Tru64 audit date incorrect?

Roseanne Sauers_1
Occasional Visitor

Tru64 audit date incorrect?

I am new to UNIX, but because we have a machine in our environment, I am responsible for the security of the machine.
When I conduct an administrative audit on our machine, it brings up strings of activity, but all with the date of the audit request. Now I know that one of our settings must be off, but just don't know enough about it to know how to change the setting for the audit to show the actual date of activity.
Is there someone who can help me?
6 REPLIES
Jov
Honored Contributor

Re: Tru64 audit date incorrect?

Hi,

It's pushing my memory on Tru64 a bit, but I recall there is an option to enable C2 Security, which is better than HP-UX's Trusted Mode (it was true to the C2 Security standard).

There are options for auditing, but you'll have to look them up. The man pages are very helpful. Sorry, I can't provide more info as I don't have a system to verify.


Regards

Jov
Ravi_8
Honored Contributor

Re: Tru64 audit date incorrect?

Hi,

In our environment, for security reasons, we disable SNMP, rsh and rcp on all Tru64 m/cs.
never give up
Michael Schulte zur Sur
Honored Contributor

Re: Tru64 audit date incorrect?

Hi,

Have you tried
sysman auditconfig
to see how it is set up?

What OS and patch kit are you using?

Michael
Ann Majeske
Honored Contributor

Re: Tru64 audit date incorrect?

What tool/software are you using to do the administrative audit? What is the command that you are using? From your description it doesn't sound like you are using the Tru64 UNIX Audit subsystem that the other replies refer to. Without sufficient information, there's not much we can do to help.

Ann

Roseanne Sauers_1
Occasional Visitor

Re: Tru64 audit date incorrect?

Ok, please have some patience with me. I looked on the computer and found that it was a Compaq Tru64 Unix v.5.1A Rev.1885.
It is not connected to the internet. As far as I know, there have not been any updates or patches done to the computer, other than to the Sophos software that I update and run. And I know that antivirus doesn't have anything to do with auditing.

The folders I go through to do the audits are these:

Application Manager
System_Admin
DailyAdmin
Audit Manager
The screen I request the reports from is dxaudit:Generate Reports

I don't know if this will help, I hope it does. If you need any further information, please ask, and tell me how to obtain it from the computer.

I was checking out the Audit Configuration:Audit Event Category Selection and was provided the following choices:

Timesharing
Timesharing_extended_audit
all
exec
ipc
misc
obj_access
obj_creat
obj_delete
obj_modify
proc
profile_audit
profile_auth
profile_creat
profile_filesys
profile_net
profile_netmon
profile_proc
sysV_ipc
system
trusted_event

I think I would need to choose all of them except the timesharing categories, and maybe the ipc, but I am not sure what the ipc is. The rest look like categories I would need.

Also on my audit reports, these are the main categories that show up:
ruid/euid:
pid:
cmd name:
event:
char param:
operation:
result:
ip address:
timestamp:

and sometimes
ppid:

The timestamp always shows the date the audit was requested. And I don't know how to identify who was doing the work that created the audit.

Again, if you need more information to help me, please tell me where to find it. I feel like I stumble around in this, just trying to do the basics.
I wish I could be more help, or even had more time to work in this environment more so that I was better and more comfortable in it. Basically I am just doing what someone else told me to do, how I was told to do it. When I noticed and asked about the timestamp thing, it came as a surprise to him because he never paid any attention to it and he didn't know how to fix it. Also, he is no longer here to help me.

Thank you in advance for your assistance.
Ann Majeske
Honored Contributor

Re: Tru64 audit date incorrect?

Thanks for the information. You are using the audit subsystem supplied with Tru64. I've never used the GUI interface, so I can't say exactly why you're only getting timestamps from the current day. It may be that it's only looking at the most recent audit file and not the previous ones, or that the GUI command you're using is only looking at the current data as it comes in rather than the past data.

I've always used audit_tool (see "man audit_tool") to look at the audit data instead of the GUI. You use it on the audit log files in /var/audit. To make sure that the most recent data is in the audit log file, make sure to use the command "auditd -d" first to dump all of the audit data from the kernel buffers into the audit log file.

Ann
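Putting Ann's procedure into a script, as an added example that is not from any poster in this thread: it flushes the kernel audit buffers with `auditd -d`, runs `audit_tool` over every log in /var/audit, and then counts how many distinct dates appear in the `timestamp:` fields, so that the symptom in the question (every record stamped with the day the report was run) shows up as a count of 1. It assumes `audit_tool` accepts log file names as arguments and prints one `timestamp:` line per record; the field labels are the ones Roseanne listed, and the `YYYY-MM-DD HH:MM:SS` layout of the sample is a constructed assumption, not the real output format.

```shell
#!/bin/sh
# Added example, not code from the thread. AUDIT_DIR can be overridden
# in the environment; the default is the path Ann mentions.
AUDIT_DIR=${AUDIT_DIR:-/var/audit}

# Flush the kernel audit buffers into the log file (auditd -d), then run
# audit_tool over each log so the report covers past files, not just the
# current one. Assumes audit_tool takes log file names as arguments.
dump_and_report() {
    auditd -d || return 1
    for f in "$AUDIT_DIR"/*; do
        [ -f "$f" ] && audit_tool "$f"
    done
}

# Read audit_tool text on stdin and print the number of distinct calendar
# dates found in "timestamp:" fields. Assumes the date is the first token
# after the label (constructed assumption, e.g. "timestamp: 2003-03-11 09:40:17").
count_audit_dates() {
    awk '/^[ \t]*timestamp:/ { print $2 }' | sort -u | wc -l | tr -d ' '
}

# Exit status 0 when every record carries the same date, i.e. the report
# reproduces the problem described in the question.
audit_dates_collapsed() {
    [ "$(count_audit_dates)" = "1" ]
}

# Constructed sample of what a text report with the fields Roseanne listed
# might look like: three records spread over two days.
SAMPLE_REPORT='ruid/euid: 0/0
pid: 1234
cmd name: login
event: trusted_event
timestamp: 2003-03-10 08:15:02
ruid/euid: 100/100
pid: 1301
cmd name: cp
event: obj_creat
timestamp: 2003-03-11 09:40:17
ruid/euid: 100/100
pid: 1302
cmd name: rm
event: obj_delete
timestamp: 2003-03-11 09:41:03'

# Runs the date check over the constructed sample; prints 2.
check_sample() {
    printf '%s\n' "$SAMPLE_REPORT" | count_audit_dates
}
```

To check a real machine, pipe the log output into the same check: `dump_and_report | count_audit_dates`.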