HPE Community
Operating System - HP-UX
1834456 Members
3077 Online
110067 Solutions
New Discussion

Re: Enabling audit logs and audit trails

 
Pabitra Jyoti Lahon
Occasional Contributor

‎07-25-2006 05:00 AM

‎07-25-2006 05:00 AM

Enabling audit logs and audit trails

Can you please let me know the procedure to enable the following audit events. Is this done through the SAM tool? The SAM tool, has an option to enable audit events but I am not sure if that would enable all the below mentioned events or more. Also, can you tell me what is required to enable audit trails. Please let me know at the earliest.

a. Successful and unsuccessful login attempts.
b. Successful and unsuccessful attempts to switch to another user's account (where applicable).
c. Logoffs.
d. User attempts to access files or resources outside their privilege level.
e. User access to all privileged files and/or processes.
f. Operating system configuration changes.
g. Operating system program changes.
h. All changes, that can feasibly be captured, to system hardware and software.
i. All security related changes, including adding users.
j. Failures for computer, program, communications, and operations.
k. Starting and stopping of audit logging.
0 Kudos
Reply
3 REPLIES 3
Pete Randall
Outstanding Contributor

‎07-25-2006 05:12 AM

‎07-25-2006 05:12 AM

Re: Enabling audit logs and audit trails

You need to spend some time with the man page for audit and the rest of the "SEE ALSO"s that it mentions.


Pete

Pete
0 Kudos
Reply
Cheryl Griffin
Honored Contributor

‎07-25-2006 05:18 AM

‎07-25-2006 05:18 AM

Re: Enabling audit logs and audit trails

Some of these are already done without auditing. See last, lastb, who.

Some could be configured outside of auditing, for example running a cron job that provides an swlist > /tmp/swlist.`date +'%m%d%H%M' and also a print_mainifest in the same manner. print_manifest is part of Ignite, a free download for the software depot.

For information on auditing see http://docs.hp.com/en/B2355-90950/ch08s09.html
"Downtime is a Crime."
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎07-26-2006 08:02 AM

‎07-26-2006 08:02 AM

Re: Enabling audit logs and audit trails

If you have 11iv2 (11.23) systems, you can use Standard Mode Audit.

http://www.docs.hp.com/en/5991-1821/ch06s03.html

List of auditable events:
http://www.docs.hp.com/en/B2355-60105/audevent.1M.html

If a real-time response/notification capability is a requirement, you might also want to take a look at HPUX Host IDS to monitor a), b), c), g) and some of d), e), h), and i). HIDS monitors activity using the audit records produced by the same kernel audit subsystem that produces audit records for Standard Mode Audit.

http://h20338.www2.hp.com/hpux11i/cache/324806-0-0-0-121.html

Pierre

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.