
Auditing without Trusted System

 
Tonya Underwood
Regular Advisor

Auditing without Trusted System

Is there a way to audit files/directories/logins without enabling trusted system?

9 REPLIES
Tonya Underwood
Regular Advisor

Re: Auditing without Trusted System

Let me clarify... audit directories

using the following audits:
Admin
Close
Create
Delete
Modaccess
Moddac
Open
Process - is it possible to restrict this to processes generated by command line access from a login? (i.e., I don't necessarily need to know about automated app processes, just commands run from a login shell)
Removable
Login


Thank You
Tonya
Deoncia Grayson_1
Honored Contributor

Re: Auditing without Trusted System

From what I read you cannot audit an hpux server without converting to a trusted server, but maybe these threads can be of help:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=969783

and this document:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS
If no one ever took risks, Michelangelo would have painted the Sistine floor. -Neil Simon
Sundar_7
Honored Contributor

Re: Auditing without Trusted System

Tonya,

Are you running 11.11 or 11.23? It is possible to enable auditing in 11.23 without converting the system to trusted.
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SecurityExt

But why would you not want to trust the system?

Sundar
Learn What to do, How to do and more importantly When to do?
Tonya Underwood
Regular Advisor

Re: Auditing without Trusted System

11.00 :(

My customer has stated that it will cause problems with the applications. We are trying to understand the reason why, but this information is difficult to get.
Tonya Underwood
Regular Advisor

Re: Auditing without Trusted System

OK... so we must trust!! :)

Can I turn on auditing on selective filesystems? Turn off auditing on some filesystems? How?

Thanks,
Tonya
Deoncia Grayson_1
Honored Contributor

Re: Auditing without Trusted System

Look at this document for more information on auditing:

http://docs.hp.com/en/B2355-90121/ch02s05.html
If no one ever took risks, Michelangelo would have painted the Sistine floor. -Neil Simon
Tonya Underwood
Regular Advisor

Re: Auditing without Trusted System

Yes, I've read that document. It does not address this issue. Does all this silence mean nobody knows? If there is a way, I do not see it documented. I was hoping someone had found a flat file you can modify, something...

Tonya
Bill Hassell
Honored Contributor
Solution

Re: Auditing without Trusted System

The choices for auditing are shown in SAM. Since auditing occurs at the kernel level, individual files and directories can't be differentiated. You can audit reads and writes (which the kernel understands) but the actual filename is part of the user space. A user program requests that a file be opened by communicating with the LVM and filesystem code and gets back a file descriptor block. Reading and writing that file requires the filesystem code to translate the record in the file into an lvol block and the LVM code translates this into an actual kernel read/write request for the disk (which can be audited).


Bill Hassell, sysadmin
Tonya Underwood
Regular Advisor

Re: Auditing without Trusted System

I see... that explains it. Thanks!