George Doller
Frequent Advisor

Auditing questions??

I turned on auditing in /etc/rc.config.d. I see data going to my audfile1, but when I type audisp -p, I get the following message:

audisp: can't read audit file ?????

and then:

Note: # files opened successfully = 0

I guess my first question is: did I start it correctly? Any ideas on the error messages? Does my system need to be trusted in order for audit to work? Any input would be appreciated. Thanks.
Craig Rants
Honored Contributor

Re: Auditing questions??

Try specifying a file, i.e.

audisp -p /var/adm/acct

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Darren Prior
Honored Contributor

Re: Auditing questions??

Hi George,

Yes, the system must be trusted, but I'm guessing it is if you've got data going into the file. You just need to specify the audit log file, i.e.:

audisp -p /.secure/etc/audfile1

Check the man page for confirmation: audisp(1M).

regards,

Darren.
Calm down. It's only ones and zeros...
George Doller
Frequent Advisor

Re: Auditing questions??

I tried audisp -p /home/.secure/etc/audfile1

and I get some information, but for every entry the user field says User=????????. Could this mean root?
At least I see something. Thanks.
George Doller
Frequent Advisor

Re: Auditing questions??

Is there anything else I can use besides auditing to see login attempts and things like that?
Darren Prior
Honored Contributor

Re: Auditing questions??

Hi George,

Now that depends on what events/system calls you are auditing! You may get further info from the group info. This could be a root user, or it could be from something like a failed login process where the user isn't known at that time.

Now you've got auditing working, you need to work out what you want to get out of it :) I've always had a limited number of pieces of information that I need, so I use audevent to remove ALL events/system calls, then use audevent to add in just the ones I'm interested in.

regards,

Darren.
Calm down. It's only ones and zeros...
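Darren's recipe above (switch off every event and system call with audevent, then switch back on only the ones you care about) written out as commands. This is an added example, not code from the thread. The flag meanings are taken from audevent(1M) as I read it (-p/-f disable auditing of successful/failed operations, -P/-F enable it, -E/-S select all events/system calls, -e names one event); the choice of the login and admin events is an assumption for illustration. Run with no arguments the script only prints the two commands; run as `sh script.sh apply`, as root on a system where auditing is already started, it executes them. Confirm the flags and event names against the audevent(1M) page on your own release before applying.

```shell
#!/bin/sh
# Added example (not from the thread): narrow HP-UX auditing to a chosen
# set of events. Step 1 disables auditing of all events and system calls;
# step 2 re-enables pass and fail auditing for the named events only.
# Flag meanings assumed from audevent(1M): -p/-f disable success/failure
# auditing, -P/-F enable it, -E/-S select all events/syscalls, -e <event>
# names one event. Verify on your release before use.

# Build the argument list for step 2 from a list of event names.
# Kept as a pure function so it can be checked without audevent present.
audit_event_args() {
    args="-P -F"
    for ev in "$@"; do
        args="$args -e $ev"
    done
    printf '%s\n' "$args"
}

# Dry run: print the two audevent invocations in order, without running them.
show_plan() {
    echo "audevent -p -f -E -S"
    echo "audevent $(audit_event_args "$@")"
}

# Real run: needs root and a running audit subsystem (audsys).
apply_plan() {
    audevent -p -f -E -S || return 1
    # word splitting of the generated argument list is intended here
    audevent $(audit_event_args "$@") || return 1
    audevent          # no options: print the current event selection
}

# Assumed event choice for this thread: login attempts and admin actions.
EVENTS="login admin"

case "${1:-plan}" in
    apply) shift; apply_plan ${EVENTS} ;;
    *)     show_plan ${EVENTS} ;;
esac
```

Order matters: the disable-all call first, then the selective enable, otherwise the -E -S call wipes out the selection you just made.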
Darren Prior
Honored Contributor
Solution

Re: Auditing questions??

Hi again!

last and lastb could be useful if you only need login attempt info.

regards,

Darren.
Calm down. It's only ones and zeros...
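To make last/lastb useful for what George asked about (spotting login attempts), here is an added example, not code from the thread, that summarises lastb output per user and source host and flags repeated failures. It runs offline on a constructed sample whose layout approximates HP-UX lastb formatting (user, line, host, date); the sample, the field positions and the "btmp begins" footer line are assumptions, so check them against real lastb output on your box before piping it in.

```shell
#!/bin/sh
# Added example (not from the thread): summarise failed login attempts
# from lastb(1) output. The sample below is constructed, not real data,
# and its layout (user, line, host, date ...) is an assumption about
# HP-UX lastb formatting. A console entry has no host field, which is the
# edge case the parser has to handle.

sample_lastb() {
cat <<'EOF'
gdoller   pts/ta    10.1.1.5     Tue Feb 11 09:02 - 09:02  (00:00)
root      pts/tb    10.1.1.7     Tue Feb 11 09:05 - 09:05  (00:00)
root      pts/tb    10.1.1.7     Tue Feb 11 09:05 - 09:05  (00:00)
root      pts/tb    10.1.1.7     Tue Feb 11 09:06 - 09:06  (00:00)
root      pts/tb    10.1.1.7     Tue Feb 11 09:06 - 09:06  (00:00)
oracle    console                Tue Feb 11 09:10 - 09:10  (00:00)
root      pts/tc    10.1.1.7     Tue Feb 11 09:11 - 09:11  (00:00)

btmp begins Tue Feb 11 09:00
EOF
}

# Count failures per (user, host), most frequent first. If the third field
# is a weekday the entry had no host (local/console login). Blank lines and
# the trailing "btmp begins" footer are skipped.
failed_login_summary() {
    awk '
        NF == 0 || $1 == "btmp" { next }
        {
            host = $3
            if (host ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) host = "local"
            n[$1 " " host]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2
}

# Print only the (user, host) pairs at or above a failure threshold,
# e.g. to surface password guessing against root from one address.
flag_repeated_failures() {
    threshold="$1"
    failed_login_summary | awk -v t="$threshold" '$1 >= t'
}

# Live use on a real system:  lastb | failed_login_summary
sample_lastb | failed_login_summary
echo "--- pairs with at least 3 failures:"
sample_lastb | flag_repeated_failures 3
```

Note that lastb only knows what login(1) wrote to btmp; it does not cover su, remote shells or other paths the audit subsystem's login and admin events would record, so it complements rather than replaces auditing.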
Helen French
Honored Contributor

Re: Auditing questions??

Check this document (TKB#2200221753):
http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000063248221

Also select "Managing system security" and then "auditing" from this document:
http://www.docs.hp.com/hpux/onlinedocs/B2355-90672/B2355-90672.html

Life is a promise, fulfill it!
doug hosking
Esteemed Contributor

Re: Auditing questions??

George, re the '??????' display, every process normally has associated with it an audit ID, which is a constant throughout the lifetime of the process, even if the UID changes. The '??????' means there is not yet an audit ID associated with that process. This can be for a number of reasons. The process might have been started before auditing was turned on (or the system was converted to trusted mode). In other cases it is because you are not current on patches, especially inetd patches.

Re the previous reply about pacct, etc. please do not confuse auditing with process accounting. They are not the same. Using audisp to look at a process accounting file is not going to work.