An event is an action with security implications,
such as creating a file, opening a file, or logging in to the system.
You can audit events on an HP-UX system to enhance security by detecting
possible breaches. However, the more events you choose to audit, the
more system resources are used and the greater the impact on system
performance. The security architect must determine which events to
audit based on business needs and any applicable government regulations.
The audevent command is used
to specify system activities (auditable events) that are to be audited.
Auditable events are classified into event categories and profiles
for easier configuration. Once an event category or a profile is
selected, all system calls and self-auditing events associated with
the event category or profile are selected. When the auditing system
is installed, a default set of event classification information is
provided in the /etc/audit/audit.conf file. Additional,
site-specific classifications and profiles may also be defined in
the /etc/audit/audit_site.conf file.
HP recommends that you audit the following events
at a minimum:
moddac self-auditing event
These events are predefined as the basic profile in the /etc/audit/audit.conf file.
Configure the events you want to audit before you
turn on the auditing system. The syntax for the audevent command is as follows:
The following options are commonly used with the audevent command:
Table 10-4 audevent Command Options
|-e event||Specifies an event to log|
|-F||Logs unsuccessful event
Displays a complete list of event
types and associated system calls
successful event operations
Specifies the profile of events to log.
Profiles are defined in the /etc/audit/audit.conf file.
|-S or -s system_call|
Change event or system call audit status
display the current status of the selected events or system
To configure admin, login, and modaccess for auditing,
enter the following command:
# audevent -P -F -e admin -e login -e moddac
To configure the events in the basic profile for
auditing, use the following command:
# audevent -P -F -r basic
Both Audit Success and Audit Failure are set as event
types for monitoring successful and failed events or system calls.
This is the minimum event type selection recommended for running a
Generally, a record is written only if both the
event is selected for auditing, and the user initiating the event
has been selected for auditing. However, it is expected that some
records may still be generated at the time user starts a session and
ends a session, even if the user is not selected for auditing. Those
records are considered system-wide information that are based on event
selection instead of user selection. Programs that do self-auditing
may make arbitrary decision to ignore the user selection, but this
is not recommended for self-auditing.