|
|
Sponsored Content
Operating Systems
Solaris
Configuring Auditing
Post 302993315 by MadeInGermany on Wednesday 8th of March 2017 02:38:04 PM
03-08-2017
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
I was just going thru the auditing script ..
2 questions pop in mind .. Why did they move S81volmgmt .. What is the logic behind not loading it ..
2) Why the purpose of the device allocate entries (2 Replies)
Discussion started by: DPAI
2 Replies
2. Solaris
Hi, I was wondering if anyone has had the problem I'm having or knows how to fix it. I need to audit one of our servers at work. I turned on BSM auditing and modified the audit_control file to only flag the "lo" class(login/outs) then I rebooted. I viewed the log BSM created and it shows a whole... (0 Replies)
Discussion started by: BlueKalel
0 Replies
3. AIX
i want to audit user commands ..
keep track of what commands each user has been giving ..
can this be done by writing a script in engraving it in .profile of the user.
or is there any other way of doing this ...
rgds
raj (2 Replies)
Discussion started by: rajesh_149
2 Replies
4. UNIX for Dummies Questions & Answers
Hello everbody:
I have a file on the system, I need to check who was the last user who accessed or modified it, and if i can get any further details i can get like IP or access time,etc.
do you have any idea about simple concept or way i can do that in unix tru64 or solaris 9?
thanks in advance... (2 Replies)
Discussion started by: aladdin
2 Replies
5. UNIX for Advanced & Expert Users
I need to log or 'audit' any access to a shared directory which is stored on a NetApp appliance. I need to be able to 'prove' who has acessed the data in this directory at any time. I am just not sure how to do this. The systems that will be accessing this are Linux systems.
Any help is... (2 Replies)
Discussion started by: frankkahle
2 Replies
6. UNIX for Advanced & Expert Users
:)I need a little help. I have sent all of our logs to our log server, but I can't send the audit logs that are in /var/log/audit.log. Can someone give me some type of idea to transfer these logs.
Thank You (2 Replies)
Discussion started by: aojmoj
2 Replies
7. AIX
I have a question relating with AIX auditing Question is can we set Auditing on a particular file in AIX for a particular application only?
Let say I have a file name "info.jar" and I have three application named APP1, APP2 & APP3 which are accessing that file so I want to know that which... (0 Replies)
Discussion started by: m_raheelahmed
0 Replies
8. AIX
can some give some tips, most common security issues or and kind of advice about auditing aix system?
regards (2 Replies)
Discussion started by: bongo
2 Replies
9. UNIX for Advanced & Expert Users
I have implemented solaris login authenticating against an active directory server, using solaris x86 on a Dell R810 8xXeon CPUs and 262Gb RAM.
The actual OS is:
# uname -a
SunOS ms-svr012 5.10 Generic_142910-17 i86pc i386 i86pc
# cat /etc/release
Oracle Solaris 10 9/10... (2 Replies)
Discussion started by: jabberwocky
2 Replies
10. AIX
In our customer place somebody removed and PV from the server. I want the information like which user removed this PV.
Is there any way to get PV removal information.
When did the PV removed from the server ?
Whether AIX auding will help ?
Where i can get these information ?
