Administrator's Guide

9 Audit Administration
The purpose of auditing is to selectively record events so that security breaches can be
detected and analyzed. The audit data is recorded in log files. The auditing system
therefore acts as a deterrent against system abuse and helps expose potential security
weaknesses.
The auditing system records instances of access by subjects to objects on the system and
detects any (repeated) attempts to bypass the protection mechanism and any misuse of
privileges.
When a user logs in, a unique audit session ID called "audit tag" is generated and
associated with the user's process. The audit tag remains the same during each login
session. Even if a user changes identity within a single session, all events are still recorded
with the same audit tag and accountable under the original login user's name.
Audit records are generated for selective security related system events. Each audit record
contains information about the event, such as what the event was, when it occurred, the
ID of the user who caused it, the ID of the process that caused it and so on.
Audit records are collected in audit logs/files in binary format. The HP-UX Auditing system
on the HP-UX 11i v3 release is capable of using more than one writer thread to log data.
Each writer thread writes to one file, allowing an audit trail to be written in parallel by
multiple kernel threads and hence potentially increasing the throughput of the system.
As a result, an audit trail is present on the file system as a directory with multiple audit
files in it.
The records in the audit trail are compressed to save disk space. When a process is
audited the first time, a process identification record (PIR) is written into the audit trail
containing information that remains constant throughout the lifetime of the process. The
PIR includes the process ID, the parent process' ID, audit tag, real user ID, real group
ID, effective user ID, effective group ID, group ID list, effective, permitted, and retained
privileges, compartment ID, and the terminal ID. The PIR is entered only once per process
per audit trail.
This chapter discusses the following topics:
Auditing components (Section 9.1)
Auditing your system (Section 9.2)
Auditing users (Section 9.3)
Auditing events (Section 9.4)
Audit trails (Section 9.5)
Audit filtering tools (Section 9.6)
Using filter.conf (Section 9.7)
Audit reporting tools (Section 9.8)
Viewing audit logs (Section 9.9)