HPE Community
Operating System - HP-UX
1833818 Members
2528 Online
110063 Solutions
New Discussion

HP-UX 11.11 Trusted Mode Audit Files

 
MikeCagg
Occasional Visitor

‎12-14-2011 08:18 AM

‎12-14-2011 08:18 AM

HP-UX 11.11 Trusted Mode Audit Files

After converting my C8000 HP-UX 11.11 over to trusted mode and turning on auditing I tested the login auditing feature. When I failed a login by mistyping a user password the audit log displayed that the login failed but it displayed the user as ??????? (question marks). Why doesn't it display the correct user id? How can I fix this so that the user id is displayed? Also how can I audit when a user logs out?

0 Kudos
Reply
4 REPLIES 4
Dennis Handly
Acclaimed Contributor

‎12-14-2011 09:05 PM

‎12-14-2011 09:05 PM

Re: HP-UX 11.11 Trusted Mode Audit Files

You can also see login/logoff info by using last(1).

0 Kudos
Reply
MikeCagg
Occasional Visitor

‎12-15-2011 04:11 AM

‎12-15-2011 04:11 AM

Re: HP-UX 11.11 Trusted Mode Audit Files

Thank you but my IT security dept. requires that the users/actions information is logged to the audit files. Do you know why I'm getting question marks instead of the user id? Is it patch related?

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎12-15-2011 07:43 AM

‎12-15-2011 07:43 AM

Re: HP-UX 11.11 Trusted Mode Audit Files

My guess is that it might be because of thinking like "As the user was not able to enter the password that matched the claimed username, his/her identity could not be confirmed. Therefore, the log should show that the identity of the user was unknown at that point." The audit log is supposed to be comparable to a legal evidence record: if something is not verifiable, it should not be logged the same way as a certain fact.

 

Another reason for omitting the usernames in this case would be an intent to protect users' passwords from accidental disclosure: I think there's research showing that typing a password in the username prompt is a common mistake.

 

So, if your job is to read audit logs and you see a failing login attempt by username "S3kR1tP@$$" and a successful login by "joeuser" a few seconds afterwards from the same terminal/remote host, you would have a high confidence that Joe User just made a mistake of typing without looking, and that "S3kR1tP@$$" is in fact his password. As a result, you could now log in to the system pretending to be Joe User... and this is clearly unacceptable. Therefore, blanking out unproven usernames in the logs is a good security practice in addition of preserving the quality of the audit log as legal evidence.

 

MK
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎12-15-2011 08:25 AM

‎12-15-2011 08:25 AM

Re: HP-UX 11.11 Trusted Mode Audit Files

>Another reason for omitting the usernames in this case would be an intent to protect users' passwords from accidental disclosure

 

That's why lastb(1) and /var/adm/btmps requires root.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.