HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 10 Audit Administration

Auditing Your System

Use the following procedures to plan, enable, and monitor auditing on your system.

Planning the Auditing Implementation

To plan the auditing implementation, follow these steps:

  1. Determine which users to audit. By default, all users are selected for auditing.

  2. Determine which events or system calls to audit. Use the audevent command to display a list of events and system calls that are currently selected for auditing.

    Events and system calls can be grouped into profiles.

  3. Decide where you want to place the audit log files (audit trails) on the system. For more information on configuring the audit log files, see Section .

  4. Create a strategy to archive and back up audit files. Audit files often take up a lot of disk space and can overflow if you do not carefully plan file management. Use the -X option with the audomon command to automate archiving.

For additional information about auditing system performance and administration that can help you plan the auditing implementation, see Section  and Section .

Enabling Auditing

To enable auditing on the system, follow these steps:

  1. Configure the users you want to audit using the userdbset command. For more information on configuring auditing for users, see Section .

  2. Configure the events you want to audit using the audevent command. For example, to audit according to MySitePolicy, enter the following command:

    # audevent -P -F -r MySitePolicy

    MySitePolicy must be defined in the /etc/audit/audit_site.conf file.

    Use the audevent command with no options to display a list of events and system calls that are currently configured for auditing.

    For more information on configuring auditing for events, see Section .

  3. Set the audevent argument parameters in the /etc/rc.config.d/auditing file so that the auditing system retains the current configuration parameters when the system is rebooted. For example, to retain the parameters configured in step 2, set the parameters as follows:

    AUDEVENT_ARGS1="-P -F -r MySitePolicy"

  4. Start the auditing system and define the audit trail(s) using the audsys command:

    # audsys -n -c primary_audit_file -s 1000

  5. Set up the log files and log file switch parameters in the /etc/rc.config.d/auditing file. Follow these steps:

    1. Set PRI_AUDFILE to the name of the primary audit log file.

    2. Set PRI_SWITCH to the maximum size of the primary audit log file (in KB), at which audit logging switches to the auxiliary log file.

    3. Set SEC_AUDFILE to the name of the auxiliary log file.

    4. Set SEC_SWITCH to the maximum size of the secondary audit log file (in KB).

    For more information about setting up primary and auxiliary audit log files, see Section .

  6. Start the audomon daemon if it has not yet been started. The audomon daemon monitors the growth of the current audit trail and switches to an alternative audit trail whenever necessary. For example:

    # audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"

    For more information about configuring the audomon daemon, see Section .

  7. Set the audomon argument parameter in the /etc/rc.config.d/auditing file to retain the current settings across system reboots.

  8. Set the AUDITING flag to 1 in the /etc/rc.config.d/auditing file to enable the auditing system to automatically start when the system is booted.
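As an added check, not part of the HP-UX guide, the following shell function sources a copy of /etc/rc.config.d/auditing and verifies that the parameters from steps 3, 5 and 8 are set consistently before the system is rebooted. The variable name AUDOMON_ARGS for step 7 and the sample trail paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: sanity-check an rc.config.d
# auditing file.  The file is sourced in a subshell (it is a root-owned
# shell fragment), then the variables from steps 3, 5 and 8 are checked.
# AUDOMON_ARGS (step 7) is an assumed variable name.
check_auditing_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    (
        AUDITING= PRI_AUDFILE= PRI_SWITCH= SEC_AUDFILE= SEC_SWITCH= AUDEVENT_ARGS1= AUDOMON_ARGS=
        . "$cfg"
        rc=0
        # step 8: auditing must start at boot
        [ "$AUDITING" = 1 ] || { echo "AUDITING is '$AUDITING', expected 1"; rc=1; }
        # step 5: two distinct trails with positive integer switch sizes (KB)
        [ -n "$PRI_AUDFILE" ] || { echo "PRI_AUDFILE not set"; rc=1; }
        [ -n "$SEC_AUDFILE" ] || { echo "SEC_AUDFILE not set"; rc=1; }
        [ "$PRI_AUDFILE" != "$SEC_AUDFILE" ] || { echo "primary and auxiliary trails are the same file"; rc=1; }
        for v in PRI_SWITCH SEC_SWITCH; do
            eval val=\$$v
            case "$val" in
                ''|*[!0-9]*) echo "$v must be a positive integer (KB), got '$val'"; rc=1 ;;
                0) echo "$v is 0: audomon could never switch trails"; rc=1 ;;
            esac
        done
        # step 3: event selection must survive a reboot
        [ -n "$AUDEVENT_ARGS1" ] || { echo "AUDEVENT_ARGS1 not set"; rc=1; }
        # step 7: audomon settings must survive a reboot (assumed name)
        [ -n "$AUDOMON_ARGS" ] || { echo "AUDOMON_ARGS not set"; rc=1; }
        exit $rc
    )
}

# Constructed sample files; the real file is /etc/rc.config.d/auditing.
good=$(mktemp); cat >"$good" <<'EOF'
AUDITING=1
PRI_AUDFILE=/var/.audit/primary_audit_file
PRI_SWITCH=1000
SEC_AUDFILE=/var/.audit/secondary_audit_file
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -r MySitePolicy"
AUDOMON_ARGS="-p 20 -t 1 -w 90"
EOF
bad=$(mktemp); cat >"$bad" <<'EOF'
AUDITING=0
PRI_AUDFILE=/var/.audit/audfile
SEC_AUDFILE=/var/.audit/audfile
PRI_SWITCH=1000
EOF
check_auditing_config "$good" && echo "$good: OK"
check_auditing_config "$bad" || echo "$bad: rejected"
```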

Disabling Auditing

To disable auditing on the system, follow these steps:

  1. Stop system auditing using the following command:

    # audsys -f
  2. Set the AUDITING flag to 0 in the /etc/rc.config.d/auditing file to prevent the auditing system from starting when the system is rebooted.

  3. (Optional) To stop the audomon daemon, enter:

    # kill `ps -e | awk '$NF ~ /audomon/ {print $1}'`

    Only use this step if you want to reconfigure the audomon daemon. To reconfigure and restart the audomon daemon, follow step 6 and step 7 as described in Section .

Monitoring Audit Files

To view, monitor, and administer the audit files, follow these steps:

  1. View the audit log files with the audisp command:

    # audisp audit_file

    See “Viewing Audit Logs” for details on using the audisp command.

  2. Set the audit log file monitor arguments in the /etc/rc.config.d/auditing file. Set the same values used in step 2.

  3. (Optional) Stop system auditing using the following command:

    # audsys -f

  4. (Optional) Set the AUDITING flag to 0 in the /etc/rc.config.d/auditing file to keep the auditing system from starting at the next system reboot.

Performance Considerations

Auditing increases system overhead. When performance is a concern, be selective about what events and users are audited. This can help reduce the impact of auditing on performance.

Guidelines for Administering the Auditing System

Use the following guidelines when administering the system:

  • Check the audit logs according to the security policy. An online audit file should be retained for at least 24 hours and all audit records stored offline should be retained for a minimum of 30 days.

  • Review the audit log for unusual activities, such as late-hours logins, login failures, failed access to system files, and failed attempts to perform security-relevant tasks.

  • Prevent the overflow of the audit file by archiving daily.

  • Revise current selectable events periodically, especially after installing new releases of HP-UX, since new system calls are often introduced in new releases.

  • Revise audited users periodically.

  • Do not follow any pattern or schedule for event or user selection.

  • Set site guidelines. Involve users and management in determining these guidelines.

  • If the audit data volume is expected to be high, configure audit trails on a logical volume consisting of multiple physical disks and multiple physical I/O cards. Use the -N option with the audsys command to split the audit trail into multiple files.

© 2008 Hewlett-Packard Development Company, L.P.