Operating System - HP-UX

Re: trusted system auditlogs

Ng Kim Meng
Occasional Contributor

trusted system auditlogs

Hi,

After converting to a trusted system and turning on auditing, the audit logs have been capturing whatever has been defined to be audited.

By default, the audit log has the permissions shown below, with read/write permission solely for the root owner.

-rw------- 1 root sys 1101171 Mar 15 16:23 audfile1

However, now my external auditor is insisting that the root owner must not have write access to the audit logs.

But I don't see how that is possible!

I'd like to find out whether that is a reasonable demand from my external auditor.

And if it's reasonable, how can I achieve that? Through 3rd party s/w?

Really appreciate any feedback and advice.


Joseph Loo
Honored Contributor

Re: trusted system auditlogs

Hi,

I see, those auditors again.

I presume they would think you are going to make changes to that file. But audfile1 is not an ASCII file but a data file. You may like to show or prove this to them by running the file command, i.e.:

# file audfile1

unless, after running the audisp command to display and output the content of that file, you amend the generated output.

Regards.
what you do not see does not mean you should not believe
Ng Kim Meng
Occasional Contributor

Re: trusted system auditlogs

Hi Joseph,

Thanks for your feedback.

I already explained this to the auditor and even did a cat on the audit log to show them it's garbage and cannot simply be changed with vi.

But he insisted that as long as the audit log is writable, a technically competent person with root access can perhaps use other tools to modify the content and write it back. Or even if they cannot, they can simply delete the entire audit log as a cover-up.


Keith Buck
Respected Contributor

Re: trusted system auditlogs

The only ways I can think of to deal with this are to

A. copy the audit logs off-host (which I would recommend) or

B. get a B-level certified operating system (which can be a pain to administer).

Trusted HP-UX is approximately C2 level (was certified back in the 10.x days I think) which means that root is still all-powerful.

chmod -w audfile1

will not change the fact that root has write access to the file, because root can easily

chmod +w audfile1

for example. If you made the file owned by someone other than root so root can't chmod it, root can still chown the file back to himself. You can see this is starting to get a bit silly...

Option A actually accomplishes something as long as root on the local host doesn't also have access to the remote host. Note that root on the remote host can still muck with the logs. Some ways to deal with that are to cryptographically sign the logs or print them on paper or other write-only media.

Hope that helps.

-Keith
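Keith's option A combined with his "cryptographically sign the logs" suggestion, as an added illustration that is not part of this thread and not an HP-UX tool: the off-host collector receives the audit trail in chunks and keeps an HMAC hash chain over them, with the key held only on the collector. Because each tag commits to everything before it, a root user on the audited host who rewrites or deletes an earlier chunk breaks every later tag, and because the collector also records the latest tag (the "head"), silently truncating the trail is caught too. The chunk contents, the key, and the function names are all constructed for this example; a real audfile1 is binary, and the chain treats each chunk as opaque bytes.

```python
import hashlib
import hmac

# Constructed sample: stand-ins for pieces of an audit trail that the
# collector receives from the audited host one at a time (for example by a
# scheduled copy). Real audit data is binary; only the bytes matter here.
SAMPLE_CHUNKS = [
    b"login root tty0 16:20:01 ok",
    b"file access audfile1 read 16:21:13",
    b"su - oracle by root 16:22:40",
]

# Constructed key held only by the off-host collector; the audited host never
# sees it, so root on that host cannot recompute valid tags.
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"

ZERO_TAG = b"\x00" * hashlib.sha256().digest_size


def append_chunk(chain, chunk, key=COLLECTOR_KEY):
    """Append one chunk to the chain (a list of (chunk, tag) pairs).

    The tag is an HMAC over the previous tag and the current chunk, so every
    entry commits to the whole history before it.
    """
    prev_tag = chain[-1][1] if chain else ZERO_TAG
    tag = hmac.new(key, prev_tag + chunk, hashlib.sha256).digest()
    chain.append((chunk, tag))
    return tag


def build_chain(chunks, key=COLLECTOR_KEY):
    """Chain a sequence of chunks and return the resulting list."""
    chain = []
    for chunk in chunks:
        append_chunk(chain, chunk, key)
    return chain


def verify_chain(chain, expected_head=None, key=COLLECTOR_KEY):
    """Return (ok, bad_index).

    bad_index is the position of the first entry whose tag does not match,
    len(chain) when the entries verify but the final tag differs from the
    head the collector recorded (i.e. the trail was truncated), or None
    when everything checks out.
    """
    prev_tag = ZERO_TAG
    for i, (chunk, tag) in enumerate(chain):
        expected = hmac.new(key, prev_tag + chunk, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        prev_tag = tag
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(chain)
    return True, None


# Two ways a copy of the trail could be altered after the fact; both are
# applied to a copy so the collector's own chain stays intact.
def with_modified_chunk(chain, index, new_chunk):
    altered = list(chain)
    altered[index] = (new_chunk, altered[index][1])
    return altered


def with_deleted_chunk(chain, index):
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_CHUNKS)
    head = chain[-1][1]          # the collector records this separately
    print("intact:", verify_chain(chain, head))
    print("modified entry 1:", verify_chain(with_modified_chunk(chain, 1, b"x"), head))
    print("deleted entry 1:", verify_chain(with_deleted_chunk(chain, 1), head))
    print("deleted last entry:", verify_chain(with_deleted_chunk(chain, 2), head))
```

The head value is what makes truncation detectable: without it, a chain with its last entries removed still verifies, which is the same gap Keith points at when he notes that root on the remote host can still alter the logs. Storing the head somewhere root on either host cannot reach (a printout, a separate append-only service) is the practical equivalent of his write-only media suggestion.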