12-14-2011 08:18 AM
HP-UX 11.11 Trusted Mode Audit Files
After converting my C8000 HP-UX 11.11 over to trusted mode and turning on auditing I tested the login auditing feature. When I failed a login by mistyping a user password the audit log displayed that the login failed but it displayed the user as ??????? (question marks). Why doesn't it display the correct user id? How can I fix this so that the user id is displayed? Also how can I audit when a user logs out?
12-14-2011 09:05 PM
Re: HP-UX 11.11 Trusted Mode Audit Files
You can also see login/logoff info by using last(1).
12-15-2011 04:11 AM
Re: HP-UX 11.11 Trusted Mode Audit Files
Thank you but my IT security dept. requires that the users/actions information is logged to the audit files. Do you know why I'm getting question marks instead of the user id? Is it patch related?
12-15-2011 07:43 AM
Re: HP-UX 11.11 Trusted Mode Audit Files
My guess is that it might be because of thinking like "As the user was not able to enter the password that matched the claimed username, his/her identity could not be confirmed. Therefore, the log should show that the identity of the user was unknown at that point." The audit log is supposed to be comparable to a legal evidence record: if something is not verifiable, it should not be logged the same way as a certain fact.
Another reason for omitting the usernames in this case would be an intent to protect users' passwords from accidental disclosure: I think there's research showing that typing a password in the username prompt is a common mistake.
So, if your job is to read audit logs and you see a failing login attempt by username "S3kR1tP@$$" and a successful login by "joeuser" a few seconds afterwards from the same terminal/remote host, you would have a high confidence that Joe User just made the mistake of typing without looking, and that "S3kR1tP@$$" is in fact his password. As a result, you could now log in to the system pretending to be Joe User... and this is clearly unacceptable. Therefore, blanking out unproven usernames in the logs is a good security practice in addition to preserving the quality of the audit log as legal evidence.
12-15-2011 08:25 AM
Re: HP-UX 11.11 Trusted Mode Audit Files
>Another reason for omitting the usernames in this case would be an intent to protect users' passwords from accidental disclosure
That's why lastb(1) and /var/adm/btmps require root.
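The masking behaviour discussed in the replies above, as an added example that is not part of the original thread and is not HP-UX's own audit code. The record layout, the `audit_login` and `format_record` names and the `claimed_tag` field are assumptions; the keyed digest goes beyond what the thread describes and is one way to let an auditor correlate repeated failures against the same claimed name without writing that string to the log.

```python
import hashlib
import hmac
import time

MASK = "???????"  # placeholder shown for an unverified identity, as in the thread


def audit_login(claimed_user, authenticated, tty, corr_key, now=None):
    """Build one login audit record (constructed format, not HP-UX's).

    A name is written in clear only after authentication succeeds. On failure
    the claimed string may be a mistyped password, so it is masked and only a
    keyed digest is kept for correlating repeated attempts.
    """
    record = {
        "time": int(time.time() if now is None else now),
        "event": "login",
        "tty": tty,
        "result": "success" if authenticated else "failure",
    }
    if authenticated:
        record["user"] = claimed_user
    else:
        record["user"] = MASK
        # HMAC rather than a bare hash: without the key, a reader of the
        # log cannot test guessed strings against the tag.
        tag = hmac.new(corr_key, claimed_user.encode("utf-8"), hashlib.sha256)
        record["claimed_tag"] = tag.hexdigest()[:16]
    return record


def format_record(record):
    """Render a record as one key=value line, fields in sorted order."""
    return " ".join(f"{k}={record[k]}" for k in sorted(record))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: random, readable by root only
    # Constructed sample: password typed at the username prompt, then a real login.
    for name, ok in [("S3kR1tP@$$", False), ("joeuser", True)]:
        print(format_record(audit_login(name, ok, "pts/3", key, now=1323964980)))
```
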