Re: Trusted system auditing questions and problems
01-16-2002 10:07 AM
We just converted a HP-UX 10.20 system to a trusted system. I am running into quite a few problems when trying to gather information from my audit file.
1. When running audisp on my audit file, I get the error "bad audit record body". It displays results up until Jan 12, and then quits. I assume something happened to my audit file on Jan 12 and now it is corrupt? Anybody experience this?
2. I have the user accounts set up such that after 5 invalid logins, the account is locked. I found that I can reactivate it in sam, but I cannot find any file where the locking of the account is logged? Is there a file where all account locking is logged? It does not show up in syslog.log.
3. I am auditing all "open()" failures and my audit file is filling up with these events. What I really want to see is when an unauthorized user attempts to open a system file or somebody else's file. What I am seeing is hundreds of open() failures for files that aren't there. Some examples are /usr/lib/nlsloc/locales.1/C and /usr/sbin/stm/uut/lib/tllogtool.0. These files do not exist on my trusted system, nor do they exist on any of my other 10.20 systems. How can I find out what is looking for these files and why they are not there?
I know that this is a lot for one message and I appreciate any input you may have.
Thanks,
Theresa
01-16-2002 10:50 AM
Re: Trusted system auditing questions and problems
2. I have the user accounts set up such that after 5 invalid logins, the account is locked. I found that I can reactivate it in sam, but I cannot find any file where the locking of the account is logged? Is there a file where all account locking is logged? It does not show up in syslog.log.
---------------------------------------------
This information is kept in the tcb (trusted computing base) located in /tcb.
To get to it, I wrote a little C program based on getprpwent (man getprpwent).
Using that procedure, you can get to a structure member called fd_lock which should tell you if the account is locked or not. There's a bunch of other useful information there as well.
01-16-2002 12:00 PM
Re: Trusted system auditing questions and problems
Thanks,
Theresa
01-16-2002 01:44 PM
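Solution

```sh
#!/bin/sh
# Report the last successful login time and lockout state for every
# account on a trusted HP-UX system.
SCRIPT=${0##*/}
TODAY=$(date)
TMPFILE=/tmp/$SCRIPT.tmp
LOGFILE=$SCRIPT.log

# Collect all user names from /etc/passwd.
get_users()
{
    cut -d: -f1 /etc/passwd > "$TMPFILE"
}

# For each user name on stdin, query the protected password database.
check_last_login()
{
    while read user ; do
        # lockout is a string of 0/1 flags; any 1 means the account is locked.
        LOCKED=`/usr/lbin/getprpw -m lockout "$user" | sed 's/lockout=//'`
        # Default to 0 so an empty result does not break the numeric test.
        if [ "${LOCKED:-0}" -ne 0 ] ;
        then
            DISABLED="LOCKED OUT"
        else
            DISABLED=""
        fi
        LASTLOGIN=`/usr/lbin/getprpw -m slogint "$user" | sed 's/slogint=/'"$user"' /'`
        echo "\n$LASTLOGIN\t$DISABLED"
    done
}

get_users
echo "USERNAME LAST LOGIN TIME"
check_last_login < "$TMPFILE"
```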
That's a very crude script I knocked up in about 10 minutes as part of an audit exercise we just completed.
I'm in the process of making it a bit more useful at the moment, but it's a good start.
http://docs.hp.com/hpux/onlinedocs/B2355-90691/B2355-90691.html
Those should be the man pages (11i) for them. They haven't changed much over the years apparently, but they are no longer part of the man tree.
Hope this helps.
Scott.
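The script above only reports whether an account is locked. As an added example (not part of Scott's post), the sketch below decodes the `lockout` flag string so that accounts locked for too many failed logins can be told apart from other lock reasons. The position meanings are paraphrased from the HP-UX getprpw man page; the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Decode the 7-position flag string printed by
#   /usr/lbin/getprpw -m lockout <user>      (e.g. "lockout=0001000")
# Positions are read left to right; 1 means the condition is present.

decode_lockout() {
    bits=${1#lockout=}                 # accept with or without the prefix
    case $bits in
        [01][01][01][01][01][01][01]) ;;
        *) echo "invalid"; return 1 ;;
    esac
    reasons=""
    pos=1
    for reason in \
        "password lifetime exceeded" \
        "inactive account" \
        "account lifetime exceeded" \
        "too many failed logins" \
        "null password not allowed" \
        "admin lock" \
        "password is *"
    do
        flag=$(printf '%s' "$bits" | cut -c"$pos")
        if [ "$flag" = 1 ]; then
            reasons="${reasons:+$reasons; }$reason"
        fi
        pos=$((pos + 1))
    done
    echo "${reasons:-not locked}"
}

# Read "user lockout=bits" lines on stdin and print only locked accounts.
report_locked() {
    while read -r user field; do
        why=$(decode_lockout "$field") || continue
        [ "$why" = "not locked" ] || echo "$user: $why"
    done
}

# Constructed sample input; on a live system each line would come from
# echo "$user $(/usr/lbin/getprpw -m lockout "$user")"
SAMPLE='alice lockout=0000000
bob lockout=0001000
carol lockout=0100010'

printf '%s\n' "$SAMPLE" | report_locked
```

Running the report from cron and appending its output to a file gives a simple history of lock events, which the trusted system does not write to syslog.log.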
01-18-2002 06:33 AM
Re: Trusted system auditing questions and problems
Theresa