HPE Community
Operating System - HP-UX
1826062 Members
4167 Online
109690 Solutions
New Discussion

Re: HP Auditing Cop-out

 
Michael Ernstoff
Frequent Advisor

‎07-10-2001 06:45 AM

‎07-10-2001 06:45 AM

HP Auditing Cop-out

I reported that audit records were not consistently reporting the full pathname of files in HP 11, despite the fact that there was a patch for the same problem in 10.20 and that it is listed as fixed in the HP 11 patch equivalency document.
HP's response was that they will not be producing a patch for HPUX 11.00 as it is not a requirement of the C2 security standards to provide the full path name of the file in question. They have suggested that we install their Praesidium intrusion software, which does provide the required functionality. The 10.20 patch was used as a test for the Praesidium software and was only available for HP workstations.

The C2 requirements state "For events that introduce an object into a user's address space and for object deletion events the audit record shall include the name of the object."
I think that it is extremely debatable to say that the full pathname is not a C2 requirement, as without it the file cannot be identified.

I have a requirement monitor critical files. If /bin/passwd is a critical file, but /etc/passwd is not (from the point of view of monitoring updates) then HP Auditing simply does not work.

Anyone agree / disagree with me?
How can I put pressure on HP to fix this problem?
0 Kudos
Reply
3 REPLIES 3
A. Clay Stephenson
Acclaimed Contributor

‎07-10-2001 07:03 AM

‎07-10-2001 07:03 AM

Re: HP Auditing Cop-out

Hi Micheal,

I can tell you that in general HP does pay attention to Interex's Secial Interest Groups.
If you are not a member of Interex (www.interex.org), you might join and become a Security SIG member.

Regards, Clay
If it ain't broke, I can fix that.
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎07-10-2001 07:12 AM

‎07-10-2001 07:12 AM

Re: HP Auditing Cop-out

Hi Michael:

I agree with you that recording the full path name of the object seems like the only reasonable thing! To do otherwise is ambiguous in my opinion.

Usually, the "works-as-intended" response is obtuse verbiage for "we goofed and we don't have a decent fix without a major effort" [perceived or real].

I also agree with Clay; leverage Interex as a voice.

...JRF...
0 Kudos
Reply
Michael Ernstoff
Frequent Advisor

‎07-11-2001 02:30 AM

‎07-11-2001 02:30 AM

Re: HP Auditing Cop-out

Thanks for your responses.
I am not a member of Interex, but I will look into it.

Any other members out there who can log it for me?

Multiple requests normally carry more weight.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.