Theresa Patrie
Regular Advisor

Trusted system auditing questions and problems

Hi,
We just converted a HP-UX 10.20 system to a trusted system. I am running into quite a few problems when trying to gather information from my audit file.
1. When running audisp on my audit file, I get the error "bad audit record body". It displays results up until Jan 12, and then quits. I assume something happened to my audit file on Jan 12 and now it is corrupt? Anybody experience this?
2. I have the user accounts set up such that after 5 invalid logins, the account is locked. I found that I can reactivate it in sam, but I cannot find any file where the locking of the account is logged? Is there a file where all account locking is logged? It does not show up in syslog.log.
3. I am auditing all "open()" failures and my audit file is filling up with these events. What I really want to see is when an unauthorized user attempts to open a system file or somebody else's file. What I am seeing is hundreds of open() failures for files that aren't there. Some examples are /usr/lib/nlsloc/locales.1/C and /usr/sbin/stm/uut/lib/tllogtool.0. These files do not exist on my trusted system, nor do they exist on any of my other 10.20 systems. How can I find out what is looking for these files and why they are not there?

I know that this is a lot for one message and I appreciate any input you may have.
Thanks,
Theresa
This is my easy job!
Christopher Caldwell
Honored Contributor

Re: Trusted system auditing questions and problems

---------------------------------------------
2. I have the user accounts set up such that after 5 invalid logins, the account is locked. I found that I can reactivate it in sam, but I cannot find any file where the locking of the account is logged? Is there a file where all account locking is logged? It does not show up in syslog.log.
---------------------------------------------

This information is kept in the tcb (trusted computing base) located in /tcb.

To get to it, I wrote a little C program based on getprpwent (man getprpwent).

Using that procedure, you can get to a structure member called fd_lock which should tell you if the account is locked or not. There's a bunch of other useful information there as well.
Theresa Patrie
Regular Advisor

Re: Trusted system auditing questions and problems

Thanks Christopher. Since I am not the greatest C programmer, any chance of getting a copy of your script?? It would save me a lot of "re-learning curve" time, especially if it can be adapted to work for other audited parameters.
Thanks,
Theresa
This is my easy job!
Scott Van Kalken
Esteemed Contributor

Re: Trusted system auditing questions and problems

You can also use modprpw and getprpw.

#!/bin/sh
# List every account in /etc/passwd with its last successful login time and
# whether the trusted-system (tcb) database currently has it locked out.

SCRIPT=${0##*/}
TODAY=$(date)
TMPFILE=/tmp/$SCRIPT.$$        # per-run temp file name
LOGFILE=$SCRIPT.log

get_users()
{
    cut -d: -f1 /etc/passwd > "$TMPFILE"
}

check_last_login()
{
    while read user ; do
        # getprpw prints "lockout=NNNNNNN"; any non-zero bit means the account is locked.
        # Default to 0 if getprpw prints nothing (e.g. user not in the tcb database).
        LOCKED=`/usr/lbin/getprpw -m lockout "$user" | sed 's/lockout=//'`
        if [ "${LOCKED:-0}" -ne 0 ] ;
        then
            DISABLED="LOCKED OUT"
        else
            DISABLED=""
        fi
        # slogint is the last successful login time; replace the key with the user name
        LASTLOGIN=`/usr/lbin/getprpw -m slogint "$user" | sed 's/slogint=/'"$user"' /'`
        echo "\n$LASTLOGIN\t$DISABLED"
    done
}

get_users
echo "USERNAME LAST LOGIN TIME"
check_last_login < "$TMPFILE"
rm -f "$TMPFILE"


That's a very crude script I knocked up in about 10 minutes as part of an audit exercise we just completed.

I'm in the process of making it a bit more useful at the moment, but it's a good start.


http://docs.hp.com/hpux/onlinedocs/B2355-90691/B2355-90691.html

Those should be the man pages (11i) for them. They haven't changed much over the years apparently, but they are no longer part of the man tree.

Hope this helps.

Scott.
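An added example, not part of Scott's script or of the HP-UX tools: it decodes the seven-position "lockout=NNNNNNN" string that getprpw -m lockout returns into the individual lockout reasons, so a report can say why an account is locked (failed-login threshold, admin lock, expired password, and so on) instead of only that it is. The position meanings follow the getprpw(1M) man page as I recall it and should be verified against your release; the getprpw output lines below are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example: decode the "lockout=NNNNNNN" string from getprpw -m lockout.
# Position meanings as documented in getprpw(1M) (verify on your release).

# Translate one lockout bit string (e.g. 0001000) into a comma-separated
# list of reasons. Prints an empty line for 0000000.
decode_lockout() {
    bits=$1
    reasons=""
    i=1
    for name in "password lifetime expired" \
                "last-login interval exceeded" \
                "account lifetime expired" \
                "too many failed logins" \
                "null password not allowed" \
                "administrator lock" \
                "password field is *"; do
        # take the i-th character of the bit string
        c=$(printf '%s' "$bits" | cut -c"$i")
        if [ "$c" = "1" ]; then
            reasons="${reasons:+$reasons, }$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$reasons"
}

# Report one user from a "lockout=NNNNNNN" line as printed by
# getprpw -m lockout USER. Prints "USER<TAB>LOCKED (reasons)" or "USER<TAB>ok".
report_user() {
    user=$1
    line=$2
    bits=${line#lockout=}
    reasons=$(decode_lockout "$bits")
    if [ -n "$reasons" ]; then
        printf '%s\tLOCKED (%s)\n' "$user" "$reasons"
    else
        printf '%s\tok\n' "$user"
    fi
}

# Constructed sample lines standing in for /usr/lbin/getprpw -m lockout output.
# On a trusted system use: report_user "$u" "$(/usr/lbin/getprpw -m lockout "$u")"
report_user alice "lockout=0000000"
report_user bob   "lockout=0001000"
report_user carol "lockout=0000011"
```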
Theresa Patrie
Regular Advisor

Re: Trusted system auditing questions and problems

Thanks for the script Scott! I will try that on my system and add to it for my needs. Not bad for 10 minutes work!
Theresa
This is my easy job!