusted mode

Randy Gelineau — Mon, 07 Jun 2004 10:16:13 GMT

I have trusted mode installed and configured on many HPUX 11i workstations. We are have a security requirement to audit the systems each week. We are having trouble keeping up with the large amount of log entries. We ultimately would like to automate the auditing or at least get the log entries into a more human readable form. Is there a way to accomplish this without writing an entire application?

Re: Auditing Trusted mode

RAC_1 — Mon, 07 Jun 2004 10:18:30 GMT

You can audit a event that you want. Like delete etc.

man audevent. audevent -e "event_you_want_to_monitor"

Anil

Re: Auditing Trusted mode

Sridhar Bhaskarla — Mon, 07 Jun 2004 10:38:41 GMT

Hi,

Auditing doesn't provide may tools. You need to use 'audisp' command to filter out the events and the users.

Moreover, if you enable all the events, then that is what you will get. My consideration would be to audit the default events -moddac, login, admin and the event modaccess + the system calls execv and execve. The last two system calls may log all the commands executed by the users through shell.

You can probably write an awk script to parse out the 'audisp' output and put it in a human readable format. The first row of the output contains the names of the fields.

You may also want to look at IDS/9000 that you can use to get better format in a centralized location.

-Sri