Integrity Servers
cancel
Showing results for 
Search instead for 
Did you mean: 

Enable User activity auditing in HP-UX 11.31

 
Highlighted
Occasional Advisor

Enable User activity auditing in HP-UX 11.31

Dear Concern,

Please share me procedure to enable user activity auditing in HP-UX 11.31 system without converting the system in trusted mode and make it persistent after reboot.

Thanks.

With Best Regards,

Kauser 

 

4 REPLIES 4
Highlighted
HPE Pro

Re: Enable User activity auditing in HP-UX 11.31

Hello,

I just replied to a simillar post. Here is what I recommended:

Enabling auditing on HP-UX requires fair knowlegde on how it works. Since it deals with Security, you must take time to read through the documentation.

One more important aspect is managing the auditing logs. For example, unless you plan properly you run the risk of exhausting file system space. And there is a need to archive them on a regualr basis for record-keeping etc. 

I suggest that you go through the documentations for auditing thouroughly before embarking on this journey. You will find all documents at this location - http://www.hpe.com/info/hpux-security-docs

Some of the documents I usually refer are:

HP-UX 11iv2 and 11iv3 Security Configuring and Managing the Auditing System

HP-UX System Administrators Guide Security Management HP-UX 11i Version 3

The events, users, calls etc that can be configured are documented in /etc/audit/audit.conf. Site-specific config files will have to be included in another file /etc/audit/audit_site.conf.

The events can also be passed againts AUDEVENT_ARGS in /etc/rc.config.d/auditing

All the best.


I am a HPE Employee

Accept or Kudo

Highlighted
Occasional Advisor

Re: Enable User activity auditing in HP-UX 11.31

Hi,

If i want to enable audit for any particular user by following command

userdbset -u user_name AUDIT_FLAG=1

Then my queries are:

1. Should i need to enable trust mode to capture event my particular user?

2. Is this command will be persistent after OS reboot?

3. Is trust mode enable is mandatory for every category of auditing (like user, event or system call auditing)?

With Best Regards,

Kauser

Highlighted
Occasional Advisor

Re: Enable User activity auditing in HP-UX 11.31

Hi,

In addition to previous post, please share us process to enable particular user auditing and keep it persistent after reboot.

With Best Regards,

Kauser

 

Highlighted
HPE Pro

Re: Enable User activity auditing in HP-UX 11.31

Should i need to enable trust mode to capture event my particular user?

Answer :- userdbset is part of userdb database so it is incompatible with trusted. 

HP-UX Standard Mode Security Extensions (SMSE) (HP-UX 11i v2) Previously, the auditing system was only supported on systems converted to trusted mode. By installing the HP-UX Standard Mode Security Extensions bundle, you can now perform audits without converting the system to trusted mode. 

HP-UX Auditing System Extensions (HP-UX 11i v3) The auditing system is installed as part of the base HP-UX 11i v3 distribution. However, Auditing System Extensions bundle must be installed to make use of the AudReport and AudFilter product features.

SMSE is installed by default on 11.31

Is this command will be persistent after OS reboot?

Answer :- It updates userdb which is persistant after OS Reboot.

Is trust mode enable is mandatory for every category of auditing (like user, event or system call auditing)?

Answer :- userdb is part of SMSE HP-UX Standard Mode Security Extensions , not part of trusted.

Kinldy refer to the Audit Administration guide below :-

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c02899022

I am a HPE Employee


I am a HPE Employee

Accept or Kudo