how to use auditing

JIM NIU
Occasional Contributor

how to use auditing

We have a consultant working here and we need to give him a root-privileged ID, i.e., an account with UID=0. We plan on turning on auditing on this ID. My question is: if we have a few other accounts that have UID=0 which are used by other sysadmins, can auditing still tell me if certain events were triggered by the consultant's account? Any thoughts/experience will be appreciated.
4 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: how to use auditing

Hi:

It's the 'uid' that identifies an account. '/etc/passwd' simply maps the uid value to a name. Thus, there would be no way to distinguish your consultant from the "real" root.

To enable auditing (accounting) have a look at the 'acct' man pages. You can also search docs.hp.com with a string "auditing" for more information.

Regards!

...JRF...
MANOJ SRIVASTAVA
Honored Contributor

Re: how to use auditing

Hi

Changing the UID to 0 or 3 will not help, as everything will be run by root only and you will find it difficult to audit. The other alternative is to restrict direct login to root and then have the users su to root to run the jobs; this way you can know from /var/adm/sulog who had logged in as root.

Another way is to have a restrictive login, like having partial access.


Manoj Srivastava
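The sulog approach above only works if someone actually reads /var/adm/sulog and ties each root session back to the personal account that started it. The following is an added example (not posted by anyone in this thread) that does that: a few POSIX shell functions that summarise sulog-format records. The records embedded in SAMPLE_SULOG are constructed for illustration and follow the HP-UX layout `SU MM/DD HH:MM [+|-] tty from-to`; on a real system the functions read /var/adm/sulog instead.

```sh
#!/bin/sh
# Added example: summarise /var/adm/sulog so that su-to-root sessions can be
# tied back to the personal account that started them.
# Record layout (HP-UX sulog): SU MM/DD HH:MM [+|-] tty from-to
# The lines below are constructed sample data, not from any real system.
SAMPLE_SULOG='SU 03/14 09:12 + pts/1 jsmith-root
SU 03/14 09:40 - pts/2 consult1-root
SU 03/14 09:41 + pts/2 consult1-root
SU 03/14 11:05 + pts/3 m-tully-root
SU 03/14 11:30 + pts/2 consult1-oracle
SU 03/14 14:02 + console root-jsmith'

# root_su_sessions: read sulog text on stdin and print "date time tty user" for
# each successful su to root. The originating user is recovered by stripping
# the trailing "-root" rather than splitting on "-", so user names that
# themselves contain a hyphen (m-tully above) survive intact. Records for su
# to other accounts (consult1-oracle) and su away from root (root-jsmith) are
# ignored.
root_su_sessions() {
    awk '$1 == "SU" && $4 == "+" && sub(/-root$/, "", $6) { print $2, $3, $5, $6 }'
}

# failed_root_su: same layout, but for denied attempts (the "-" records).
# Failures from an account that has no business running su are worth alerting on.
failed_root_su() {
    awk '$1 == "SU" && $4 == "-" && sub(/-root$/, "", $6) { print $2, $3, $5, $6 }'
}

# root_su_count USER: number of successful su-to-root sessions by USER on stdin.
root_su_count() {
    root_su_sessions | awk -v u="$1" '$4 == u { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample. On a live system use:
#   root_su_sessions < /var/adm/sulog
printf '%s\n' "$SAMPLE_SULOG" | root_su_sessions
echo "consultant root sessions: $(printf '%s\n' "$SAMPLE_SULOG" | root_su_count consult1)"
```

This only attributes sessions if root cannot log in directly, otherwise a direct root login leaves no sulog record at all, which is exactly the restriction the reply above recommends.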
Michael Tully
Honored Contributor

Re: how to use auditing

If they are auditors for example, the best way would be to:

Implement 'sudo' with pre-conceived commands that they are allowed to use, with everything copied to a 'typescript' file. See man 'script'.

Sit with the consultant and run the commands yourself.

If they are auditors, why can't they give you a script to run which you can review before it is started?

When I've dealt with auditors, they do not under any circumstances get near a keyboard.

If you do not implement something to safeguard yourself, you don't know what, if any, changes have been made.
Anyone for a Mutiny?
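One way to realise the "sudo with pre-conceived commands, everything copied to a file" idea from the reply above is to have sudo run a small wrapper instead of the commands directly. The following is an added example, not code from this thread: the wrapper allowlists the command by name, runs it with a fixed PATH, and appends the caller, the full argument list, the output and the exit status to a per-user log. The command names in ALLOWED_CMDS and the log directory are assumed values; the wrapper records output with `tee` rather than keystrokes, so it suits fixed commands rather than an interactive shell, which is what `script` would capture.

```sh
#!/bin/sh
# Added example: a wrapper that sudo can be pointed at, so a restricted account
# can run only pre-agreed commands and every invocation is logged.
# Command names and the log directory are constructed/assumed values.

# Space-separated command names the account may run (assumed list).
: "${ALLOWED_CMDS:=bdf ioscan swlist lvdisplay}"
# Directory for the logs (assumed path; must not be writable by the account).
: "${TYPESCRIPT_DIR:=/var/adm/consultant}"

# is_allowed CMD: succeed if CMD (by basename) is in ALLOWED_CMDS.
is_allowed() {
    _base=${1##*/}
    for _c in $ALLOWED_CMDS; do
        [ "$_c" = "$_base" ] && return 0
    done
    return 1
}

# run_logged CMD [ARG...]: run an allowlisted command, appending a header with
# the invoking user and argument list, the combined output, and the exit
# status to $TYPESCRIPT_DIR/<user>.log. Returns the command's own exit status.
run_logged() {
    [ $# -gt 0 ] || { echo "usage: run_logged CMD [ARG...]" >&2; return 2; }
    is_allowed "$1" || { echo "run_logged: '$1' is not an allowed command" >&2; return 126; }
    # Fixed PATH so the caller cannot substitute their own binary for an
    # allowlisted name; sudo exports the real caller as SUDO_USER.
    PATH=/usr/bin:/bin:/usr/sbin:/sbin; export PATH
    _who=${SUDO_USER:-$(id -un)}
    _log="$TYPESCRIPT_DIR/$_who.log"
    mkdir -p "$TYPESCRIPT_DIR" || return 1
    {
        printf '=== %s user=%s argv=' "$(date '+%Y-%m-%d %H:%M:%S')" "$_who"
        printf '%s ' "$@"
        printf '\n'
    } >> "$_log"
    # tee shows the output to the caller and copies it to the log. The command's
    # exit status travels through a temp file because in POSIX sh a pipeline's
    # status is tee's, not the command's.
    _st="${TMPDIR:-/tmp}/run_logged.$$"
    { "$@" 2>&1; echo "$?" > "$_st"; } | tee -a "$_log"
    read _rc < "$_st"
    rm -f "$_st"
    printf '=== exit status %s\n' "$_rc" >> "$_log"
    return "$_rc"
}
```

Installed as a script whose last line is `run_logged "$@"`, it can be the only command the consultant's sudoers entry permits; the log then holds a per-command record that can be reviewed after the engagement, which is the safeguard the reply above is asking for.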
doug hosking
Esteemed Contributor

Re: how to use auditing

The responses here show some common confusion about the difference between accounting (acct) and auditing (audsys, audisp, etc.).

If you really plan to use the auditing features available within trusted mode, you should be able to distinguish between the uid 0 accounts. This is because each login session gets an audit ID in addition to a UID. (See the man pages for getaudid, setaudid, and audusr.)

Unless your system is badly misconfigured, the audit ID is unique for each user on the system. The audit records displayed by audisp should let you trace the actions of this user.