user auditing

 
Chetan Javagal
New Member

When I create new users on a trusted system, I see that the users have their auditing enabled, i.e. the u_auditflag value is set to 1 in their /tcb/files/auth/u/user file. I am trying to figure out how to "by default" disable the auditing flag for any newly created users.

I see that the /tcb/files/auth/system/default file uses the u_auditflag value of -1. Even setting the u_auditflag to 0 in the default file results in auditing being enabled for new users. Does anybody know which setting or file controls the default auditing (enabled/disabled) for newly created users?
Peter Godron
Honored Contributor

Re: user auditing

Hi,
and welcome to the forums.

From "man 4 prpwd":
"Fields defined in a file are user specific values. These values override the system default values. Trusted programs check first for the existence of user specific parameters before using a system default value."

So even setting the default file will not help, as the individual's profile will override. Have you tried setting the system default, but omitting the user's auditflag?

You can also manipulate the auditing with audusr (See "man 1m audusr").

Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.
Chetan Javagal
New Member

Re: user auditing

Yes, you are right that the user's setting overrides the default setting.

Below is the default file:
# cat /tcb/files/auth/system/default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:\
:u_auditflag#0:\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:u_genpwd:\
:u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:
#

In the default file, you see that u_auditflag is set to 0, i.e. auditing is disabled.

When I create a new user now, the useradd command enables the auditing for the new user.
# useradd newuser
# audusr | grep newuser
User newuser: audit Yes
#

These are the contents of /tcb/files/auth/n/newuser; you will see that u_auditflag is set to 1, i.e. enabled:

# cat /tcb/files/auth/n/newuser
newuser:u_name=newuser:u_id#125:\
:u_pwd=*:\
:u_auditid#88:\
:u_auditflag#1:\
:u_suclog#1167506140:u_lock@:chkent:
#

The value of u_auditflag=0 from the default file would have taken effect:
- If the useradd command had not added u_auditflag entry in /tcb/files/auth/n/newuser file OR
- If u_auditflag entry was set to 0 in the /tcb/files/auth/n/newuser file

On the trusted system where I am testing, auditing is enabled for any newly created user when using the useradd command or using SAM. I wanted to know if this behavior can be modified or configured in any way.
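
The precedence discussed in this thread (a u_auditflag field in the user's own entry overrides /tcb/files/auth/system/default), shown as an added example that is not part of any post and is not HP-supplied tooling: a read-only report of each account's effective u_auditflag and where the value came from. The function names, the olduser entry and the temporary sample tree are constructed for illustration, and the demo assumes a shell with mktemp -d.

```sh
#!/bin/sh
# Added example (not HP tooling). Field syntax follows the entries in the thread.

# Print the numeric value of field $2 in entry file $1; print nothing if absent.
get_num_field() {
    # Drop the continuation backslashes, join lines, split fields on ':'.
    sed -e 's/\\$//' "$1" | tr -d '\n' | tr ':' '\n' |
        sed -n "s/^[[:space:]]*$2#\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*\$/\1/p" |
        head -n 1
}

# Print "<value> <source>": the user's own field wins, else the system default.
effective_auditflag() {
    v=$(get_num_field "$1" u_auditflag)
    if [ -n "$v" ]; then echo "$v user"; return 0; fi
    v=$(get_num_field "$2" u_auditflag)
    if [ -n "$v" ]; then echo "$v default"; else echo "unset none"; fi
}

# Walk <root>/<letter>/<user>; the one-character glob skips <root>/system.
audit_report() {
    for f in "$1"/?/*; do
        [ -f "$f" ] || continue
        echo "$(basename "$f") $(effective_auditflag "$f" "$1/system/default")"
    done
}

# Constructed sample tree: newuser is from the thread, olduser is made up.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/system" "$d/n" "$d/o"
    printf '%s\n' 'default:\' ':u_pwd=*:\' ':u_auditflag#0:\' ':chkent:' \
        > "$d/system/default"
    printf '%s\n' 'newuser:u_name=newuser:u_id#125:\' ':u_auditid#88:\' \
        ':u_auditflag#1:\' ':u_lock@:chkent:' > "$d/n/newuser"
    printf '%s\n' 'olduser:u_name=olduser:u_id#126:\' ':u_auditid#89:\' \
        ':u_lock@:chkent:' > "$d/o/olduser"
    echo "$d"
}

root=$(make_sample)
audit_report "$root"    # on a real system the root would be /tcb/files/auth
rm -rf "$root"
```

The script only reads the entries and prints the raw value, so a default of -1 (as in the first post) is reported as-is rather than interpreted.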