topic Re: how to use auditing in Operating System - HP-UX

how to use auditing

JIM NIU — Tue, 13 Aug 2002 20:36:38 GMT

We have a consultant working here and we need to give him a root privileged ID, ie, an account that UID=0. We plan on turning on auditing on this ID. My question is that if we have a few other accounts that has the UID=0 which are used by other sysadmins, can auditing still tell me if certain events were triggered by consulant's account? Any thoughts/experience will be appreciated.

Re: how to use auditing

James R. Ferguson — Tue, 13 Aug 2002 20:44:01 GMT

Hi:

It's the 'uid' that identifies an account. '/etc/passwd' simply maps the uid value to a name. Thus, there would be no way to distinguish your consultant from the "real" root.

To enable auditing (accounting) have a look at the 'acct' man pages. You can also search docs.hp.com with a string "auditing" for more information.

Regards!

...JRF...

Re: how to use auditing

MANOJ SRIVASTAVA — Tue, 13 Aug 2002 20:50:34 GMT

Hi

Changing the UID to 0 or 3 will not help as everything will be run by the root only and u will find it diffcult to audit. The other alternative is to restrict direct loggint to root and then the users can SU to root to run the jobs , this way you can know by /var/adm/sulog as to who had lgged in as the root .

Another way is to ahve a restrive login like have a partial access .

Manoj Srivstava

Re: how to use auditing

Michael Tully — Tue, 13 Aug 2002 22:09:10 GMT

If they are auditors for example, the best way would be to:

Implement 'sudo' with pre-conceived commands that they are allowed to use, with everything copied to a 'typescript' file. See man 'script'

Sit with the consultant and run the commands yourself.

If they are auditors, why can't they give you a script to run which you can review before it is started?

When I've dealt with auditors, they do not under any circumstances get near a keyboard.

If you do not implement something to safeguard yourself, you don't what if any changes have been made.

Re: how to use auditing

doug hosking — Wed, 14 Aug 2002 06:29:02 GMT

The responses here show some common confusion
about the difference between accounting (acct)
and auditing (audsys, audisp, etc.).

If you really plan to use the auditing features
available within trusted mode, you should
be able to distinguish between the uid 0
accounts. This is because each login
session gets an audit ID in addition to
a UID. (See the man pages for getaudid,
setaudid, and audusr.)

Unless your system is badly misocnfigured, the audit ID is unique for each user on the system.
The audit records displayed by audisp should
let you trace the actions of this user.