HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Part III Protecting Identity

Chapter 10 Audit Administration

The purpose of auditing is to selectively record events for analysis and detection of security breaches. The audit data is recorded in log files. Thus, the auditing system acts as a deterrent against system abuses and exposes potential security weaknesses.

The auditing system records instances of access by subjects to objects on the system; it detects any (repeated) attempts to bypass the protection mechanism and any misuses of privileges; it also helps in exposing potential security weaknesses in the system.

When a user logs in, a unique audit session ID called an "audit tag" is generated and associated with the user's process. The audit tag remains the same for the duration of the login session. Even if a user changes identity within a single session, all events are still recorded with the same audit tag and accounted for under the original login user's name.

Audit records are generated for selected security-related system events. Each audit record contains information about the event, such as what the event was, when it occurred, the ID of the user who caused it, the ID of the process that caused it, and so on.

Audit records are collected in audit logs/files in binary format. The HP-UX auditing system in the HP-UX 11i v3 release can use more than one writer thread to log data to files. Each writer thread writes to one file, which increases data throughput. As a result, an audit trail is present on the file system as a directory with multiple audit files in it.

The records in the audit trail are compressed to save file space. When a process is audited for the first time, a process identification record (PIR) is written into the audit trail containing information that remains constant throughout the lifetime of the process. This includes the process ID, the parent process ID, the audit tag, the real user ID, the real group ID, the effective user ID, the effective group ID, the group ID list, the effective, permitted, and retained privileges, the compartment ID, and the terminal ID. The PIR is entered only once per process per audit trail.
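The PIR compression and audit-tag attribution described above, as an added example that is not HP code: a simplified Python model, not the HP-UX binary format. The record layout, file names, PIDs and events are constructed, and it assumes a process's event records may land in a different file of the trail than its PIR.

```python
"""Simplified model of a compressed audit trail; NOT the HP-UX binary format."""
from collections import defaultdict

# Constructed sample trail: a directory of files, one per writer thread.
# ("PIR", pid, fields) is written once per process per trail;
# ("EVT", time, pid, event, result) carries only what varies per event.
TRAIL = {
    "audit.0": [
        ("PIR", 4101, {"ppid": 1, "audit_tag": 77, "ruid": 1001, "euid": 1001}),
        ("EVT", 100, 4101, "login", "pass"),
        ("EVT", 130, 4102, "unlink:/var/tmp/f", "pass"),
    ],
    "audit.1": [
        # Shell started by su: the user IDs change to 0, the audit tag stays 77.
        ("PIR", 4102, {"ppid": 4101, "audit_tag": 77, "ruid": 0, "euid": 0}),
        ("EVT", 120, 4102, "open:/etc/shadow", "pass"),
        ("EVT", 140, 4200, "open:/tmp/x", "pass"),  # no PIR anywhere in the trail
    ],
}

def expand(trail):
    """Rebuild full records from every file in the trail, ordered by time."""
    pirs, events = {}, []
    # Pass 1: gather PIRs from all files, since an event's PIR may sit in another file.
    for name, records in trail.items():
        for rec in records:
            if rec[0] == "PIR":
                pirs.setdefault(rec[1], rec[2])  # keep the first PIR seen per pid
            else:
                events.append((rec[1], name, rec[2], rec[3], rec[4]))
    full, orphans = [], []
    # Pass 2: join each event with its process's constant fields.
    for when, name, pid, event, result in sorted(events):
        if pid not in pirs:
            orphans.append((name, when, pid, event))  # cannot be attributed
            continue
        full.append({"time": when, "pid": pid, "event": event,
                     "result": result, **pirs[pid]})
    return full, orphans

def by_session(full):
    """Group expanded records by audit tag, i.e. by original login session."""
    sessions = defaultdict(list)
    for rec in full:
        sessions[rec["audit_tag"]].append(rec)
    return dict(sessions)

if __name__ == "__main__":
    full, orphans = expand(TRAIL)
    for tag, recs in by_session(full).items():
        print(tag, [(r["time"], r["euid"], r["event"]) for r in recs])
    print("unattributable:", orphans)
```

In this model, a reader that parses one file in isolation would lose the identity of process 4102 in `audit.0`, and an event with no PIR in the whole trail is reported rather than silently dropped.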

This chapter discusses the following topics:

© 2008 Hewlett-Packard Development Company, L.P.