Operating System - HP-UX
09-25-2006 08:34 AM
Trusted mode - get started
After a suggestion from you guys we've decided to convert our HP to trusted mode. We want to be able to log user activities like commands, commands executed after su to another user, etc. run by users. After reading about audevent I know that I need to configure events to get a log of user activity. What I don't know is:
1. What type of events will help us get commands, other activities etc. per user?
2. How to configure them?
3. Where would I be able to look at the log file?
4. How to calculate Performance overhead on the system?
09-25-2006 08:38 AM
Re: Trusted mode - get started
It really depends on the configuration. You can turn on system auditing using sam so that you will get all the information logged into a file.
As far as performance, you have to be careful: if you turn on full level, performance may be poor.
09-25-2006 10:31 AM
Re: Trusted mode - get started
And most important, before you start logging, change the location of the audfiles. By default they are in /, the worst possible location. Specify the location in /var/adm where almost all logfiles are located.
Look at the man pages for:
audit
audevent
audctl
audisp
and also: man 5 audit
SAM will also allow you to configure auditing options. Note that it is very easy to configure a lot of options and the logfiles will be extremely large.
Now based on what you want to see, the audit system will not give you all the items on your list:
> log user activities like commands
That is always recorded in $HOME/.sh_history for each user -- assuming a normal login and normal shell.
> commands executed after su to other user
Same as above as long as su is *always* su - user (the - is imperative for all su commands)
> calculate Performance overhead
Completely different task -- auditing does not monitor performance because it is impossible to characterize. For performance, you use tools like top, vmstat and sar but these are difficult to use. For meaningful performance details, you need the HP product Glance/plus.
Bill Hassell, sysadmin
09-26-2006 04:34 AM
Re: Trusted mode - get started
Just to add one more thought... you may also consider, as an alternative to Trusted Mode, using the Standard-Mode Security Extensions package available on 11.23. That allows you to keep using the passwd/shadow structure, but still gives you just about all the features available in Trusted Mode (with better compatibility).
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin