Use the following procedures to plan, enable, and
monitor auditing on your system.
Planning the Auditing Implementation
To plan the auditing implementation, follow these steps:
1. Determine which users to audit. By default, all users are selected for auditing.
2. Determine which events or system calls to audit. Use the audevent command to display a list of events and system calls that are currently selected for auditing. Events and system calls can be grouped into profiles.
3. Decide where you want to place the audit log files (audit trails) on the system. For more information on configuring the audit log files, see Section .
4. Create a strategy to archive and back up audit files. Audit files often take up a lot of disk space and can overflow if you do not carefully plan file management. Use the -X option with the audomon command to automate archiving.
For additional information about auditing system
performance and administration that can help you plan the auditing
implementation, see Section and Section .
To enable auditing on the system, follow these steps:
1. Configure the users you want to audit using the userdbset command. For more information on configuring auditing for users, see Section .
2. Configure the events you want to audit using the audevent command. For example, to audit according to MySitePolicy, enter the following command:
#audevent -P -F -r MySitePolicy
MySitePolicy must be defined in the /etc/audit/audit_site.conf file. Use the audevent command with no options to display a list of events and system calls that are currently configured for auditing. For more information on configuring auditing for events, see Section .
3. Set the audevent argument parameters in the /etc/rc.config.d/auditing file so that the auditing system retains the current configuration parameters when the system is rebooted. For example, to retain the parameters configured in step 2, set the parameters as follows:
AUDEVENT_ARGS1="-P -F -r MySitePolicy"
4. Start the auditing system and define the audit trail(s) using the audsys command:
#audsys -n -c primary_audit_file -s 1000
5. Set up the log files and log file switch parameters in the /etc/rc.config.d/auditing file. Follow these steps:
a. Set PRI_AUDFILE to the name of the primary audit log file.
b. Set PRI_SWITCH to the maximum size of the primary audit log file (in KB), at which audit logging switches to the auxiliary log file.
c. Set SEC_AUDFILE to the name of the auxiliary log file.
d. Set SEC_SWITCH to the maximum size of the secondary audit log file (in KB).
For more information about setting up primary and auxiliary audit log files, see Section .
6. Start the audomon daemon if it has not yet been started. The audomon daemon monitors the growth of the current audit trail and switches to an alternative audit trail whenever necessary. For example:
7. Set the audit log file monitor arguments in the /etc/rc.config.d/auditing file. Set the same values used in step 2.
8. (Optional) Stop system auditing using the following command:
9. (Optional) Set the AUDIT flag to 0 in the /etc/rc.config.d/auditing file to keep the auditing system from starting at the next system boot.
Auditing increases system overhead. When performance
is a concern, be selective about what events and users are audited.
This can help reduce the impact of auditing on performance.
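The following script is an added example for this page, not part of the HP-UX manual: it builds a scratch copy of the /etc/rc.config.d/auditing settings named in the procedure above (AUDIT, PRI_AUDFILE, PRI_SWITCH, SEC_AUDFILE, SEC_SWITCH, AUDEVENT_ARGS1) and checks the file for the mistakes that would only surface at the next boot: primary and auxiliary trails pointing at the same file, a switch size that is not a positive number of KB, or a -r policy that does not appear in /etc/audit/audit_site.conf. The sample file paths are constructed, the target file is a parameter so the check can be exercised on a temporary copy, and the site-policy lookup only runs where audit_site.conf exists.

```shell
#!/bin/sh
# Added example, not from the HP-UX manual: write a scratch copy of the
# /etc/rc.config.d/auditing settings from the enabling procedure and
# sanity-check it before rebooting with AUDIT=1.  The sample paths are
# constructed; the file path is a parameter so this runs on a temporary file.

# write_audit_config FILE PRIMARY AUXILIARY SWITCH_KB
write_audit_config() {
    cat > "$1" <<EOF
# constructed sample of /etc/rc.config.d/auditing
AUDIT=1
PRI_AUDFILE=$2
PRI_SWITCH=$4
SEC_AUDFILE=$3
SEC_SWITCH=$4
AUDEVENT_ARGS1="-P -F -r MySitePolicy"
EOF
}

# cfg_get FILE KEY: value of the last KEY=... line, surrounding quotes removed.
# The file is parsed with sed rather than sourced, so nothing in it executes.
cfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# check_audit_config FILE: report every inconsistency; return 0 only if none.
check_audit_config() {
    cfg=$1; rc=0
    audit=$(cfg_get "$cfg" AUDIT)
    pri=$(cfg_get "$cfg" PRI_AUDFILE); sec=$(cfg_get "$cfg" SEC_AUDFILE)
    args=$(cfg_get "$cfg" AUDEVENT_ARGS1)

    case "$audit" in 0|1) ;; *) echo "AUDIT must be 0 or 1, found '$audit'"; rc=1 ;; esac

    for key in PRI_AUDFILE SEC_AUDFILE; do
        val=$(cfg_get "$cfg" "$key")
        case "$val" in
            /*) ;;                       # absolute path, as the manual's examples use
            *)  echo "$key must be an absolute path, found '$val'"; rc=1 ;;
        esac
    done
    # audomon switches between the two trails, so they must be distinct files
    [ "$pri" != "$sec" ] || { echo "PRI_AUDFILE and SEC_AUDFILE must differ"; rc=1; }

    # switch sizes are in KB and must be positive integers
    for key in PRI_SWITCH SEC_SWITCH; do
        val=$(cfg_get "$cfg" "$key")
        case "$val" in
            ''|0|*[!0-9]*) echo "$key must be a positive integer (KB), found '$val'"; rc=1 ;;
        esac
    done

    # a -r policy only works if it is defined in audit_site.conf; checked only
    # where that file exists, so the script also runs on a non-HP-UX host
    policy=$(printf '%s\n' "$args" | sed -n 's/.*-r *\([^ ]*\).*/\1/p')
    if [ -n "$policy" ] && [ -f /etc/audit/audit_site.conf ]; then
        grep -qF "$policy" /etc/audit/audit_site.conf ||
            { echo "policy $policy is not defined in /etc/audit/audit_site.conf"; rc=1; }
    fi
    return $rc
}

# Demo on a scratch file (the live file is /etc/rc.config.d/auditing).
scratch=$(mktemp /tmp/auditing.XXXXXX)
write_audit_config "$scratch" /var/adm/audit/audfile1 /var/adm/audit/audfile2 1000
check_audit_config "$scratch" && echo "auditing configuration is consistent"
rm -f "$scratch"
```

Run check_audit_config against a copy of the real file before enabling AUDIT=1; it reads the assignments with sed instead of sourcing the file, so a stray command in the configuration cannot run with the checker's privileges.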
Guidelines for Administering the Auditing System
Use the following guidelines when administering the auditing system:
Check the audit logs according to the security policy. An online audit file should be retained for at least 24 hours, and all audit records stored offline should be retained for a minimum of 30 days.
Review the audit log for unusual activities, such as late-hours logins, login failures, failed access to system files, and failed attempts to perform security-relevant
Prevent the overflow of the audit file by archiving daily.
Revise the currently selectable events periodically, especially after installing new releases of HP-UX, since new system calls are often introduced in new releases.
Revise audited users periodically.
Do not follow any pattern or schedule for event or user selection.
Set site guidelines. Involve users and management in determining these guidelines.
If the audit data volume is expected to be high, configure audit trails on a logical volume consisting of multiple physical disks and multiple physical I/O cards.
Use the -N option with the audsys command to split the audit trail into multiple files.
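The following script is an added example, not part of the HP-UX manual: it implements the daily archiving pass that the planning step and the guidelines above call for, with the retention windows the guidelines state (finished trails stay online for at least 24 hours, offline copies are kept at least 30 days). The directory layout, the audfile* naming and the ACTIVE argument are constructed for the example; on a real system the active trail is whichever file audomon is currently writing, and the script never moves it.

```shell
#!/bin/sh
# Added example, not from the HP-UX manual: a daily archiving pass that
# applies the retention windows from the administration guidelines.  The
# directory layout and "audfile*" naming are constructed for the example;
# ACTIVE is the trail audomon is still writing and is never moved.

# archive_audit_trails AUDIT_DIR ARCHIVE_DIR ACTIVE [MIN_ONLINE_DAYS] [KEEP_OFFLINE_DAYS]
# Moves completed trails that have been online for at least MIN_ONLINE_DAYS
# (default 1, i.e. 24 hours) into ARCHIVE_DIR, from where they would be
# copied to tape or other offline storage, then deletes archived copies
# older than KEEP_OFFLINE_DAYS (default 30).  Prints "<archived> <removed>".
# usage: archive_audit_trails /var/adm/audit /var/adm/audit/archive /var/adm/audit/audfile1
archive_audit_trails() {
    auddir=$1; arcdir=$2; active=$3
    min_online=${4:-1}; keep_offline=${5:-30}
    archived=0; removed=0
    mkdir -p "$arcdir"

    for trail in "$auddir"/audfile*; do
        [ -f "$trail" ] || continue
        [ "$trail" != "$active" ] || continue        # live trail stays put
        # find -mtime +N matches files whose age in whole days exceeds N,
        # so +0 means "at least 24 hours old"
        [ -n "$(find "$trail" -mtime +$((min_online - 1)))" ] || continue
        # mv keeps the mtime, which the offline retention check below relies on
        mv "$trail" "$arcdir/" && archived=$((archived + 1))
    done

    for copy in "$arcdir"/audfile*; do
        [ -f "$copy" ] || continue
        [ -n "$(find "$copy" -mtime +"$keep_offline")" ] || continue
        rm -f "$copy" && removed=$((removed + 1))
    done
    echo "$archived $removed"
}
```

Because the retention decisions are driven by file modification times, the script moves trails with mv rather than copying or compressing them; anything that rewrites the file would reset the clock and keep stale copies around past the 30-day window.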