Security

How to enable Audit log for specific users and events in HP-UX 11.31 ?

Ashraf1
Advisor

How to enable Audit log for specific users and events in HP-UX 11.31 ?

Hi All,

As per management decision, I need to enable the audit trail in HP-UX. So I have enabled auditing with the command

audsys -n . So now, how do I configure it only for users?


Please assist with this issue from the expert end.


Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?

Take a look at this technical paper on the subject:

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c02899022

p15 onwards starts to describe how to configure auditing for specific users and events, but I would read the whole thing to get a better understanding of what's really going on.


I am an HPE Employee
KishJ
HPE Pro

Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?

Greetings,

Enabling auditing on HP-UX requires fair knowledge of how it works. Since it deals with security, you must take time to read through the documentation.

One more important aspect is managing the auditing logs. For example, unless you plan properly you run the risk of exhausting file system space. And there is a need to archive them on a regular basis for record-keeping etc.

I suggest that you go through the documentation for auditing thoroughly before embarking on this journey. You will find all documents at this location - http://www.hpe.com/info/hpux-security-docs

Some of the documents I usually refer to are:

HP-UX 11iv2 and 11iv3 Security Configuring and Managing the Auditing System

HP-UX System Administrators Guide Security Management HP-UX 11i Version 3

Hope it helps. All the best.



I am an HPE Employee


KishJ
HPE Pro

Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?

Hello again,

The events, users, calls etc. that can be configured are documented in /etc/audit/audit.conf. Site-specific config files will have to be included in another file, /etc/audit/audit_site.conf.

The events can also be passed against AUDEVENT_ARGS in /etc/rc.config.d/auditing.

As I mentioned in my earlier post, it is important that you read through the documentation to understand how auditing on HP-UX works.


I am an HPE Employee


Ashraf1
Advisor

Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?

Hi,

Thanks to all for sharing the comments, including the documentation site.


I have already studied some documents. However, I will check and go through all the provided documents.

Tomorrow I will share my new queries.


Regards,

Ashraf

Bill Hassell
Honored Contributor

Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?

As you can see from the depth of the auditing system, there can be an immense effort to set up and maintain the records. Then there is the question of how to immediately notify sysadmins of a potential problem.

You may find that simply keeping the login shell history would satisfy your management's request. Note that this would cover simple commands and possible mistakes, but would not be adequate for knowledgeable users trying to hide their activities.



Bill Hassell, sysadmin
Ashraf1
Advisor

Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?

Hi All,

I have studied all the documents as best I could.

I have run all the commands on my test system. The OS version here is HP-UX 11.31. After success, we will run them on the live system.

I have set auditing for the users root and oracle only. Please check the command output below (# userdbget -a | grep AUDIT_FLAG=1).
To set only the events associated with the basic profile for auditing, I used the following command:
# audevent -P -F -r basic . Please check the config below, as shown by # cat /etc/audit/audit.conf

Also check the output of # cat /etc/rc.config.d/auditing

In /var/.audit, I see the file sizes below

bash-4.3# du -sk audfile2.20200211_1235
12312 audfile2.20200211_1235
bash-4.3# du -sk audfile2.20200211_1241
1776 audfile2.20200211_1241

Command output:

bash-4.3# userdbget -a | grep AUDIT_FLAG=1
root AUDIT_FLAG=1
oracle AUDIT_FLAG=1


bash-4.3# cat /etc/rc.config.d/auditing

AUDITING=1
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/var/.audit/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e create -e delete -e moddac -e modaccess -e open -e close -e process -e removable -e login -e admin -e ipccreat -e ipcopen -e ipcclose -e uevent1 -e uevent2 -e uevent3 -e ipcdgram -e readdac -s exit -s fork -s open -s close -s creat -s link -s unlink -s execv -s chdir -s mknod -s chmod -s chown -s .chmod_link -s mount -s umount -s setuid -s stime -s ptrace -s access -s kill -s stat -s setpgrp3 -s lstat -s pipe -s setgid -s acct -s reboot -s symlink -s .set_sys_info -s execve -s umask -s chroot -s fcntl -s ulimit -s vfork -s mmap -s munmap -s setgroups -s setpgid -s swapon -s fstat -s setpriority -s settimeofday -s fchown -s fchmod -s setresuid -s setresgid -s rename -s truncate -s ftruncate -s mkdir -s rmdir -s setrlimit -s .priv_grp_ctl -s rtprio -s plock -s lockf -s semget -s semop -s msgget -s shmget -s shmat -s shmdt -s .setmemwindow -s setdomainname -s vfsmount -s setacl -s fsetacl -s setaudid -s setaudproc -s setevent -s audswitch -s audctl -s getaccess -s fchdir -s accept -s bind -s connect -s recv -s recvfrom -s recvmsg -s send -s sendmsg -s sendto -s setsockopt -s shutdown -s socket -s socketpair -s semctl -s msgctl -s shmctl -s mpctl -s adjtime -s fattach -s fdetach -s serialize -s lchown -s sched_setparam -s sched_setscheduler -s clock_settime -s .perf_tool_ctl -s ftruncate64 -s fstat64 -s lockf64 -s lstat64 -s mmap64 -s setrlimit64 -s stat64 -s truncate64 -s setpgrp -s setregid -s mlock -s munlock -s mlockall -s munlockall -s shm_open -s shm_unlink -s sigqueue -s mq_open -s mq_close -s mq_unlink -s sem_open -s sem_unlink -s sem_close -s ttrace -s sendfile -s .sendfile_by_name -s sendfile64 -s modload -s moduload -s modpath -s getksym -s .kernel_module_ctl -s modstat -s .processor_ctl -s acl -s .p2p_bcopy_ctl -s .gang_sched_ctl -s .mrgctl -s settune -s pset_create -s pset_destroy -s pset_assign -s pset_bind -s pset_setattr -s pset_ctl -s __pset_rtctl -s .perf_ctl -s semtimedop -s .audit_tag_ctl -s .proc_sec_ctl -s .file_sec_ctl 
-s .cmpt_rules -s .postwait_ctl -s umount2 -s .setaudevent -s .procsm_setop -s .cachefsstat -s swapctl -s .audit_ctl -s .proc_mgmt_ctl -s .cell_olstar_lock -s .cell_olstar_specify -s .cell_olstar_backout -s .cell_olstar_unlock -s .cell_olstar_operate"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"


bash-4.3# cat /etc/audit/audit.conf
#
# Default audit event mapping information
#
# DO NOT MODIFY THIS FILE. All site specific customerizations
# need to go into /etc/audit/audit_site.conf.
#

EVENT create= creat, mknod, pipe, symlink, mkdir, semget, msgget, shmget,
shmat, pset_create, SELFAUD_EVENT create

EVENT delete= rmdir, semctl, msgctl, shm_unlink, mq_unlink, sem_unlink,
pset_destroy, SELFAUD_EVENT delete

EVENT moddac= chmod, chown, umask, fchown, fchmod, semop, setacl, fsetacl,
lchown, acl, semtimedop, .chmod_link, SELFAUD_EVENT moddac

EVENT modaccess= link, unlink, chdir, setuid, setpgrp, setpgrp3, setgid,
chroot, ulimit, setgroups, setpgid, setresuid, setresgid, rename,
fcntl, lockf, shmdt, fchdir, shmctl, lockf64, setregid, .proc_sec_ctl,
.file_sec_ctl, .cmpt_rules, SELFAUD_EVENT modaccess

EVENT open= open, execv, execve, mmap, truncate, ftruncate, ftruncate64,
mmap64, truncate64, shm_open, mq_open, sem_open, ttrace, ptrace,
sendfile, sendfile64, .sendfile_by_name, SELFAUD_EVENT open

EVENT close= close, munmap, mq_close, sem_close, SELFAUD_EVENT close

EVENT process= exit, fork, kill, vfork, setpriority, rtprio, mlock,
munlock, mlockall, munlockall, sigqueue, SELFAUD_EVENT process

EVENT removable= mount, umount, umount2, vfsmount, SELFAUD_EVENT removable

EVENT login= SELFAUD_EVENT login

EVENT admin= stime, acct, reboot, swapon, setevent, settimeofday, setrlimit,
plock, swapctl, setdomainname, setaudid, setaudproc, audswitch,
audctl, .audit_ctl, .setaudevent, mpctl, adjtime, serialize,
sched_setparam, sched_setscheduler, clock_settime, setrlimit64,
modload, moduload, modpath, getksym, modstat, settune, pset_assign,
pset_bind, pset_setattr, pset_ctl, __pset_rtctl, .procsm_setop,
.priv_grp_ctl, .setmemwindow, .mrgctl, .audit_tag_ctl, .perf_ctl,
.perf_tool_ctl, .processor_ctl, .p2p_bcopy_ctl, .gang_sched_ctl,
.cell_olstar_backout, .cell_olstar_lock, .cell_olstar_operate,
.cell_olstar_specify, .cell_olstar_unlock, .kernel_module_ctl,
.set_sys_info, .proc_mgmt_ctl, .postwait_ctl, .cachefsstat,
SELFAUD_EVENT admin

EVENT ipccreat= bind, socket, socketpair, SELFAUD_EVENT ipccreat

EVENT ipcopen= accept, connect, fattach, SELFAUD_EVENT ipcopen

EVENT ipcclose= shutdown, fdetach, SELFAUD_EVENT ipcclose

EVENT uevent1= SELFAUD_EVENT uevent1

EVENT uevent2= SELFAUD_EVENT uevent2

EVENT uevent3= SELFAUD_EVENT uevent3

EVENT ipcdgram= SELFAUD_EVENT ipcdgram

EVENT readdac= access, stat, lstat, fstat, getaccess, fstat64, lstat64,
stat64, SELFAUD_EVENT readdac

SYSCALL_ALIAS gethostname= .set_sys_info

SYSCALL_ALIAS sethostname= .set_sys_info

SYSCALL_ALIAS uname= .set_sys_info

SYSCALL_ALIAS ustat= .set_sys_info

SYSCALL_ALIAS setuname= .set_sys_info

SYSCALL_ALIAS setsid= setpgrp3

SYSCALL_ALIAS setpgrp= setpgrp3

SYSCALL_ALIAS setpgrp2= setpgid

SYSCALL_ALIAS setprivgrp= .priv_grp_ctl

EVENT_ALIAS logoff= EVENT login

EVENT_ALIAS exec= execv, execve

EVENT_ALIAS net= EVENT ipccreat, EVENT ipcopen, EVENT ipcclose, EVENT ipcdgram

EVENT_ALIAS pset= pset_create, pset_destroy, pset_assign,
pset_bind, pset_setattr

EVENT_ALIAS sock= bind, recv, recvfrom, recvmsg, send, sendmsg, sendto,
setsockopt, socket, socketpair

PROFILE basic= EVENT admin, EVENT login, SELFAUD_EVENT moddac, execv, execve,
EVENT_ALIAS pset

bash-4.3# pwd
/var/.audit
bash-4.3# ls -la
total 288
drwxr-xr-x 220 root sys 131072 Feb 11 12:35 .
dr-xr-xr-x 28 bin bin 8192 Jan 2 17:44 ..
drwx------ 2 root sys 96 Dec 29 09:53 audfile1
drwx------ 2 root root 96 Feb 9 11:00 audfile2.20200209_1100
drwx------ 2 root root 96 Feb 9 11:07 audfile2.20200209_1107
drwx------ 2 root root 96 Feb 9 11:21 audfile2.20200209_1121
drwx------ 2 root root 96 Feb 9 11:30 audfile2.20200209_1130
drwx------ 2 root root 96 Feb 9 11:34 audfile2.20200209_1134
drwx------ 2 root root 96 Feb 9 11:39 audfile2.20200209_1139
drwx------ 2 root root 96 Feb 9 11:51 audfile2.20200209_1151
drwx------ 2 root root 96 Feb 9 12:05 audfile2.20200209_1205

drwx------ 2 root root 96 Feb 11 11:21 audfile2.20200211_1121
drwx------ 2 root root 96 Feb 11 11:36 audfile2.20200211_1136
drwx------ 2 root root 96 Feb 11 11:50 audfile2.20200211_1150
drwx------ 2 root root 96 Feb 11 12:05 audfile2.20200211_1205
drwx------ 2 root root 96 Feb 11 12:20 audfile2.20200211_1220
drwx------ 2 root root 96 Feb 11 12:35 audfile2.20200211_1235
drwx------ 2 root root 96 Feb 11 12:41 audfile2.20200211_1241

My queries are as below
1. How to set the time interval for file generation (suppose each file is generated every 15 minutes)?
2. How to create a report from some specific files or from all files?
3. I have rebooted the OS as the root user, but I don't find a record of the reboot in the file, although reboot is mentioned in the admin EVENT.

Please assist with the above issues.

Waiting for a response from the expert end.
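The audit.conf quoted in the last post maps EVENT classes, aliases and the basic PROFILE onto system calls. As an added example (not part of the thread), here is a small Python parser for that format that expands a profile into the syscalls and self-audit events it selects, so the coverage of a profile enabled with audevent -r basic can be checked from the configuration itself, e.g. whether reboot is included. The embedded sample is a constructed excerpt in the same format, not the full file.

```python
"""Added example: parser for the /etc/audit/audit.conf format shown in the thread.
Expands a PROFILE, EVENT or EVENT_ALIAS into the syscalls and SELFAUD_EVENT tags it selects."""
import re
# Constructed excerpt in the audit.conf format quoted in the thread (not the full file).
SAMPLE_CONF = """\
EVENT moddac= chmod, chown, umask, fchown, fchmod, SELFAUD_EVENT moddac
EVENT login= SELFAUD_EVENT login
EVENT admin= stime, acct, reboot, swapon, setevent, settimeofday,
setrlimit, plock, swapctl, setdomainname, SELFAUD_EVENT admin
EVENT ipccreat= bind, socket, socketpair, SELFAUD_EVENT ipccreat
SYSCALL_ALIAS setsid= setpgrp3
EVENT_ALIAS net= EVENT ipccreat, EVENT ipcopen, EVENT ipcclose, EVENT ipcdgram
EVENT_ALIAS pset= pset_create, pset_destroy, pset_assign,
pset_bind, pset_setattr
PROFILE basic= EVENT admin, EVENT login, SELFAUD_EVENT moddac, execv, execve,
EVENT_ALIAS pset
"""
RECORD = re.compile(r"^(EVENT_ALIAS|SYSCALL_ALIAS|EVENT|PROFILE)\s+(\S+?)=\s*(.*)$")

def parse_audit_conf(text):
    """Return {kind: {name: [items]}}; a line with no keyword continues the previous record."""
    tables = {"EVENT": {}, "SYSCALL_ALIAS": {}, "EVENT_ALIAS": {}, "PROFILE": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD.match(line)
        if m:
            kind, name, line = m.groups()
            current = tables[kind].setdefault(name, [])
        current.extend(i.strip() for i in line.split(",") if i.strip())
    return tables

def resolve(tables, kind, name, seen=None):
    # Expand one record into a set of syscall names plus 'SELFAUD_EVENT x' tags.
    seen = set() if seen is None else seen
    if (kind, name) in seen:  # guard against a self-referencing definition
        return set()
    seen.add((kind, name))
    out = set()
    for item in tables[kind].get(name, []):
        parts = item.split()
        if len(parts) == 2 and parts[0] in ("EVENT", "EVENT_ALIAS"):
            out |= resolve(tables, parts[0], parts[1], seen)
        elif len(parts) == 2 and parts[0] == "SELFAUD_EVENT":
            out.add(item)  # self-auditing event raised by a program, not a syscall
        else:  # plain syscall; map through SYSCALL_ALIAS when one is defined
            out.add(tables["SYSCALL_ALIAS"].get(item, [item])[0])
    return out
```

Running resolve(tables, "PROFILE", "basic") on the sample shows reboot is selected through EVENT admin while chmod is not, because basic only pulls in the SELFAUD_EVENT part of moddac.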