03-10-2005
HP-UX C2 Auditing
I am trying to find out if there are any recommendations regarding what events/system calls should be audited as a starting point. I am new to the auditing side of things and am not really too sure what is best to log. Any ideas, or do you know of any resources which make recommendations in this respect?
LEARN ABOUT FREEBSD
AUDIT_USER(5) BSD File Formats Manual AUDIT_USER(5)
NAME
audit_user -- events to be audited for given users
DESCRIPTION
The audit_user file specifies which audit event classes are to be audited for the given users. If specified, these flags are combined with
the system-wide audit flags in the audit_control(5) file to determine which classes of events to audit for that user. These settings take
effect when the user logs in.
Each line maps a user name to a list of classes that should be audited and a list of classes that should not be audited. Entries are of the
form:
username:alwaysaudit:neveraudit
In the format above, alwaysaudit is a set of event classes that are always audited, and neveraudit is a set of event classes that should not
be audited. These sets can indicate the inclusion or exclusion of multiple classes, and whether to audit successful or failed events. See
audit_control(5) for more information about audit flags.
Example entries in this file are:
root:lo,ad:no
jdoe:-fc,ad:+fw
These settings would cause login/logout and administrative events that are performed on behalf of user ``root'' to be audited. Because
neither class in that entry carries a + or - prefix, both successful and failed events of those classes are selected, and the neveraudit
field ``no'' (the empty class) excludes nothing. For the user ``jdoe'', failed file creation events are audited, administrative events
(successful and failed) are audited, and successful file write events are never audited.
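The preselection rules above (bare class = both outcomes, + = success only, - = failure only, per-user alwaysaudit/neveraudit layered on the system-wide flags) are easy to misread, so here is an added worked example, not part of the manual page or of OpenBSM, that parses the two example entries and answers "would this user's event be recorded?". Assumptions: the class bit values are a constructed subset of audit_class(5); lines starting with # are skipped as comments; the combination rule (global flags OR alwaysaudit, then clear neveraudit) is how libbsm's au_user_mask(3) behaves as I understand it and should be checked against your version; the `^` remove prefix is the one documented in audit_control(5); the global `flags:lo` line is assumed.

```python
"""Evaluate OpenBSM audit preselection for a user (added example, not OpenBSM code)."""

# Constructed subset of audit_class(5); bit values are assumptions, a real
# system takes them from /etc/security/audit_class.
CLASSES = {
    "no": 0x00000000,   # invalid (empty) class: matches nothing
    "fr": 0x00000001,   # file read
    "fw": 0x00000002,   # file write
    "fa": 0x00000004,   # file attribute access
    "fc": 0x00000010,   # file create
    "fd": 0x00000020,   # file delete
    "pc": 0x00000080,   # process
    "ad": 0x00000800,   # administrative
    "lo": 0x00001000,   # login/logout
    "ex": 0x40000000,   # exec
    "all": 0xFFFFFFFF,  # every class
}
ALL = 0xFFFFFFFF


def parse_flags(spec):
    """Parse an audit_control(5)-style list such as 'lo,-fc,^+fw'.

    Returns (success_mask, failure_mask). Tokens apply left to right: a bare
    class selects both outcomes, '+' success only, '-' failure only, and a
    leading '^' removes the selection instead of adding it.
    """
    success = failure = 0
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        remove = tok.startswith("^")
        if remove:
            tok = tok[1:]
        if tok.startswith("+"):
            want_ok, want_fail, name = True, False, tok[1:]
        elif tok.startswith("-"):
            want_ok, want_fail, name = False, True, tok[1:]
        else:
            want_ok, want_fail, name = True, True, tok
        if name not in CLASSES:
            raise ValueError(f"unknown audit class {name!r} in {spec!r}")
        bits = CLASSES[name]
        if remove:
            success = success & ~bits & ALL if want_ok else success
            failure = failure & ~bits & ALL if want_fail else failure
        else:
            success = success | bits if want_ok else success
            failure = failure | bits if want_fail else failure
    return success, failure


def parse_audit_user(text):
    """Parse 'username:alwaysaudit:neveraudit' lines into
    {user: ((always_ok, always_fail), (never_ok, never_fail))}.
    Blank lines and '#' comments are skipped (comment handling is an assumption)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:always:never, got {line!r}")
        user, always, never = parts
        entries[user] = (parse_flags(always), parse_flags(never))
    return entries


def effective_mask(global_flags, user_entry):
    """Global flags OR alwaysaudit, then clear neveraudit (assumed au_user_mask rule)."""
    g_ok, g_fail = parse_flags(global_flags)
    (a_ok, a_fail), (n_ok, n_fail) = user_entry
    return (g_ok | a_ok) & ~n_ok & ALL, (g_fail | a_fail) & ~n_fail & ALL


def audited_outcomes(global_flags, audit_user_text, user, class_name):
    """Return (success_audited, failure_audited) for one user and class."""
    entry = parse_audit_user(audit_user_text).get(user, ((0, 0), (0, 0)))
    ok_mask, fail_mask = effective_mask(global_flags, entry)
    bits = CLASSES[class_name]
    return bool(ok_mask & bits), bool(fail_mask & bits)


# Constructed sample: the two entries from audit_user(5) plus an assumed flags line.
SAMPLE_AUDIT_USER = "root:lo,ad:no\njdoe:-fc,ad:+fw\n"
SAMPLE_GLOBAL_FLAGS = "lo"

if __name__ == "__main__":
    for user in ("root", "jdoe", "alice"):        # alice: not listed, global flags only
        for cls in ("lo", "ad", "fc", "fw"):
            ok, fail = audited_outcomes(SAMPLE_GLOBAL_FLAGS, SAMPLE_AUDIT_USER, user, cls)
            print(f"{user:6} {cls}: success={'yes' if ok else 'no'} failure={'yes' if fail else 'no'}")
```

Note what the table shows for jdoe: the `+fw` in neveraudit suppresses successful file writes even if a later global `flags:` line adds `+fw`, which is the behaviour to expect when an administrator tries to widen auditing site-wide and wonders why one account stays quiet.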
IMPLEMENTATION NOTES
Per-user and global audit preselection configuration are evaluated at time of login, so users must log out and back in again for audit
changes relating to preselection to take effect.
Audit record preselection occurs with respect to the audit identifier associated with a process, rather than with respect to the UNIX user or
group ID. The audit identifier is set as part of the user credential context as part of login, and typically does not change as a result of
running setuid or setgid applications, such as su(1). This has the advantage that events that occur after running su(1) can be audited to
the original authenticated user, as required by CAPP, but may be surprising if not expected.
FILES
/etc/security/audit_user
SEE ALSO
login(1), su(1), audit(4), audit_class(5), audit_control(5), audit_event(5)
HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in
2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
AUTHORS
This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
BSD January 4, 2008 BSD