Administrator's Guide

# audsys -f
The audsys -f command lets you stop the system auditing while keeping the
audomon daemon running.
4. (Optional) Set the AUDIT flag to 0 in the /etc/rc.config.d/auditing file to
keep the auditing system from starting at the next system reboot.
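Step 4 edits a KEY=VALUE flag in an rc.config.d-style file by hand. The following POSIX sh helper does the same edit idempotently, so a provisioning script can set AUDIT=0 (or any other flag on the page, such as AUDIT_FLAG in /etc/default/security) without duplicating the line or touching commented-out entries. This is an added example, not code from the HP-UX guide; the function names set_flag and get_flag, and the sample file it builds in a temporary directory, are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the HP-UX guide): idempotently set KEY=VALUE in an
# rc.config.d-style file such as /etc/rc.config.d/auditing. POSIX sh + awk only.

# set_flag FILE KEY VALUE
#   - rewrites the first uncommented KEY=... line in place and drops any later
#     duplicate assignment of the same key (the last one would otherwise win)
#   - appends KEY=VALUE when the key is not assigned at all
#   - leaves comments and other keys untouched; writes via a temp file + mv
set_flag() {
    file=$1; key=$2; val=$3
    [ -f "$file" ] || return 1
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$val" '
        BEGIN { done = 0 }
        # uncommented assignment of the key (optional leading whitespace)
        $0 ~ ("^[ \t]*" k "=") { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_flag FILE KEY -> prints the effective value (last uncommented assignment)
get_flag() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# Demonstration on a constructed sample file (not a real system file).
demo_dir=$(mktemp -d)
printf '# sample auditing config (constructed)\nAUDIT=1\nSAMPLE_OTHER=keep\n' \
    > "$demo_dir/auditing"
set_flag "$demo_dir/auditing" AUDIT 0      # step 4: disable start at reboot
echo "AUDIT is now: $(get_flag "$demo_dir/auditing" AUDIT)"
rm -rf "$demo_dir"
```

Run it as root against the real file only after confirming the result on a copy; the awk pass rewrites the whole file, which is why it goes through a temp file and a single mv rather than editing in place.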
9.2.5 Performance Considerations
Auditing increases system overhead. When performance is a concern, be selective about
what events and users are audited. This can help reduce the impact of auditing on
performance.
9.2.6 Guidelines for Administering the Auditing System
Use the following guidelines when administering the system:
Check the audit logs according to the security policy. For example, a security policy
might state that an online audit file should be retained for at least 24 hours and all
audit records stored offline should be retained for a minimum of 30 days.
Review the audit log for unusual activities, such as late-hour logins, login failures,
failed access to system files, and failed attempts to perform security-relevant tasks.
Prevent the overflow of the audit file by archiving daily.
Revise current selectable events periodically, especially after installing new releases
of HP-UX, since new system calls are often introduced in new releases.
Revise audited users periodically.
Do not follow any pattern or schedule for event or user selection.
Set site guidelines. Involve users and management in determining these guidelines.
If the audit data volume is expected to be high, configure audit trails on a logical
volume consisting of multiple physical disks and multiple physical I/O cards. Use
the -N option of the audsys command to split the audit trail into multiple files.
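The retention policy used as an example above (online audit files kept for at least 24 hours, offline records for at least 30 days) and the daily-archiving guideline can be enforced with a small cron job. The POSIX sh function below is an added example, not from the HP-UX guide: it expires offline archives older than 30 full days, then moves online files older than one day to the offline directory. The directory layout, the function name rotate_audit_archives and the sample files are assumptions; it operates only on files that are no longer the active trail (switching the active file is done with audsys beforehand and is not shown here).

```sh
#!/bin/sh
# Added example (not from the HP-UX guide): enforce the sample retention policy
# over two directories. ONLINE_DIR holds trails audsys has already switched
# away from; OFFLINE_DIR holds archived trails. Paths are assumptions.

# rotate_audit_archives ONLINE_DIR OFFLINE_DIR
#   1. delete offline archives older than 30 full days (-mtime +30)
#   2. move online files older than 24 hours (-mtime +0) to OFFLINE_DIR and
#      reset their mtime to the archival time, so the 30-day offline clock
#      starts at archival rather than at the trail's last write
# Order matters: expiring first keeps freshly archived files out of step 1.
rotate_audit_archives() {
    online=$1; offline=$2
    [ -d "$online" ] && [ -d "$offline" ] || return 1

    find "$offline" -type f -mtime +30 -exec rm -f {} +

    find "$online" -type f -mtime +0 | while IFS= read -r f; do
        mv "$f" "$offline/" && touch "$offline/${f##*/}"
    done
}

# Demonstration on constructed files in a temporary directory.
demo=$(mktemp -d)
mkdir "$demo/online" "$demo/offline"
touch "$demo/online/audfile.today"                # written within 24h: stays online
touch -t 202001010000 "$demo/online/audfile.old"  # older than 24h: archived
touch -t 202001010000 "$demo/offline/audfile.ancient"  # past 30 days: expired
rotate_audit_archives "$demo/online" "$demo/offline"
echo "online:";  ls "$demo/online"
echo "offline:"; ls "$demo/offline"
rm -rf "$demo"
```

Schedule it daily (the guideline's archiving cadence) and point a separate job at compressing the offline directory if disk is tight; file names are assumed to contain no newlines, which is what the read loop relies on.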
9.3 Auditing Users
By default, when system auditing is on, all users are audited. New users added to the
system are automatically audited.
You can monitor what users are doing on HP-UX systems by inspecting the audit trail.
To change which users are audited, choose one of the following options:
Audit all users.
Perform the following steps to enable auditing for all users:
1. Set AUDIT_FLAG=1 in the /etc/default/security file to enable auditing
globally for all users.
2. Run the command userdbget -a | grep AUDIT_FLAG=0 to determine
for which users, if any, auditing is disabled on a per-user basis. Then run the
176 Audit Administration