Thank... (2 Replies)
Discussion started by: sunnybee
2 Replies
LEARN ABOUT HPUX
audit
audit(5) File Formats Manual audit(5) NAME
audit - introduction to HP-UX Auditing System DESCRIPTION
The purpose of the auditing system is to record instances of access by subjects to objects and to allow detection of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges, thus acting as a deterrent against system abuses and exposing potential security weaknesses in the system. User and Event Selection The auditing system provides administrators with a mechanism to select users and activities to be audited. On a system that has been converted to trusted mode, users are assigned unique identifiers called by the administrator, which remain unchanged throughout a user's history. See about trusted mode. The command is used to specify those users who are to be audited. On a system that has not been converted to trusted mode, each login session is assigned a unique identifier called The is a string repre- senting information such as user name and login time. It can uniquely identify each login session and the person responsible for the ses- sion. See also setauduser(3) and getauduser(3). The command is used to specify those users who are to be audited. See userdbset(1M) and userdb(4). The associated attribute is called and is described in security(4). The command is used to specify system activities (auditable events) that are to be audited. Auditable events are classified into event categories and profiles for easier configuration. Once an event category or a profile is selected, all system calls and self-auditing events associated with that event category or profile are selected. When the auditing system is installed, a default set of event classi- fication information is provided in file In order to meet site-specific requirements, administrators may also define event categories and profiles in See audit.conf(4) and audevent(1M) for more information. Note that even if an user is not selected for auditing, it is expected that some records may still be generated at the time user starts a session and ends a session. Those are considered as system-wise information that are more in favor of event selection than the user selec- tion. Other programs that do self-auditing may also make arbitrary decision to ignore the user selection though it is not recommended. More information about self-auditing programs can be found later. Starting and Halting the Auditing System The administrator can use the command to start or halt the auditing system, or to get a brief summary of the status of the audit system. Prior to starting the auditing system, also validates the parameters specified, and ensures that the auditing system is in a safe and con- sistent state. See audsys(1M) for more information. Monitoring the Auditing System To ensure that the auditing system operates normally and to detect abnormal behaviors, a privileged program, runs in the background to mon- itor various auditing system parameters. When these parameters take on abnormal (dangerous) values, or when components of the auditing system are accidentally removed, prints warning messages and tries to resolve the problem if possible. See audomon(1M) for more informa- tion. can be spawned by (as part of the start-up process) when the system is booted up if the parameter AUDITING is set to 1 in file It can also be started any time by a privileged user. Viewing of Audited Data The command is used to view audited data recorded in log files. The command merges the log files into a single audit trail in chronologi- cal sequence. The administrator can select viewing criteria provided by the command to limit the search to particular kinds of events which the administrator is interested in investigating. Audit Trails At any time when the auditing system is enabled, at least an audit trail must be present. The trail name and various attributes for the trail can be specified using When the current trail exceeds the specified size, or when the auditing file system is dangerously full, the system automatically switches to another trail with the same base name but a different timestamp extension and begin recording to it. A script can be specified using to perform various operations on the last audit trail after each successful switch. If trail switch is unsuccessful, warning messages are sent to request appropriate administrator action. Self-auditing Programs To reduce the amount of log data and to provide a higher-level recording of some typical system operations, a collection of privileged pro- grams are given capabilities to perform self-auditing. This means that the programs can suspend the currently specified auditing on them- selves and produce a high-level description of the operations they perform. These self-auditing programs are described in the following manpages: at(1), chfn(1), chsh(1), crontab(1), login(1), newgrp(1), passwd(1), audevent(1M), audisp(1M), audsys(1M), audusr(1M), cron(1M), groupadd(1M), groupdel(1M), groupmod(1M), init(1M), lpsched(1M), sam(1M), useradd(1M), userdel(1M), and usermod(1M). Note: Only privileged programs are allowed to do self-auditing. The audit suspension they perform only affects these programs and does not affect any other processes on the system. Most of these commands generate audit data under a single event category. For example, generates the audit data under the event admin. Other commands may generate data under multiple event categories. For example, the command generates data under the events login and admin. For a list of predefined event categories, see audevent(1M). WARNINGS
HP-UX 11i Version 3 is the last release to support trusted systems functionality. The HP-UX Auditing System continues to work without converting to trusted mode. AUTHOR
The auditing system described above was developed by HP. SEE ALSO
audevent(1M), audisp(1M), audsys(1M), audusr(1M), userdbset(1M), audctl(2), audswitch(2), audwrite(2), getaudid(2), getevent(2), setau- did(2), setevent(2), getauduser(3), setauduser(3), audit(4), security(4), userdb(4), audit_memory_usage(5), audit_track_paths(5), diskau- dit_flush_interval(5). audit(5)