Operating System - HP-UX

Configuring Auditing - trusted mode

MohitAnchlia
Frequent Advisor

Configuring Auditing - trusted mode

In my Auditing file under "/etc/rc.config.d" I have following:

AUDITING=0
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDOMON_ARGS="-p 20 -t 1 -w 90"

Questions:

1. Will this enable auditing just by having this file and having Unix run in trusted mode?
2. What changes do I need to make to get all user commands executed by that user? Any example would be helpful.
3. What are user defined events? Any example would be helpful.
4. Auditing is set to 0; does it need to be 1?

IT_2007
Honored Contributor

Re: Configuring Auditing - trusted mode

The best way is to use SAM and turn on auditing.

If you want to use the auditing file in /etc/rc.config.d, set AUDITING from "0" to "1".

You can give some filesystem path where you want to save the logs.
Ninad_1
Honored Contributor

Re: Configuring Auditing - trusted mode

Hi,

Please do read the comments at the beginning of the /etc/rc.config.d/auditing file - they explain the meaning of each parameter. Thus AUDITING=1 is required to enable auditing when the system starts. It is also mentioned that if you have enabled auditing through SAM, this flag may still show 0 (AUDITING=0). So also check through SAM -> Auditing and Security -> any of the Auditing events, users or system calls options, and you will see at the top "Auditing Turned: OFF" or "ON" depending on the status.
You can enable it from Actions -> TURN AUDITING ON. You also need to select which events, users and system calls you want audited, and make sure you have enough space in the selected audit log directory or filesystem.

Regards,
Ninad
MohitAnchlia
Frequent Advisor

Re: Configuring Auditing - trusted mode

Even after enabling auditing, and leaving the auditing at the default events (which is by and large most of them), I couldn't get the events logged in the audit file for other users. It's just logging for root. If I try to get them for a user other than root I get:

/usr/sbin/audisp -u abcUser /.secure/etc/audfile2
users and aids:
abcUser
83
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY


I log in as root and su to abcUser; how would the audit log file audit that type of activity?
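An added example, not from this thread: a filter over audisp-style records that picks out actions performed under a different effective UID than the login identity, which is where a root login that su's to another user shows up. It assumes the HP-UX trusted-mode behaviour that the audit ID (AID) is assigned at login and survives su, and the sample records below are constructed in the column layout of the audisp header shown above (TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY), with made-up values.

```shell
# Constructed sample in audisp's column order; the values are invented.
# Records 2 and 3 come from a root login (AID 0) that did su to uid 83 (abcUser);
# record 4 is a direct login by uid 83, so AID and EUID agree there.
SAMPLE_AUDIT='TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
070109 09:12:01 4021 S 1 4019 0 0 3 0 3 pts/0
070109 09:12:30 4055 S 42 4021 0 83 20 83 20 pts/0
070109 09:13:02 4060 S 2 4055 0 83 20 83 20 pts/0
070109 09:15:11 5102 S 1 5100 83 83 20 83 20 pts/1'

# Print records whose effective UID differs from the login audit ID, i.e. work
# done after an su. Columns are counted from the end of the line (TTY is last)
# so the number of tokens making up TIME does not matter.
su_records() {
    awk 'NR > 1 && NF >= 11 {
        aid = $(NF-5); euid = $(NF-2)
        if (aid != euid) print
    }' "$1"
}

# Count such records that trace back to one login AID (0 for a root login).
su_records_from_aid() {
    su_records "$1" | awk -v aid="$2" '$(NF-5) == aid { n++ } END { print n+0 }'
}

# Write the constructed sample to a scratch file and show the su activity.
AUDIT_FILE="${TMPDIR:-/tmp}/audisp_sample.$$"
printf '%s\n' "$SAMPLE_AUDIT" > "$AUDIT_FILE"
su_records "$AUDIT_FILE"
echo "records attributed to root login after su: $(su_records_from_aid "$AUDIT_FILE" 0)"
```

Because the AID stays that of the original login, `audisp -u abcUser` selects AID 83 and never sees these records; filtering on AID and EUID together is what attributes the su session to the root login.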
IT_2007
Honored Contributor

Re: Configuring Auditing - trusted mode

Here is what I am using, and I am able to collect audit information for all users.

From /etc/rc.config.d/auditing file:

AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=4096000
AUDEVENT_ARGS1=" -P -F -e moddac -e modaccess -e login -e admin"
AUDEVENT_ARGS2=" -P -F -e delete -e readdac"
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 10 -t 1 -w 90"

I set up two mount points and had soft links pointing to audfile1 and audfile2.