Re: Logging and Auditing of a HP-UX box



Matti;

You are the best !!!!

Many many thanks!

A Monk


Matti Juhani Kurkela wrote:
"a_monk" <dfox138@xxxxxxxxxxx> writes:

Basically, I am a Windows guy and am starting to learn Unix.

Would members of this group kindly tell me the auditing and logging
features/functions of HP-UX, what kind of logs they are (system,
application, security), methods to enable them, where they are stored
on the system, etc.?

There are two distinct logging systems on HP-UX: the
"Unix-traditional" syslog system and HP-UX specific audit log system.
You can expect the syslog system to be always enabled, but the audit
log system is not generally used unless there is a specific reason to
use it.

The location and content of the logs is administrator-definable, so I
will describe the factory default settings and the possibilities for
configuration.

1.) the syslog system

This is based on a process named "syslogd", which is started early at
system boot. It will create a named pipe /dev/log and a UNIX domain
socket /dev/log.un, which other processes can use to send log messages
to syslog. It can also receive syslog messages from other hosts using
UDP network port 514.

(Most applications have no need to know about these details: there is
a standard library function "syslog()" which encapsulates all the
actions required to send a log message to the local syslogd for
further processing. There is also a "logger" command which can be used
to send a message to the syslog from a normal shell script.)

All syslog messages consist of a level identifier, a facility
identifier and some free-form text.

The level identifier is one of the following, in decreasing order of
importance:
emerg, alert, crit, err, warning, notice, info, debug

The facility identifier is one of the following, in no particular
order:
kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron,
local0, local1, local2, local3, local4, local5, local6, local7

These identifiers can be used to select which messages get stored into
which logfile(s), displayed to the system console or to all users of
the system or sent to another server for non-local storage.

The syslogd process reads a configuration file /etc/syslog.conf, which
lists the log destinations (logfiles or remote syslog servers) and the
allowed level/facility combinations for each destination.

By default, HP-UX has a very limited set of syslog destinations:
there is only /var/adm/syslog/syslog.log for generic messages
(filtered so that only "significant" messages get stored) and a
special logfile /var/adm/syslog/mail.log for messages related to
email handling. In addition, there is a rule to send emergency
messages to all logged-in users and another that directs kernel
messages to the system console (where the administrator can presumably
read them).

2.) the audit log system

This can be configured using SAM, but there are also a slew of
commands (named aud*) to control the audit log system from the command
line.

The audit log system is disabled by default. When it is enabled, it
can log detailed information about users' actions (the names of files
read/written, the starting or stopping of processes and the like).
The full list of audit action categories is available via the command
"man 5 audit".

Because this system can easily create a huge amount of logging data if
misconfigured, you can choose which users' actions are audited. If a
server application provides a good level of logging by itself, it may
be useful to create an "application user" for the purpose of running
the application and disable or limit the audit logging for that user.

Usually, application-level logs are more "human-readable" than the
OS-level audit logs, simply because the application is more aware of
the purpose behind each OS-level action. A simple message like "user X
placed a new order of xxxx units of product yyy" is vastly more useful
than a long list of messages describing user X starting a program,
which then read a lot of files and then wrote into a few files.

The file /.secure/etc/audnames lists the names of the audit logfiles,
if the audit log system is enabled. The audit logfiles are in a binary
format: you must use the "audisp" command to view them.

--
Matti.Kurkela@xxxxxxxxx

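The selection mechanism Matti describes (facility.level selectors in /etc/syslog.conf deciding which destinations receive a message, plus the priority value that syslog()/logger put in front of the text) is easy to get wrong when you first write rules, so here is an added example that models it. This is constructed illustration code, not part of the original post and not HP-UX's syslogd: it supports only the "facility.level", "*" and "none" selector forms of BSD-style syslog.conf, and the sample configuration is an assumed layout built to mirror the default destinations the post lists, not a copy of a real HP-UX file.

```python
"""Constructed model of BSD/HP-UX style syslog routing (example code, not HP-UX's syslogd)."""
import re

# Levels in decreasing order of importance, as listed in the post.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Numeric facility codes used in the <PRI> field that syslog(3)/logger(1) prepend
# to a message on its way to syslogd (standard BSD/RFC 3164 numbering).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

# Assumed sample config mirroring the destinations described in the post.
# "*" as a target means "write to all logged-in users".
DEFAULT_CONF = """\
mail.debug          /var/adm/syslog/mail.log
*.info;mail.none    /var/adm/syslog/syslog.log
kern.*              /dev/console
*.emerg             *
"""


def encode_pri(facility, level):
    """PRI value a client sends: facility code * 8 + level index."""
    return FACILITIES[facility] * 8 + LEVELS.index(level)


def decode_pri(pri):
    """Recover (facility, level) from a PRI value; unknown facility codes are rejected."""
    fac_code, lvl = divmod(pri, 8)
    for name, code in FACILITIES.items():
        if code == fac_code:
            return name, LEVELS[lvl]
    raise ValueError(f"unknown facility code {fac_code}")


def parse_conf(text):
    """Parse 'selector<ws>target' lines into [(entries, target)], entries = [(facility, level)]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        selector, target = re.split(r"\s+", line, maxsplit=1)
        entries = []
        for part in selector.split(";"):          # a;b;c -> separate selectors
            facs, lvl = part.rsplit(".", 1)
            for fac in facs.split(","):           # auth,daemon.info -> two entries
                entries.append((fac, lvl))
        rules.append((entries, target))
    return rules


def rule_matches(entries, facility, level):
    """BSD semantics: later entries for the same facility override earlier ones,
    'none' excludes the facility, and a level selects that level and everything
    more important than it."""
    cutoff = None
    for fac, lvl in entries:
        if fac not in ("*", facility):
            continue
        if lvl == "none":
            cutoff = None
        elif lvl == "*":
            cutoff = len(LEVELS) - 1
        else:
            cutoff = LEVELS.index(lvl)
    return cutoff is not None and LEVELS.index(level) <= cutoff


def route(rules, facility, level):
    """All destinations that would receive a message of this facility/level."""
    return [target for entries, target in rules if rule_matches(entries, facility, level)]


if __name__ == "__main__":
    rules = parse_conf(DEFAULT_CONF)
    for fac, lvl in [("mail", "info"), ("auth", "debug"), ("kern", "emerg"), ("local0", "notice")]:
        print(f"<{encode_pri(fac, lvl)}> {fac}.{lvl:<8} -> {route(rules, fac, lvl)}")
```

Run it and note two things practitioners trip over: "mail.none" on the syslog.log line means mail traffic never reaches the generic log, only mail.log, and "*.info" silently drops anything at debug, which is why an application that logs at debug with the default config appears to log nothing at all.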


