
SAM: Security and Auditing

 
A_Monk
New Member

I'm very new to HP-UX. Please bear with me!

The Security and Auditing sub-program in SAM offers many events which can be enabled for auditing.

Is there a paper outlining the best practice on what to be enabled in a high, medium and low security environment? Any pointers are appreciated.

Many thanks in advance.
Rick Garland
Honored Contributor

Re: SAM: Security and Auditing

Lots of resources available - inside and outside of the ITRC.

Depending on how tight you need to be with security, are you a public or private company, do you have external audits to go through, etc...

The resources cover all aspects. In the ITRC do a search on HPUX Security - check out the Bastille product.

On google do a search for UNIX security. Lots of hits.

There isn't 1 good resource, there are many good resources!
Jeff Schussele
Honored Contributor

Re: SAM: Security and Auditing

Well... first off you need to determine just how much space you can afford to assign to the audfiles. In high security envs you may need well over 8 GB to hold the data for a reasonable period. Also just what the performance hit will be.
For low 512 MB may suffice.
We employ medium level & use 2 GB.
Below is a sample auditing config file for medium level - file locations redacted for obvious reasons. This is more to give you an idea of just *what* you should be auditing - mainly who's logging in & when as well as what they're modifying and/or deleting:

#!/sbin/sh
# @(#)B.11.11_LR
# Auditing configuration. See audsys(1m), audevent(1m)
#
# AUDITING: Set to 1 to enable the auditing system. Note: if auditing
# is enabled via SAM, the AUDITING and other configuration
# variables are ignored.
#
# PRI_AUDFILE: Pathname of file where audit records begin to be logged.
# PRI_SWITCH: switch size (maximum size in kbytes for primary audit log file)
# SEC_AUDFILE: file audit system switches to when primary reaches switch size
# SEC_SWITCH: switch size of secondary file (maximum size in kbytes for
# secondary audit log file)
#
# Note: If the system has any mounted volumes, you might want to put the
# primary and secondary audit log files on different volumes to take maximum
# advantage of audit file switching.
#
# Note: For security, the path to the audit files must not be readable or
# writable except by authorized users.
#
# AUDEVENT_ARGS:
# Arguments to the audevent command. See audevent(1m)
# There are three instances of AUDEVENT_ARGS.
#
# AUDEVENT_ARGS1 describes those events that are audited
# for both success and failure.
#
# AUDEVENT_ARGS2 describes those events that are success only.
#
# AUDEVENT_ARGS3 describes those events that are failure only.
#
# A null string for AUDEVENT_ARGSx is assigned to arguments
# that don't apply.
#
# By default, AUDEVENT_ARGS1 is set to:
# "-P -F -e moddac -e login -e admin"
# which causes audevent to deal with:
# 1) changing discretionary access control (DAC),
# 2) logging in, and
# 3) administering the system will be audited.
# While these may be reasonable defaults on some systems,
# only the security officer/administrator can determine exactly
# what is needed.
#
# AUDOMON_ARGS: Arguments to the audomon daemon. See audomon(1m)
# By default, AUDOMON_ARGS is set to "-p 20 -t 1 -w 90".
# The audomon daemon takes the following arguments:
#
# fss = minimum percentage of free space left on an audit log file's
# file-system before switching to the secondary audit log file
# (which may reside on a separate volume/partition),
# or before taking protective action if no file space is left.
# (default: 20%)
# sp_freq = minimum wakeup interval (in minutes), at which point
# warning messages are generated on the console about
# switch points. Switch points are the maximum log file
# sizes and the percentage minimum free space specified.
# (default: 1 minute)
# warning = percentage of audit file space used or minimum free space
# used after which warning messages are sent to the console.
# (default: 90 - warning messages are sent when the files
# are 90% full or available free space is 90% used)
#
# Format: audomon -p fss -t sp_freq -w warning
#
AUDITING=1
PRI_AUDFILE=/XXXXXX/XXXXXXX/audfile1
PRI_SWITCH=153600
SEC_AUDFILE=/XXXXXX/XXXXXXX/audfile2
SEC_SWITCH=153600
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin -e modaccess -e delete -s execv -s execve"
AUDEVENT_ARGS2=" -p -f -s utssys -s mpctl -s semctl -s semop "
AUDEVENT_ARGS3=""
AUDOMON_ARGS=" -p 20 -t 1 -w 99"

For *some* of the above syscalls there are man pages in the OS. For all others you should be able to get good descriptions on docs.hp.com. Some should be self-explanatory.

HTH,
Jeff


PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
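The reply above leaves the reader to check two things by hand: whether the switch sizes in the file fit the space budget chosen for the security level, and whether the audit file path is protected as the file's own comment demands. The POSIX sh script below is an added example for this thread, not HP's code and not the poster's script. It reads an /etc/rc.config.d/auditing-style file (a constructed copy of the one posted, with placeholder paths), totals PRI_SWITCH and SEC_SWITCH against a budget in kbytes, lists the -e events and -s syscalls selected in each AUDEVENT_ARGSn, pulls the -p/-t/-w values out of AUDOMON_ARGS, and judges directory permissions from ls -ld because HP-UX ships no stat(1). Function names, the sample config and the temporary directories are all assumptions made for the example.

```shell
#!/bin/sh
# audcheck: sanity checks for an HP-UX /etc/rc.config.d/auditing-style file.
# Added example for this thread; not HP code and not the poster's script.
# Assumptions: NAME=value / NAME="value" lines as in the posted file; directory
# permissions read from ls -ld (HP-UX has no stat(1)); paths are placeholders.

WORK=${TMPDIR:-/tmp}/audcheck.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample config mirroring the thread's variables (paths are placeholders).
SAMPLE_CFG=$WORK/auditing
cat > "$SAMPLE_CFG" <<'EOF'
AUDITING=1
PRI_AUDFILE=/PLACEHOLDER/audit/audfile1
PRI_SWITCH=153600
SEC_AUDFILE=/PLACEHOLDER/audit/audfile2
SEC_SWITCH=153600
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin -e modaccess -e delete -s execv -s execve"
AUDEVENT_ARGS2=" -p -f -s utssys -s mpctl -s semctl -s semop "
AUDEVENT_ARGS3=""
AUDOMON_ARGS=" -p 20 -t 1 -w 99"
EOF

# Two constructed directories standing in for the audit file location:
# one owner-only (as the config's security note requires), one world-readable.
PRIV_DIR=$WORK/private; OPEN_DIR=$WORK/open
mkdir -p "$PRIV_DIR" "$OPEN_DIR"
chmod 700 "$PRIV_DIR"; chmod 755 "$OPEN_DIR"

# cfg_value FILE NAME: value of NAME=... with surrounding double quotes removed.
cfg_value() {
    grep "^$2=" "$1" | head -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# audit_log_budget_kb FILE: space both switch sizes can consume together (kbytes).
audit_log_budget_kb() {
    pri=$(cfg_value "$1" PRI_SWITCH); sec=$(cfg_value "$1" SEC_SWITCH)
    echo $(( ${pri:-0} + ${sec:-0} ))
}

# switch_fits_budget FILE BUDGET_KB: success if PRI_SWITCH+SEC_SWITCH <= BUDGET_KB.
switch_fits_budget() {
    [ "$(audit_log_budget_kb "$1")" -le "$2" ]
}

# audevent_items FILE VAR FLAG: operands following FLAG (-e event, -s syscall)
# in AUDEVENT_ARGSn, one per line, so the selection can be reviewed at a glance.
audevent_items() {
    want=$3; prev=""
    for tok in $(cfg_value "$1" "$2"); do
        [ "$prev" = "$want" ] && echo "$tok"
        prev=$tok
    done
}

# audomon_opt FILE LETTER: value given to -LETTER (p, t or w) in AUDOMON_ARGS.
audomon_opt() {
    prev=""
    for tok in $(cfg_value "$1" AUDOMON_ARGS); do
        [ "$prev" = "-$2" ] && { echo "$tok"; return 0; }
        prev=$tok
    done
    return 1
}

# audit_dir_private DIR: success only if group and other hold no permission bits,
# i.e. the directory holding the audit files is accessible to its owner alone.
audit_dir_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Report for the constructed sample. BUDGET_KB is the space you can afford;
# the reply above cites roughly 512 MB for low and 2 GB for medium security.
BUDGET_KB=2097152
if switch_fits_budget "$SAMPLE_CFG" "$BUDGET_KB"; then fit=yes; else fit=NO; fi
printf 'switch sizes total %s kB, within %s kB budget: %s\n' \
    "$(audit_log_budget_kb "$SAMPLE_CFG")" "$BUDGET_KB" "$fit"
printf 'events (success+failure): %s\n' "$(audevent_items "$SAMPLE_CFG" AUDEVENT_ARGS1 -e | tr '\n' ' ')"
printf 'syscalls (success+failure): %s\n' "$(audevent_items "$SAMPLE_CFG" AUDEVENT_ARGS1 -s | tr '\n' ' ')"
printf 'syscalls (success only): %s\n' "$(audevent_items "$SAMPLE_CFG" AUDEVENT_ARGS2 -s | tr '\n' ' ')"
printf 'audomon: switch at %s%% free, wake every %s min, warn at %s%% used\n' \
    "$(audomon_opt "$SAMPLE_CFG" p)" "$(audomon_opt "$SAMPLE_CFG" t)" "$(audomon_opt "$SAMPLE_CFG" w)"
for d in "$PRIV_DIR" "$OPEN_DIR"; do
    if audit_dir_private "$d"; then printf '%s: owner-only, OK\n' "$d"
    else printf '%s: group/other can reach audit files, FIX\n' "$d"; fi
done
```

On a live system, point SAMPLE_CFG at /etc/rc.config.d/auditing and run audit_dir_private on the directory part of PRI_AUDFILE and SEC_AUDFILE; the budget comparison is only meaningful once you also know the free space on the volume each audfile lives on, which the script does not query.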
A_Monk
New Member

Re: SAM: Security and Auditing

Where can I find a document outlining/detailing the events auditable in each sub-program in SAM's Security and Auditing?

Any pointers are appreciated.

Thanks,

A Monk