
Auditing Trusted mode

Randy Gelineau
Occasional Advisor

Auditing Trusted mode

I have trusted mode installed and configured on many HP-UX 11i workstations. We have a security requirement to audit the systems each week. We are having trouble keeping up with the large amount of log entries. We ultimately would like to automate the auditing or at least get the log entries into a more human-readable form. Is there a way to accomplish this without writing an entire application?
2 REPLIES
RAC_1
Honored Contributor

Re: Auditing Trusted mode

You can audit an event that you want. Like delete etc.

man audevent. audevent -e "event_you_want_to_monitor"

Anil
There is no substitute to HARDWORK
Sridhar Bhaskarla
Honored Contributor
Solution

Re: Auditing Trusted mode

Hi,

Auditing doesn't provide many tools. You need to use the 'audisp' command to filter out the events and the users.

Moreover, if you enable all the events, then that is what you will get. My consideration would be to audit the default events - moddac, login, admin and the event modaccess + the system calls execv and execve. The last two system calls may log all the commands executed by the users through shell.

You can probably write an awk script to parse out the 'audisp' output and put it in a human readable format. The first row of the output contains the names of the fields.

You may also want to look at IDS/9000 that you can use to get better format in a centralized location.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
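
An added example (not part of the thread, and not code from any poster) of the awk approach suggested in the answer above: it uses the header row to map column names to positions, then counts total and failed events per audit ID. The sample input is constructed, and its layout is an assumption (one whitespace-separated record per line, `E` holding S or F); compare it with real `audisp` output and adjust the column names before relying on it.

```shell
#!/bin/sh
# Constructed sample input: NOT captured audisp output. Assumed layout: a header
# row naming the columns, then one whitespace-separated record per line, with
# E = S (success) or F (failure) and AID = audit ID of the user.
sample_audisp() {
cat <<'EOF'
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
10:15:01 2301 S execve 2290 104 104 20 104 20 pts/1
10:15:07 2302 F open 2290 104 104 20 104 20 pts/1
   (constructed detail line)
10:16:40 2410 S execve 2400 0 0 3 0 3 console
10:17:02 2302 F open 2290 104 104 20 104 20 pts/1
10:18:13 2433 F chmod 2400 107 107 20 107 20 pts/2
EOF
}

# Reads report text on stdin, prints one line per (audit ID, event) pair.
summarize_audit() {
  awk '
    # Until a header is found: the header is the first line with an EVENT field.
    !n {
      for (i = 1; i <= NF; i++) if ($i == "EVENT") n = NF
      if (n) for (i = 1; i <= NF; i++) col[$i] = i   # column name -> position
      if (n && !(("AID" in col) && ("E" in col))) exit  # header lacks needed columns
      next
    }
    # Lines that do not match the header width are not records: count and skip.
    NF != n { if (NF) skipped++; next }
    {
      key = $(col["AID"]) SUBSEP $(col["EVENT"])
      total[key]++
      if ($(col["E"]) == "F") failed[key]++
    }
    END {
      if (!(("AID" in col) && ("E" in col))) { print "error: no usable header row"; exit 2 }
      for (k in total) {
        split(k, p, SUBSEP)
        printf "aid=%s event=%s total=%d failed=%d\n", p[1], p[2], total[k], failed[k] + 0
      }
      printf "skipped=%d\n", skipped + 0
    }
  ' | LC_ALL=C sort
}

# Stand-alone run: summarise the constructed sample.
sample_audisp | summarize_audit
```

For a weekly review, the failed counts per audit ID are the lines to read first; a non-zero `skipped` value means the input contained lines that did not match the header width and the layout assumption needs checking.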