NAME
audit - introduction to HP-UX Auditing System
SYNOPSIS
DESCRIPTION
The purpose of the auditing system is to record instances of access by
subjects to objects and to allow detection of any (repeated) attempts
to bypass the protection mechanism and any misuses of privileges, thus
acting as a deterrent against system abuses and exposing potential
security weaknesses in the system.
User and Event Selection
The auditing system provides administrators with a mechanism to select
users and activities to be audited. Users are assigned unique
identifiers called audit ids by the administrator which remain
unchanged throughout a user's history. The audusr(1M) command is used
to specify those users who are to be audited. The audevent(1M)
command is used to specify system activities (auditable events) that
are to be audited. Auditable events are classified into several
categories. An event category consists of a set of operations that
affect a particular aspect of the system. For an event category list,
Self-auditing Programs
To reduce the amount of log data and to provide a higher-level
recording of some typical system operations, a collection of
privileged programs is given the capability to perform self-auditing.
This means that the programs can suspend the currently specified
auditing on themselves and produce a high-level description of the
operations they perform. These self-auditing programs include: at(1),
chfn(1), chsh(1), crontab(1), login(1), newgrp(1), passwd(1),
audevent(1M), audisp(1M), audsys(1M), audusr(1M), cron(1M),
groupadd(1M), groupdel(1M), groupmod(1M), init(1M), lpsched(1M),
sam(1M), useradd(1M), userdel(1M), and usermod(1M).
Note: Only privileged programs are allowed to do self-auditing.
The audit suspension they perform only affects these programs and
does not affect any other processes on the system.
Most of these commands generate audit data under a single event
category. For example, sam(1M) generates the audit data under the
event admin. Other commands may generate data under multiple event
categories. For example, init(1M) generates data under the events
login and admin.
Viewing of Audited Data
The audisp(1M) command is used to view audited data recorded in log
files. audisp(1M) merges the log files into a single audit trail in
chronological sequence. The administrator can select viewing criteria
provided by audisp(1M) to limit the search to particular kinds of
events which the administrator is interested in investigating.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
Monitoring the Auditing System
To ensure that the auditing system operates normally and that any
abnormal behaviors are detected, a privileged daemon program,
audomon(1M), runs in the background to monitor various auditing system
parameters. When these parameters take on abnormal (dangerous)
values, or when components of the auditing system are accidentally
removed, audomon(1M) prints warning messages and tries to resolve the
problem if possible.
Starting and Halting the Auditing System
The administrator can use the audsys(1M) command to start or halt the
auditing system, or to get a brief summary of the status of the audit
system. Prior to starting the auditing system, audsys(1M) also
validates the parameters specified, and ensures that the auditing
system is in a safe and consistent state.
Audit Log Files
At any time when the auditing system is enabled, at least one audit log
file must be present, and another back-up log file is highly
recommended. Both of these files (along with various attributes for
these files) can be specified using audsys(1M). When the current log
file exceeds a pre-specified size, or when the auditing file system is
dangerously full, the system automatically switches to the back-up
file if possible. If a back-up log file is not available, warning
messages are sent to request appropriate administrator action.
AUTHOR
The auditing system described above was developed by HP.
SEE ALSO
audsys(1M), audusr(1M), audevent(1M), audisp(1M), audctl(2),
audswitch(2), audwrite(2), getaudid(2), getevent(2), setaudid(2),