Administrator's Guide

command userdbset -u user AUDIT_FLAG=1 or userdbset -d -u
user AUDIT_FLAG for each of those users.
By default, auditing is enabled for all users when the audit system is turned on. New
users added to the system are automatically audited.
If auditing is turned off for all users, set AUDIT_FLAG=1 in the
/etc/default/security file.
Do not audit any users.
Perform the following steps to disable auditing for all users:
1. Set AUDIT_FLAG=0 in the /etc/default/security file to disable auditing
globally for all users.
2. Run the command userdbget -a | grep AUDIT_FLAG=1 to determine
for which users, if any, auditing is enabled on a per-user basis. Then run the
command userdbset -u user AUDIT_FLAG=0 or userdbset -d -u
user AUDIT_FLAG for each of those users.
Audit specific users.
Perform the following steps to enable auditing for only certain users:
1. Set AUDIT_FLAG=0 in the /etc/default/security file to disable auditing
globally for all users.
2. Run the command userdbget -a | grep AUDIT_FLAG=1 to determine
for which users, if any, auditing is enabled.
To disable auditing for any of those users listed as being audited, run the
command userdbset -u user AUDIT_FLAG=0 or userdbset -d -u
user AUDIT_FLAG.
To enable auditing for those users with no per-user AUDIT_FLAG attribute set,
run the command userdbset -u user AUDIT_FLAG=1.
If the audit system is not already enabled, use the audsys -n command to start the
auditing system. Auditing changes take effect at the user's next login.
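
The "Audit specific users" procedure above as a dry-run helper, added here as an example and not part of the HP-UX guide: it reads a saved userdbget -a dump and prints the userdbset commands needed so that only the named users keep AUDIT_FLAG=1. The one-pair-per-line dump format, the function names and the sample users are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. Assumes `userdbget -a` prints one
# "user ATTR=value" pair per line; both sample files below are constructed.

# Print the global AUDIT_FLAG from a security defaults file ($1).
# An unset flag means 1: the guide says all users are audited by default.
global_audit_flag() {
    awk -F= '$1 == "AUDIT_FLAG" { v = $2 } END { print (v == "" ? 1 : v) }' "$1"
}

# Print each user whose per-user AUDIT_FLAG is 1 in the dump file ($1).
audited_users() {
    awk '$2 == "AUDIT_FLAG=1" { print $1 }' "$1" | sort -u
}

# plan_audit_only DUMP user...: print (never run) the userdbset commands
# that leave per-user auditing enabled for exactly the named users.
plan_audit_only() {
    dump=$1; shift
    wanted=" $* "
    current=" $(audited_users "$dump" | tr '\n' ' ')"
    for u in $current; do            # audited now, but not wanted
        case "$wanted" in *" $u "*) ;; *) echo "userdbset -u $u AUDIT_FLAG=0" ;; esac
    done
    for u in "$@"; do                # wanted, but not audited now
        case "$current" in *" $u "*) ;; *) echo "userdbset -u $u AUDIT_FLAG=1" ;; esac
    done
}

SAMPLE_SECURITY=$(mktemp); SAMPLE_DUMP=$(mktemp)
trap 'rm -f "$SAMPLE_SECURITY" "$SAMPLE_DUMP"' EXIT
printf 'AUDIT_FLAG=0\n' > "$SAMPLE_SECURITY"   # stands in for /etc/default/security
cat > "$SAMPLE_DUMP" <<'EOF'
alice AUDIT_FLAG=1
bob AUDIT_FLAG=0
carol AUDIT_FLAG=1
carol DISPLAY_LAST_LOGIN=0
EOF

if [ "$(global_audit_flag "$SAMPLE_SECURITY")" != 0 ]; then
    echo "# step 1 not done: set AUDIT_FLAG=0 in the security file first"
fi
plan_audit_only "$SAMPLE_DUMP" carol dave
```

Review the printed commands before running them on the host; as the guide states, the changes take effect at each user's next login.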
9.4 Auditing Events
An event is an action with security implications, such as creating a file, opening a file,
or logging in to the system. You can audit events on an HP-UX system to enhance security
by detecting possible breaches. However, the more events you choose to audit, the more
system resources are used and the greater the impact on system performance. The security
architect must determine which events to audit based on business needs and any
applicable government regulations.
The audevent command is used to specify system activities (auditable events) that are
to be audited. Auditable events are classified into event categories and profiles for easier
configuration. A profile consists of a set of operations (event categories, self-auditing