Re: Auditing on HP-UX 11.0

 
Jill Bowyer
New Member

Auditing on HP-UX 11.0

I need a way to keep better track of what commands are being executed as root on a system (both locally and remotely). Would using the existing auditing tools in HP 11 be the easiest way to do this? Can I do this without converting the entire system to trusted mode? If not, are there any free tools which can do the same thing? Thanks in advance!
Patrick Wallek
Honored Contributor

Re: Auditing on HP-UX 11.0

I haven't used auditing, but if you just want to track the commands issued by root, then make sure you have HISTORY enabled and set your HISTSIZE to something like 500, and then periodically review whatever your HISTFILE is. Mine is /.sh_history.

Ralf Hildebrandt
Valued Contributor

Re: Auditing on HP-UX 11.0

Watching history will only work if the root users have sponge for brains: they can easily remove that file, or link it against /dev/null.

I'd say revoke root privileges and ONLY allow specific users to perform duties requiring root privileges using "sudo".
Postfix/BIND/Security/IDS/Scanner, you name it...
Stephen Bouzan
Frequent Advisor

Re: Auditing on HP-UX 11.0

If you do use security audit tools on HP-UX make sure you write logs to a mount point with plenty of room because they get large rather quickly.
False sense of well being.
Jill Bowyer
New Member

Re: Auditing on HP-UX 11.0

I guess I should have been more specific. Shell histories are interesting when they work, but I also want to keep an eye on things like what files are being changed. Tripwire was suggested but the old free version isn't very practical for us. I was unable to find a solution that was both free as well as up-to-date. That's why I was looking into what's native to HP. As for using sudo, yes, that would be nice but unfortunately we can't do this in this particular case. Thanks for all your replies!
Patrick Wallek
Honored Contributor

Re: Auditing on HP-UX 11.0

You might want to take a look at RCS. RCS is Revision Control System and you can set it up to look at any files you want to monitor.

Here are some sites on RCS:

http://www.gnu.org/directory/rcs.html

http://www.gnu.org/directory/cvs.html

Here is an article from SysAdmin Magazine on setting up Web/RCS to work with Oracle. It should still be informative for you, even if you aren't running Oracle.

http://www.sysadminmag.com/articles/2000/0002/0002a/0002a.htm

Jim Hendrick
Advisor

Re: Auditing on HP-UX 11.0

Hi,
I would recommend two things:
1) disable remote root commands
2) use sudo for all root access. It's available at a number of places, but you should start by going to:
http://www.courtesan.com/sudo/index.html
and reading up on it.

To elaborate a bit. Regarding remote root commands: unless the remote system (and its administrative staff) is *completely trusted*, this is a very risky thing to do. I assume you allow this using the "R" commands (rsh, rlogin, rexec, etc.). These do no authentication at all other than that the request came from root on some remote system. You can restrict this a bit using /var/adm/inetd.sec to control (any) services that are run from /etc/inetd.conf (similar to tcp_wrapper, which is available for all UNIX systems and is also another *essential* security tool), but it is still very risky.

As to "sudo", it allows very fine grained control over which user can run what command(s) on which system(s) as which user. Really, do check it out. It might address a lot of your issues with both logging *and* remote commands as well, if it were used on the remote systems too. Command logging is done via syslog (using local2 by default) and thus can be forwarded to a central loghost if you run it on a number of systems.

CAVEATS:
Do not give any root sudo privs to someone you would not trust with root. Period.
Do not assume there are no other ways of running root commands (especially since syslog can be stopped/restarted pretty easily to hide the audit trail).
Do not attempt to ram this one down your administrators' throats. Introduce it slowly and gain some strong converts in the admin staff before rolling it out fully. Ask the best admin to help you set it up and "try" using it for a week or so (while still allowing root login or "su"). Once you have some strong allies (and have worked out your local site specific gotchas) then you can restrict who has the root password/can "su".
GOTCHAS
sudo command - runs "command" as root
sudo command > file - writes to "file" as you (not root)
sudo command1 | command2 - runs command1 as root and command2 as you. If you need to pipe commands together do:
sudo command1 | sudo command2


Good Luck!!

Jim
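Jim's post mentions that sudo logs every command via syslog (local2) and that those logs can be forwarded to a central loghost, and it also warns not to assume sudo is the only route to root commands. The script below is an added example, not something from this thread or from the sudo project: it parses the syslog-style lines sudo writes, counts allowed root commands per user, and flags allowed commands that started an interactive shell or su (sudo logs the shell itself, not the commands typed inside it, so those entries deserve a closer look). The log lines are constructed for the example; the one assumption about layout is the standard syslog prefix (date, time, host, "sudo:") in front of sudo's own "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." record.

```shell
#!/bin/sh
# Added example: summarize sudo entries collected on a central loghost.
# The lines below are constructed sample data, not output from a real system.
SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 hpux1 sudo:     jill : TTY=pts/0 ; PWD=/home/jill ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar  1 10:05:12 hpux1 sudo:     jill : TTY=pts/0 ; PWD=/home/jill ; USER=root ; COMMAND=/usr/bin/ksh
Mar  1 10:07:40 hpux2 sudo:      bob : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/swinstall
Mar  1 10:09:03 hpux2 sudo:      bob : command not allowed ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su -
Mar  1 10:12:55 hpux1 sudo:     jill : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/jill ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
EOF
)

# Turn each sudo syslog line into one record: "host user status command".
# Field 4 is the host and field 6 the invoking user once awk collapses the
# repeated spaces; the status comes from sudo's own failure phrases.
sudo_records() {
    awk '{
        user = $6
        status = "ok"
        if (index($0, "command not allowed") > 0) status = "denied"
        else if (index($0, "incorrect password attempts") > 0) status = "badpass"
        cmd = $0
        sub(/.*COMMAND=/, "", cmd)
        print $4, user, status, cmd
    }'
}

# Count commands that actually ran as the target user, per invoking user.
count_allowed_by_user() {
    sudo_records | awk '$3 == "ok" { n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# List allowed commands whose program is a shell or su: everything typed
# inside that session is invisible to sudo's log, so review those sessions.
shell_escapes() {
    sudo_records | awk '$3 == "ok" && $4 ~ /\/(sh|ksh|csh|bash|su)$/ { print $1, $2, $4 }'
}

# Report on the sample data; replace the printf with "cat /var/adm/syslog/local2.log"
# (or wherever local2 is directed on the loghost) for real input.
printf '%s\n' "$SAMPLE_LOG" | count_allowed_by_user
printf '%s\n' "$SAMPLE_LOG" | shell_escapes
```

Denied and bad-password entries are kept in the records as well, so the same functions can feed a report on refused attempts; they are excluded from the counts above because nothing ran.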