Operating System - HP-UX

James A. Donovan
Honored Contributor

Recommendations wanted for audit trail/syslog analysis and reporting systems

Problem: SOX 404 (as well as PCI-DSS) requires that effective monitoring of DBA and system administrator activity be in place, and that it be reviewed by management.

Currently, I centralize the syslog files for my HP-UX systems and use Psionic's logcheck to detect problems. That is good enough for me and mine, but it doesn't satisfy the auditors' requirements, as it is essentially a system where I am monitoring myself.

We have a wide variety of systems (Unix, Linux, NT/W2K, Oracle, and assorted network equipment) that all generate logs. What we don't have is a lot of personnel or spare time. We'd like to put in place a system that centralizes the data collection, analyses said data and can spit out reports for management, the auditors, and the admins.

I've run across a couple of complete systems that seem promising, but I'd like to hear from the community as to what they use and/or recommend.

thanks in advance...

Remember, wherever you go, there you are...
A. Clay Stephenson
Acclaimed Contributor

Re: Recommendations wanted for audit trail/syslog analysis and reporting systems

My choice would be (and is) OpenView Operations. That name may be obsolescent now since I haven't checked today, although OV/O was current as of yesterday. HP's marketing guys have changed the name of this beast at least 4 times, but OV/O is an extremely useful and powerful tool. It gathers data from all over your network and is highly customizable. The idea is that current events (security, resource, network, ...) are all displayed on a monitor. You can then "acknowledge" these current events, which has the effect of placing them in a history log. The history logs are populated by this acknowledgment, so that the existence of an event in a history log is prima facie evidence that the event was reviewed by an administrator. This relieves you of the stupid task of having to sign log sheets or some such. It also maintains a database that might span years of events -- this really impresses the SOX auditors. OV/O is really a tool for any highly available system, and the fact that it greatly simplifies your SOX requirements is simply gravy.

I warn you that the learning curve is far from trivial and you will spend a great deal of time writing templates, but the investment more than pays for itself. For example, imagine knowing that you are running low on disk space and having the LVOL and filesystem automatically expand --- while you are asleep.
If it ain't broke, I can fix that.
Pierre Pasturel
Respected Contributor

Re: Recommendations wanted for audit trail/syslog analysis and reporting systems

Hi James -
What level of monitoring and type of audit trails are your auditors requiring on HPUX and other platforms for SOX? For PCI?

In terms of monitoring capabilities, you might want to take a look at our free downloadable product, HPUX Host IDS (see http://www.hp.com/products1/unix/operating/hostids.html), whose features include real-time file monitoring (based on system call audit records produced by the HPUX audit kernel subsystem) and the monitoring of wtmp[s]/btmp[s] and sulog for both successful and unsuccessful logins/su's. There are other HIDS detection capabilities that may or may not appease your auditors. HIDS delivers some configurable detection capabilities to monitor for the exploitation of certain HPUX/Unix vulnerabilities, while HPUX Audit generates (potentially large) audit trails that preserve very low-level activity on the system (i.e., at the system call level) for later analysis, such as performing forensics after a breach to assess the damage and/or the vulnerability exploited. So, HIDS may or may not appease your auditors, depending on what they mean by "audit trail" or "monitoring."

HPUX HIDS allows you to easily forward its alerts to any management product like OVO that centralizes data collection and generates reports in a multi-platform environment. We supply an OVO SPI that forwards HIDS alerts to OVO so that they can be correlated and reported from the OV console. You can also forward alerts to syslog(). We have a product testimonial, accessible from the URL above, where the customer is using HIDS as part of their SOX compliance solution by having HIDS monitor any activity, including administration activity, for unauthorized modifications.

Pierre
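The sulog monitoring Pierre mentions (successful and unsuccessful su's) is easy to turn into the kind of review report the original poster's auditors are asking for: a summary that someone other than the administrator signs off on. The following is an added example, not code from the original thread or from HP-UX HIDS. It assumes the common HP-UX /var/adm/sulog record layout (`SU mm/dd hh:mm +|- tty from-to`), a hypothetical allow-list of accounts approved to su to root, and a constructed sample log embedded inline so it runs offline.

```python
import re
from collections import Counter
from typing import NamedTuple

# HP-UX /var/adm/sulog record layout, as assumed for this example:
#   SU 03/15 10:22 + pts/1 jdoe-root
#   "SU", month/day, hour:minute, "+" (success) or "-" (failure), tty, from-to
# Assumes usernames contain no hyphen, which is the usual HP-UX convention.
SULOG_RE = re.compile(
    r"^SU\s+(?P<date>\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<result>[+-])\s+"
    r"(?P<tty>\S+)\s+(?P<src>[^\s-]+)-(?P<dst>\S+)$"
)

# Constructed sample, not a real log: two failed su-to-root attempts by
# "mallory", an approved root su by "jdoe", a root su by "asmith" who is not
# on the approved list, two su's to the oracle account, and one malformed
# line that the parser must count rather than crash on or silently drop.
SAMPLE_SULOG = """\
SU 03/15 10:22 + pts/1 jdoe-root
SU 03/15 10:25 - pts/2 mallory-root
SU 03/15 10:26 - pts/2 mallory-root
SU 03/15 10:30 + pts/2 mallory-oracle
SU 03/15 11:02 + pts/3 asmith-root
SU 03/15 11:05 + console root-oracle
this line is not a sulog record
"""


class SuEvent(NamedTuple):
    date: str
    time: str
    success: bool
    tty: str
    src: str
    dst: str


def parse_sulog(text):
    """Return (events, unparsed_count).

    Unparsed lines are counted instead of being dropped: a truncated or
    tampered log should be visible in the report, not hidden by the parser.
    """
    events, unparsed = [], 0
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SULOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        events.append(SuEvent(m["date"], m["time"], m["result"] == "+",
                              m["tty"], m["src"], m["dst"]))
    return events, unparsed


def review(text, approved_root_admins, fail_threshold=2):
    """Build the summary a reviewer (not the admin being reviewed) signs off on.

    approved_root_admins: hypothetical allow-list of accounts permitted to
    su to root. Anything else reaching root is flagged for follow-up.
    """
    events, unparsed = parse_sulog(text)
    failed_root = Counter(e.src for e in events
                          if e.dst == "root" and not e.success)
    return {
        "total_events": len(events),
        "unparsed_lines": unparsed,
        "root_su_success": [(e.src, e.tty, f"{e.date} {e.time}")
                            for e in events if e.dst == "root" and e.success],
        "unapproved_root_su": sorted({e.src for e in events
                                      if e.dst == "root" and e.success
                                      and e.src not in approved_root_admins}),
        "repeated_root_failures": {u: n for u, n in failed_root.items()
                                   if n >= fail_threshold},
        "su_to_service_accounts": [(e.src, e.dst) for e in events
                                   if e.success and e.dst != "root"],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_SULOG, {"jdoe"}).items():
        print(f"{key}: {value}")
```

Run against a real sulog, this is the report to hand to the reviewer; the point the auditors care about is that the allow-list and the review are owned by someone other than the administrators whose su's appear in it, which is what the original poster's self-monitoring setup lacks. The same parse-then-summarize structure applies to wtmp/btmp login records once the binary utmp layout is decoded.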
Steven E. Protter
Exalted Contributor

Re: Recommendations wanted for audit trail/syslog analysis and reporting systems

Shalom James,

I recommend a third party tool as noted above.

This is a business reasoning post.

If you go for a third party product, someone else is to blame if requirements are not met.

The whole situation is US congressional smoke and mirrors. If this monstrosity of a law is applied strictly, nobody can pass.

It reaches out to us in Israel due to my job's Corporate ownership being News Corp (US).

An open source solution:
http://www.openpro.com/sox.html

http://www.handysoft.com/solutions/enterprise/compliance/

We're using one of the solutions already posted, though I'm not sure the price is negotiated. Thus far, due to the location of the data center I work for, the impact has been minimal.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com