The purpose of auditing is to selectively record
events for later analysis and for the detection of security breaches. The audit
data is recorded in log files. Because the record of who did what is kept, the
auditing system acts as a deterrent against system abuse and exposes potential
security weaknesses. The auditing system records instances of access
by subjects to objects on the system, and it detects any (repeated) attempts
to bypass the protection mechanism and any misuse of privileges.
When a user logs in, a unique audit session ID
called an "audit tag" is generated and associated with the user's
process. The audit tag remains the same throughout that login session.
Even if a user changes identity within a single session, all events
are still recorded with the same audit tag and remain accountable under the
original login user's name.
Audit records are generated for selected security-related
system events. Each audit record contains information about
the event, such as what the event was, when it occurred, the ID of
the user who caused it, the ID of the process that caused it, and so
on.
Audit records are collected in audit logs (files)
in binary format. The HP-UX Auditing system on the HP-UX 11i v3 release is
capable of using more than one writer thread to log data to files.
Each writer thread writes to one file, which increases the
throughput of the audit data. As a result, an audit trail is present on
the file system as a directory containing multiple audit files.
The records in the audit trail are compressed
to save file space. When a process is audited for the first time, a process
identification record (PIR) is written into the audit trail containing
information that remains constant throughout the lifetime of the process.
This includes the process ID, the parent process ID, the audit tag,
the real user ID, real group ID, effective user ID, effective group ID,
group ID list, effective, permitted, and retained privileges, compartment
ID, and the terminal ID. The PIR is entered only once per process
per audit trail.
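The accountability property described above (every event in a session stays charged to the original login user through the audit tag, even after an identity change) is what an analyst relies on when reviewing the trail. The following is an added illustration, not HP-UX code and not its binary record format: the records are constructed, already-decoded dictionaries carrying the fields the text lists (audit tag, process ID, effective user ID, event), and the uid-to-name table is an assumed lookup.

```python
"""Attribute audit events to the login user through the audit tag.

Added illustration, not HP-UX code or its binary audit format: the records
below are constructed, already-decoded dicts with the fields the text lists
(audit tag, pid, effective uid, event). The uid -> name table is assumed.
"""

# Assumed uid -> username mapping (constructed for this example).
PASSWD = {0: "root", 501: "alice", 502: "bob"}

# Constructed sample trail: session tag 1001 logs in as uid 501 and later
# switches identity to root; session tag 1002 stays as uid 502 throughout.
SAMPLE_RECORDS = [
    {"tag": 1001, "pid": 4201, "euid": 501, "event": "login"},
    {"tag": 1001, "pid": 4210, "euid": 501, "event": "su"},
    {"tag": 1001, "pid": 4210, "euid": 0,   "event": "open:/etc/shadow"},
    {"tag": 1001, "pid": 4215, "euid": 0,   "event": "chmod:/etc/passwd"},
    {"tag": 1002, "pid": 4300, "euid": 502, "event": "login"},
    {"tag": 1002, "pid": 4301, "euid": 502, "event": "open:/home/bob/.profile"},
]


def session_owners(records):
    """Map each audit tag to the uid of its login record (first record seen)."""
    owners = {}
    for r in records:
        owners.setdefault(r["tag"], r["euid"])
    return owners


def attribute(records):
    """Return [(login_user, effective_user, event)], charging every event to the
    session's login user regardless of the euid it actually ran under."""
    owners = session_owners(records)
    return [(PASSWD[owners[r["tag"]]], PASSWD[r["euid"]], r["event"]) for r in records]


def identity_changes(records):
    """Events executed under an euid other than the session's login uid; this is
    exactly the case the fixed per-session audit tag keeps accountable."""
    owners = session_owners(records)
    return [(PASSWD[owners[r["tag"]]], r["event"])
            for r in records if r["euid"] != owners[r["tag"]]]


if __name__ == "__main__":
    for login_user, run_as, event in attribute(SAMPLE_RECORDS):
        print(f"{login_user:6} (as {run_as:5}) {event}")
```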
This chapter discusses the following topics: