
Re: Audit on non-trusted system

 
Kirill Cherkashin
Frequent Advisor

Audit on non-trusted system

Hi,

Is it possible to turn on auditing on a non-trusted system?

Kirill
Elmar P. Kolkman
Honored Contributor
Solution

Re: Audit on non-trusted system

Absolutely. Auditing only records a lot of the activity on your system, and has nothing to do with being trusted or not.
Every problem has at least one solution. Only some solutions are harder to find.
Darren Prior
Honored Contributor

Re: Audit on non-trusted system

No. Auditing (to the best of my knowledge) requires a trusted system. If you try to configure auditing on a non-trusted system through SAM it will prompt you to convert the system.

If you attempt to run audsys from the command line on an untrusted system it will complain that auditing is not set up correctly. A user's audit ID is defined within /tcb, so on an untrusted system audusr will not work.

regards,

Darren.
Calm down. It's only ones and zeros...
Kirill Cherkashin
Frequent Advisor

Re: Audit on non-trusted system

Darren,
Not exactly. It seems to me that I successfully turned on auditing through the /etc/rc.config.d file.

In /etc/rc.config.d/auditing I found this:

1.
# AUDITING: Set to 1 to enable the auditing system. Note: if auditing
# is enabled via SAM, the AUDITING and other configuration
# variables are ignored.
#

2. audsys output

# audsys
auditing system is currently on
current file: /.secure/etc/audfile1
next file:    /.secure/etc/audfile2
statistics-   afs Kb  used Kb  avail %   fs Kb  used Kb  avail %
current file:   1000        0      100  143360    61384       57
next file:      1000        0      100  143360    61384       57
#


Darren Prior
Honored Contributor

Re: Audit on non-trusted system

Hi Kirill,

I agree that you have enabled auditing, and you obviously have the config file (audnames), but the results you get will be meaningless as there are no audit IDs.

The following doc discusses auditing; one of the first points is that it's provided with a trusted system:
http://docs.fc.hp.com/cgi-bin/onlinedocs.py?mpn=B2355-90121&service=hpux&path=../B2355-90121/00/00/18&title=Administering%20Your%20HP-UX%20Trusted%20System

Can I ask 2 questions:

1) Are you using the shadow password product?
This might make a difference, if audit IDs are present. I've not used this product yet (most people tend to trust the system rather than use just the shadow password product - in my experience.)

2) What are you hoping to get from running auditing?

regards,

Darren.
Calm down. It's only ones and zeros...
Kirill Cherkashin
Frequent Advisor

Re: Audit on non-trusted system

Hi Darren,


1) I am using and not using shadow passwords at the same time ;-)
One machine has shadowing at the moment and the second one is waiting until the nearest weekend because we need to reboot the box,
and I turned on auditing on them simultaneously.
Anyway, you are absolutely right: I started to get emails from the non-shadow machine complaining that we have a problem with the audit ID:
-----Original Message-----
From: root@mowux04 [mailto:root@mowux04]
Sent: Wednesday, November 26, 2003 2:04 PM
Subject:
Cron: Your job did not contain a valid audit ID. See your system administrator.

The 'shadow' box keeps silent.

In fact, I'd rather install the shadow password file than use a trusted system.
I had a not very nice experience after converting to a trusted system.

2) I'm trying to turn on auditing only for the purpose of being compliant with our internal policies. In fact, our servers are located in isolated internal networks and we really don't need to tighten security so much.
Darren Prior
Honored Contributor

Re: Audit on non-trusted system

Hi Kirill,

1) So, auditing appears to work with the shadow password product... It sounds like it provides the audit IDs correctly which is a starting point. However I don't believe it is an HP supported configuration at this time - it's your choice if you want to use it though.

I understand your reasons for converting the box to trusted, there's a fair bit of info available on the forums regarding this topic too.

2) If your internal policies require auditing to be used I'd imagine they would require it to be applied in a way that is supported by the OS vendor. Auditing is probably quite useful to your environment - it's logging info about the way people use the system once they're logged on, as well as people attempting to gain access to it. You'll also need to investigate archiving and switching the audit files - again there's info on the forums.

regards,

Darren.
Calm down. It's only ones and zeros...
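
A pre-check built from the distinctions drawn in this thread, as an added example that is not code from any of the posters or from HP: it reads the AUDITING variable from /etc/rc.config.d/auditing and reports whether the host has a source of audit IDs. The function names, the status strings, and the use of /tcb/files/auth and /etc/shadow as markers for a trusted system and for the shadow password product are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT lets the check run against a copied
# or constructed file tree; on a live host call audit_precheck with no argument.
# Assumptions: /tcb/files/auth marks a converted (trusted) system and
# /etc/shadow marks the shadow password product.

audit_precheck() {
    root="${1:-}"
    cfg="$root/etc/rc.config.d/auditing"
    enabled=""
    if [ -r "$cfg" ]; then
        # The last uncommented AUDITING= assignment wins, as when the file is
        # sourced at boot. Quotes around the value are stripped first.
        enabled=$(tr -d "\"'" < "$cfg" |
            sed -n 's/^[[:space:]]*AUDITING=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    fi
    if [ "$enabled" != "1" ]; then
        echo "auditing-not-enabled-in-rc"
    elif [ -d "$root/tcb/files/auth" ]; then
        echo "trusted"
    elif [ -f "$root/etc/shadow" ]; then
        echo "shadow-only"
    else
        echo "no-audit-ids"
    fi
}

# Turns a status into the consequence reported in the thread.
audit_advice() {
    case "$1" in
        trusted)
            echo "trusted system: audit IDs are defined under /tcb" ;;
        shadow-only)
            echo "shadow passwords only: ran without audit ID complaints in the thread, but was described there as not HP supported" ;;
        no-audit-ids)
            echo "no /tcb and no shadow file: expect cron mail about a missing valid audit ID" ;;
        *)
            # The rc file's own comment says these variables are ignored when
            # auditing was enabled through SAM, so confirm with audsys.
            echo "AUDITING is not 1 in the rc file: confirm the live state with audsys" ;;
    esac
}
```

On a live host, `audit_advice "$(audit_precheck)"` prints the one-line assessment.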