Audit and OS Log File Generation and Collection

Daniel Brunner
New Member

Hello

I'm preparing for a client a concept describing which audit files and OS log files on HP-UX and Windows 2000 server should be used for audit data collection from a security point of view. Afterwards the audit data should be collected and placed in a secure environment. The management of the collection process (how often the data are copied, what happens when the disk is full and so on) should also be described. I'm sure other people must already have developed such a concept. Does someone have such a concept?

Part of the HP-UX log files is the syslog file. Different daemons write events to the syslog file. We now have to make a proposal to our client as to which events should be logged in the syslog from a security point of view. Is there someone who could give me some input on which events should be logged? Which daemons have to be configured accordingly? Is there a GUI to configure those daemons? I got the following requirements from our client:

In general, all FAILED access attempts to objects to which an access control list or permission has been applied should be captured. This is of particular interest for OS system files and directories containing user documents of any sensitivity.

Audit Success events will be of interest in particular circumstances:
- Security Policy Changes
- Logon and Logoff
- File and Object Access in directories containing L3 sensitivity documents
- User and group management
- Restart, Shutdown and System

It is not necessary to capture and audit system calls made by a process to its host operating system, unless circumstances warrant this being enabled in very specific cases over short periods of time (Process Tracking). However:

The interactive activity of privileged system accounts that have the capability of impacting the business of the BIS if improperly used (for example "root", "sybbis", "sybase", Win2K Domain Administrators, Novell SA level accounts) should be audited and logged in full (or as fully as technically possible).

Access by users outside their normal realm of activity should be tracked by using exception auditing.


Second question:
Do you have any recommendations as to which events in trusted mode should be monitored from a security point of view?


Sincerely

Daniel Brunner
eran maor
Honored Contributor

Re: Audit and OS Log File Generation and Collection

Hi Daniel

I'll answer a few of your questions, but not all.

1.
If you want to monitor all the events in your system about logins and bad logins, I would advise using these files, which contain all the data you need:

wtmp, btmp, utmp.

File utmp contains a record of all users logged onto the system. File
btmp contains bad login entries for each invalid logon attempt. File
wtmp contains a record of all logins and logouts.

Note that wtmp and btmp tend to grow without bound, and should be
checked regularly. Information that is no longer useful should be
removed periodically to prevent it from becoming too large. Also note
that wtmp and btmp are not created by the programs that maintain them.
Thus, if these files are removed, record-keeping is turned off.

FILES
/etc/utmp
/var/adm/wtmp
/var/adm/btmp

2. About trusted systems

A trusted system has a lot of security options:
the view of /etc/passwd (all ***),
locking users that have bad logins,
requiring a password in single-user mode,
and a lot of other options.

The auditing of a trusted system audits
all system calls that users are making.

I would watch the system calls rm, mv,
newgrp, login.

But my advice is to read all of that PDF on the trusted system and to see if this option is for you.

I am also sending the PDF on the trusted system
if you don't have it.

I know that I didn't answer all your questions, but I hope I helped.
love computers
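The reply points out that wtmp and btmp grow without bound, that they must be trimmed periodically, and that deleting them silently turns record-keeping off because login(1) does not recreate them. The script below is an added example written for this thread (it is not from the HP-UX man page or from either poster): it archives a copy of each file and truncates the original in place, so the inode survives and logging continues. The default paths are the HP-UX ones quoted in the reply; LOGDIR, ARCHIVE and THRESHOLD_KB are assumed environment overrides, and the threshold value is a made-up starting point. The archived copies can still be read afterwards with last(1)/lastb(1) where the local versions accept an alternate file (check the man page).

```shell
#!/bin/sh
# Added example: rotate HP-UX login accounting files without removing them.
# Removing wtmp/btmp turns record-keeping off; truncating keeps it on.

LOGDIR="${LOGDIR:-/var/adm}"                 # HP-UX location from the reply
ARCHIVE="${ARCHIVE:-$LOGDIR/archive}"         # assumed archive directory
THRESHOLD_KB="${THRESHOLD_KB:-10240}"         # assumed rotation threshold

# size_kb FILE: size of FILE in whole kilobytes, rounded up; 0 if absent.
size_kb() {
    if [ -f "$1" ]; then
        wc -c < "$1" | awk '{ printf "%d", ($1 + 1023) / 1024 }'
    else
        echo 0
    fi
}

# rotate_log FILE: copy FILE into ARCHIVE with a timestamp suffix,
# restrict the copy to the owner, then truncate the original in place.
# The original inode is untouched, so login/init keep appending to it.
rotate_log() {
    file="$1"
    mkdir -p "$ARCHIVE" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$ARCHIVE/$(basename "$file").$stamp"
    cp -p "$file" "$dest" || return 1
    chmod 600 "$dest" || return 1
    : > "$file"                 # truncate; never rm
    echo "rotated $dest"
}

# check_and_rotate FILE: report a missing file (record-keeping is off),
# rotate when over the threshold, otherwise report the current size.
check_and_rotate() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "missing $file (record-keeping is off)"
        return 0
    fi
    kb=$(size_kb "$file")
    if [ "$kb" -ge "$THRESHOLD_KB" ]; then
        rotate_log "$file"
    else
        echo "ok $file ${kb}KB below threshold ${THRESHOLD_KB}KB"
    fi
}

# main: check the two unbounded files named in the reply.
main() {
    for f in "$LOGDIR/wtmp" "$LOGDIR/btmp"; do
        check_and_rotate "$f"
    done
}

main
```

Run it from cron as root; a "missing" line in its output is the condition the reply warns about and is worth an alert, since every login or bad-login record is being lost until the file is recreated with the right ownership and mode.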