
Logging administrative changes

dirkdevos
Frequent Advisor

Logging administrative changes

I am hoping that somebody can point me in the right direction on this. The goal is to be able to identify whether a user's account has been changed and the user ID that made the change. We want to verify that nobody has changed a user's privileges without the required paperwork.

 

We have SSH installed and I can look at the syslog file to see who logged on, but I am not able to see if they modified the user's privileges.

 

Any ideas on this?

10 REPLIES
RJHall
Frequent Advisor

Re: Logging administrative changes

That sounds like something that HP-UX HIDS might be able to detect, if you configure it to capture the required events.

Ken Grabowski
Respected Contributor

Re: Logging administrative changes

What are you referring to when you say "change privileges"?

dirkdevos
Frequent Advisor

Re: Logging administrative changes

What I want to know is if somebody creates a new account or updates an existing account to give that person system admin rights. Basically if an account/user is allowed more access to the system than what was requested.

dirkdevos
Frequent Advisor

Re: Logging administrative changes

I will take a look at that. I started looking at what SMH (SAM) would log from an auditing viewpoint but there is something about "converting to a trusted system" which the system is not allowing me to do. When I looked at SMSE the only version was for HP-UX 11.2* and I am running 11.31.

 

Ken Grabowski
Respected Contributor

Re: Logging administrative changes

Well, as mentioned before, installing HIDS can give you some trails.  It's along the lines of Tripwire.  Free versions of that can also be found, or you can buy the more complete commercial version of Tripwire.

 

In HP-UX you only have users and one administrator, "root". If you are granting administrative rights you would have to be using sudo or RBAC. Both of those can do logging.  How effective your tracking is will depend on how well you set them up. HP-UX RBAC is much more complete than sudo, and more difficult to set up.  However, if you give somebody the root password or the ability to become root via "su -" it may be difficult to track their actions.

 

In a secure environment root can only log in at the console and only experienced administrators are given the password. It should only be used when absolutely required.  On all other occasions, a normal user account should be used to log in and sudo or RBAC is used to execute commands with a higher privilege. The system should be configured as trusted, and have audsys configured and running. Check the manpage audsys (1M). All users should be configured with a .sh_history file.  It will not give you dates and times, but will include command lines run.  You can create system utilities to collect and date stamp the .sh_history files of users and store them in a secure location for later use, if needed.
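The collection utility described in the reply above, written out as an added example (this is not code from the thread or from HP-UX itself). It snapshots each login user's .sh_history into a root-owned archive directory with a date stamp in the file name and keeps an index of line counts, so a history that shrinks between runs is itself visible. The archive path, the UID cut-off of 100 and the passwd file location are assumptions to adapt locally.

```sh
#!/bin/sh
# Added example, not code from the thread: snapshot each login user's
# .sh_history into a root-owned archive directory with a date stamp in the
# file name. The archive path, the UID cut-off and the passwd file location
# are assumptions.
# Usage (from root's cron): archive_histories /etc/passwd /var/adm/histarchive

# Copy one user's history file with a timestamp and record it in an index.
# Arguments: user name, home directory, archive directory.
# Prints the archived path; returns 1 when the user has no history file.
archive_history() {
    user=$1; home=$2; archive=$3
    src="$home/.sh_history"
    [ -f "$src" ] || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$archive/$user.sh_history.$stamp"
    # Subshell so the restrictive umask does not leak into the caller;
    # the copy is readable only by the account running this script.
    ( umask 077 && cp "$src" "$dest" ) || return 1
    # Index line: stamp, user, line count. A count that shrinks between
    # runs means the user's history was truncated or replaced.
    lines=$(wc -l < "$src" | tr -d ' ')
    printf '%s %s %s\n' "$stamp" "$user" "$lines" >> "$archive/index"
    printf '%s\n' "$dest"
}

# Walk a passwd-format file and archive the histories of ordinary login
# accounts (UID 100 or above with a real shell); prints how many were saved.
archive_histories() {
    passwd_file=$1; archive=$2
    mkdir -p "$archive" && chmod 700 "$archive" || return 1
    count=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $shell in */false|*/nologin|"") continue ;; esac
        [ "$uid" -ge 100 ] 2>/dev/null || continue
        if archive_history "$name" "$home" "$archive" >/dev/null; then
            count=$((count + 1))
        fi
    done < "$passwd_file"
    echo "$count"
}
```

Run it from root's crontab once a day; the index file plus the dated copies give you the "who ran what" record with at least day-level timing, which is what the plain .sh_history lacks.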

dirkdevos
Frequent Advisor

Re: Logging administrative changes

Thanks for the information. We currently have the system locked down so that root can only login at the console and users are limited to certain commands via sudo so we are fairly secure. So if I can get the system into a trusted mode and get audsys up and running I should be good.

Bill Hassell
Honored Contributor

Re: Logging administrative changes

Setting Trusted on 11.31 is just fine -- unless you have shadow passwords enabled. You'll need to revert back to standard security and then convert to Trusted. Although Trusted is 'deprecated' for future releases, 11.31 seems to be the only release for the future so you're just fine.

 

Now you've done the right thing to restrict root to console-only, and I assume that no root user logs in using the console except under extreme conditions (loss of disks, boot problems, crashes). You may wish to restrict the console login with a non-default password.

 

Now only a root user (and the actual user) can change account settings. So the last command will tell you when people are logging in and from which IP address:

 

last -R -100

And of course the shell history file (you do have it set up, correct?) lists the root user commands. sudo commands are logged separately. And your sudoers file prevents sudo to a shell like ksh, sh, csh, etc., correct?

 

Using audsys will require very careful selection of the audited events. You may end up with multi-gigabyte audit files every day and no easy way to find the desired information.

 

It may be prudent to focus on the changes that caused problems and address the mechanisms available to make those changes. For instance, if .profile is getting modified or directory permissions are being changed, only the user and root user can make those changes -- unless someone has used the dreaded 777 'fix' to make something work. Except for temp directories, 777 should never appear on directories without a documented exception...and for files, 777 should always be forbidden.

Bill Hassell, sysadmin
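An added example (not code from the thread) of the permission check the reply above argues for: it reports every mode-777 directory and file under a tree, skipping the temp directories where 777 is legitimate, so the "dreaded 777 fix" shows up in a daily report rather than going unnoticed. The excluded paths (tmp and var/tmp under the root) are an assumption; extend them with your own documented exceptions.

```sh
#!/bin/sh
# Added example, not code from the thread: list 777 directories and files
# below a root, excluding temp directories. Output is "D path" for a
# directory and "F path" for a file. The excluded paths are assumptions.
# Usage: audit_world_writable / > /var/adm/perm_report.$(date +%Y%m%d)

audit_world_writable() {
    root=$1
    case $root in
        /) prefix="" ;;                 # "/" + "/tmp" would give "//tmp", so use an empty prefix
        *) root=${root%/}; prefix=$root ;;
    esac
    # -prune stops find from descending into the temp directories; everything
    # else is tested for all nine permission bits set (-perm -0777).
    find "$root" \( -path "$prefix/tmp" -o -path "$prefix/var/tmp" \) -prune -o \
        -perm -0777 \( -type d -o -type f \) -print |
    while IFS= read -r p; do
        if [ -d "$p" ]; then printf 'D %s\n' "$p"; else printf 'F %s\n' "$p"; fi
    done
}

# Number of findings, for a cron job that alerts when it is not zero.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}
```

Keep yesterday's report and diff it against today's: a new "D" line under an application directory is exactly the change-without-paperwork the original question is about, and it points straight at the mechanism (a chmod by root or the owner) that made it.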
dirkdevos
Frequent Advisor

Re: Logging administrative changes

Thanks for the information. Nothing has caused any issues. I am trying to make sure that the servers that are facing the outside world are PCI compliant and that when my VP asks for an audit log I have the information available.

 

Thanks,

    Dirk

Ken Grabowski
Respected Contributor

Re: Logging administrative changes

PCI compliant!  If you're referring to PCI DSS (Payment Card Industry Data Security Standard) there is a lot more to consider. Your original post appeared to refer to normal administrator and UNIX user account management and audit requirements.  If it's PCI DSS you're looking to be compliant with, you have a lot more to do both on and off the UNIX system.  This is normally a team effort that goes beyond any one system. I would suggest starting with reviewing the information on these sites and seeing who in your organization is tasked with meeting the overall standards.

 

https://www.pcisecuritystandards.org/

http://www.pcicompliance101.net/

 

dirkdevos
Frequent Advisor

Re: Logging administrative changes

Yes, I am talking about PCI DSS. For PCI 3.0 there are some additional things that we need to do and I am just looking at the access to our apache servers. We have taken root access away and restricted user access to certain commands using "sudo".

 

What I need now is to make sure that every time, say for example, the "passwd" command gets executed, it is logged and accounted for.

 

In short, I want to try and make sure that we have locked down the server as much as we can, log certain "activity" and verify that "activity" with the user.
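Since sudo is already the only route to privilege on these servers, its syslog entries are where a "passwd was run by whom" record already lives. The following is an added example (not code from the thread, not part of sudo) that pulls account-management commands out of sudo's default log line format, "sudo: user : TTY=... ; PWD=... ; USER=... ; COMMAND=...", and prints the timestamp, invoking user and full command line for each, ready to be matched against change requests. The sample log lines, host name, user names and the watch list of commands are constructed for this example; the log file location and exact format depend on the local syslog configuration.

```sh
#!/bin/sh
# Added example, not code from the thread: flag account-management commands
# in sudo's syslog entries. The watch list, log format and sample lines are
# assumptions for this example.
# Usage: flag_account_changes /var/adm/syslog/syslog.log

# Writes constructed sample log lines to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:12:45 hpux1 sudo:  dirk : TTY=pts/1 ; PWD=/home/dirk ; USER=root ; COMMAND=/usr/bin/passwd jsmith
Mar  3 10:13:02 hpux1 sudo:  dirk : TTY=pts/1 ; PWD=/home/dirk ; USER=root ; COMMAND=/usr/sbin/usermod -G adm jsmith
Mar  3 10:14:10 hpux1 sudo:  dirk : TTY=pts/1 ; PWD=/home/dirk ; USER=root ; COMMAND=/usr/bin/ls -l /var/adm
Mar  3 10:15:33 hpux1 sudo:   ops : TTY=pts/2 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/sbin/useradd -m tsmith
Mar  3 10:16:01 hpux1 sshd[1234]: Accepted publickey for dirk from 10.0.0.5 port 51234 ssh2
EOF
}

# Print "timestamp user command-line" for every sudo entry whose command
# basename is on the watch list. Non-sudo lines and other commands are ignored.
flag_account_changes() {
    awk -v pat='^(passwd|useradd|usermod|userdel|visudo)$' '
        / sudo: .*COMMAND=/ {
            ts = $1 " " $2 " " $3
            line = $0
            sub(/^.* sudo: +/, "", line)        # "dirk : TTY=... ; COMMAND=/usr/bin/passwd jsmith"
            user = line; sub(/ :.*/, "", user)  # invoking user precedes the first " :"
            cmdline = line; sub(/^.*COMMAND=/, "", cmdline)
            split(cmdline, words, " ")
            n = split(words[1], path, "/")      # basename of the executable
            base = path[n]
            if (base ~ pat) printf "%s %s %s\n", ts, user, cmdline
        }' "$1"
}
```

Run it against the rotated log each day and hand the output to whoever holds the change paperwork; any line without a matching request is the event the audit is meant to catch. Because sudo writes these lines before the command runs, the record exists even when the invoked command does no logging of its own.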