The purpose of the auditing system is to record instances of access by subjects to objects and to allow detection of any (repeated) attempts to bypass the protection mechanism and any misuse of privileges, thus acting as a deterrent against system abuse and exposing potential security weaknesses in the system.

Summary of Change
What’s New for Customers Migrating from HP-UX 11i v1 September 2005?

The auditing system has been enhanced in a number of ways:

- The auditing subsystem now works without converting the system to trusted mode.
- In standard mode, per-user audit selection information is stored in the user database, which is similar to /tcb in trusted mode. Refer to the userdb(4) manpage.
- The userdbset command specifies which users are to be audited in standard mode. It is the equivalent of the audusr command in trusted mode. Refer to the userdbset(1M) manpage.
- A more flexible form of audit identity, the audit tag, is introduced; it uniquely identifies each login session and the responsible user. Two new libsec routines, getauduser() and setauduser(), manage audit tags and are analogous to the getaudid() and setaudid() system calls. Refer to the getauduser(3), setauduser(3), and audit(5) manpages.
- For applications that use PAM for authentication and session management, the pam_hpsec PAM module transparently sets the audit tag information. Refer to the pam_hpsec(5) manpage.
- A dedicated multi-threaded kernel audit daemon now logs the data into a configurable number of files for better performance. See the -N option in the audsys(1M) manpage.
- Collected audit data are more comprehensive.
- The data source for C2-level auditing and for the HIDS/9000 product is now unified, although the two are configured differently.
- The audisp output has been changed to be more self-descriptive and friendlier to text-processing tools.
- The audit overflow monitor daemon can now auto-switch audit trails and run an external command at each auto-switch point. See the audomon(1M) manpage.
- Audit events and profiles can be customized. See the audit.conf(4) manpage.
- The audit system now tries to track the current working directory and root directory of each process, and to report the full path name of a given file. See the audit_track_paths(5) manpage.
- Memory consumption for audit data is now configurable. See the audit_memory_usage(5) and diskaudit_flush_interval(5) manpages.
What’s New for Customers Migrating from HP-UX 11i v2 June 2006?

The auditing system has been enhanced in a number of ways:

- Standard mode auditing is now part of the core products.
- A dedicated multi-threaded kernel audit daemon now logs the data into a configurable number of files for better performance. See the -N option in the audsys(1M) manpage.
- Collected audit data are more comprehensive.
- The audisp output has been changed to be more self-descriptive and friendlier to text-processing tools.
- The audit overflow monitor daemon can now auto-switch audit trails and take an external command to run at each auto-switch point. See the audomon(1M) manpage.
- Audit events and profiles can be customized. See the audit.conf(4) manpage.
- The audit system now tries to track the current working directory and root directory of each process, and to report the full path name of a given file. See the audit_track_paths(5) manpage.
- Memory consumption for audit data is now configurable. See the audit_memory_usage(5) and diskaudit_flush_interval(5) manpages.
Impact

- You may run auditing without converting the system to trusted mode.
- You will see a difference in the audisp output. The displayed data is more comprehensive and self-descriptive, and friendlier to text-processing tools. You need to modify any applications or scripts that process audisp output.
- Each audit trail is now identified as a directory instead of a file when running in regular mode (see the -N option in the audsys(1M) manpage). You need to modify applications or scripts that handle audit trails as files, or force the audit system to use compatibility mode with the -N option.
- Audit overflow management now requires less manual intervention. See the -X option in the audomon(1M) manpage. You may write a script to run at each auto-switch point to archive or back up audit trails.
- You will experience less performance impact when turning on auditing.
Compatibility

- The audit commands audsys, audisp, audevent and audomon still work the same way, with a few new options added.
- The userdbset(1M) command is used to configure audited users in standard mode, instead of audusr(1M), which still works in trusted mode.
- Applications or scripts that handle each audit trail as a single file need to change to handle it as a directory. If this is not desired, turn on auditing with -N 0 (see the audsys(1M) manpage), known as compatibility mode. However, compatibility mode will be obsoleted in future releases after HP-UX 11i v3.
- Applications or scripts that process audisp output data need to change to handle the new format.
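The Impact section suggests running a script at each audomon auto-switch point to archive the trail that was just closed, and the Compatibility section notes that a trail is a directory in regular mode but a single file under -N 0. The following script is an added example, not HP's code, that handles both cases. It assumes audomon invokes the -X command with the path of the trail it has just switched away from as the first argument (check the audomon(1M) manpage on your system for the actual calling convention), and the default archive location /var/.audit/archive is an arbitrary choice for illustration.

```shell
#!/bin/sh
# audit_switch_archive.sh: illustrative hook for the audomon -X auto-switch
# point (added example, not HP's code). ASSUMPTION: audomon passes the path
# of the trail it has just switched away from as the first argument; check
# the audomon(1M) manpage on your system for the exact calling convention.
# Works whether the trail is a directory (regular mode, audsys -N > 0) or a
# single file (compatibility mode, audsys -N 0).

# Illustrative default; override with the ARCHIVE_DIR environment variable.
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/.audit/archive}

# archive_trail TRAIL [ARCHIVE_DIR]
# Packs TRAIL into ARCHIVE_DIR/<basename>.<timestamp>.tar, records a cksum
# of the archive beside it, and prints the archive path. Files are created
# readable by the owner only. Returns non-zero on any failure.
archive_trail() {
    trail=$1
    dest=${2:-$ARCHIVE_DIR}

    if [ ! -e "$trail" ]; then
        echo "archive_trail: no such trail: $trail" >&2
        return 1
    fi
    umask 077
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    # Absolute destination, because tar runs from the trail's parent dir
    # (tar -C is not portable across every tar implementation).
    dest=$(cd "$dest" && pwd) || return 1

    base=$(basename "$trail")
    parent=$(dirname "$trail")
    stamp=$(date +%Y%m%d%H%M%S)
    out="$dest/$base.$stamp.tar"

    # Never overwrite an earlier archive: an audit record silently replaced
    # is worse than a failed archive run.
    if [ -e "$out" ]; then
        echo "archive_trail: refusing to overwrite $out" >&2
        return 1
    fi

    # A directory trail (regular mode) and a file trail (compatibility mode)
    # both archive as a relative path under the trail's parent directory.
    ( cd "$parent" && tar -cf "$out" "$base" ) || return 1

    # Sanity check: every entry under the trail must appear in the archive.
    expected=$(find "$trail" | wc -l | tr -d ' ')
    actual=$(tar -tf "$out" | wc -l | tr -d ' ')
    if [ "$expected" -ne "$actual" ]; then
        echo "archive_trail: $out has $actual entries, expected $expected" >&2
        rm -f "$out"
        return 1
    fi

    # Integrity record so later tampering with the archive is detectable.
    cksum "$out" > "$out.cksum" || return 1
    chmod 600 "$out" "$out.cksum" || return 1
    echo "$out"
}

# verify_archive ARCHIVE
# Recomputes the archive's cksum and compares it with the stored record.
verify_archive() {
    arc=$1
    [ -f "$arc" ] && [ -f "$arc.cksum" ] || return 1
    stored=$(awk '{print $1, $2}' "$arc.cksum")
    current=$(cksum "$arc" | awk '{print $1, $2}')
    [ "$stored" = "$current" ]
}

# When run by audomon, archive the trail named on the command line.
if [ $# -gt 0 ]; then
    archive_trail "$1" "$ARCHIVE_DIR"
fi
```

The script runs as root under audomon, so it deliberately creates the archive directory and files with owner-only permissions and refuses to overwrite an existing archive. cksum is only a transport-integrity check, not a defence against a privileged attacker; for tamper evidence, copy the archive and its cksum record off the audited host.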
Performance

- A dedicated multi-threaded kernel audit daemon now logs the data into a configurable number of files. See the -N option in the audsys(1M) manpage. This results in better performance.
- The audit system now tracks the current working directory and root directory of each process. This results in a small performance degradation. See the audit_track_paths(5) manpage.
- Performance is also affected by the maximum memory allowed for storing audit data and by how often the kernel audit daemon flushes audit data to disk. See the audit_memory_usage(5) and diskaudit_flush_interval(5) manpages.
Documentation

For further information, refer to the following manpages: audit(5), audsys(1M), audevent(1M), audisp(1M), audomon(1M), audusr(1M), audit.conf(4), getauduser(3), setauduser(3), pam_hpsec(5).

Obsolescence
- HP-UX 11i v3 will be the last release to support trusted systems functionality, including the trusted-systems auditing commands (for example, audusr).
- Compatibility mode (-N 0) and the -x option of audsys are supported solely for backward compatibility and will be obsoleted in future releases after HP-UX 11i v3.
- The following auditable system call names are deprecated in HP-UX 11i v3: putpmsg(), setcontext(), nsp_init(), exportfs(), t64migration(), privgrp(). In HP-UX 11i v3, audevent and audisp still accept them as valid arguments but perform no action on them. After HP-UX 11i v3, audevent and audisp will reject these names with errors.
- The following auditable system calls were undocumented and are being renamed in HP-UX 11i v3: utssys(), _set_mem_window(), toolbox(), modadm(), spuctl(), __cnx_p2p_ctl(), __cnx_gsched_ctl(), mem_res_grp(), lchmod(), socket2(), socketpair2(), ptrace64(), ksem_open(), ksem_close(), ksem_unlink(). In HP-UX 11i v3, audevent and audisp still accept the old names and map them to the new names. After HP-UX 11i v3, audevent and audisp will reject the old names with errors.
- getaudid() and setaudid() are provided purely for backward compatibility. HP recommends that new applications use getauduser() and setauduser() instead. See the setauduser(3) manpage.
- getevent() and setevent() are provided purely for backward compatibility. HP recommends that new applications use the audevent command to get the events and system calls currently being audited. See the audevent(1M) manpage.
- audctl() is provided purely for backward compatibility. HP recommends that new applications use the audsys command to configure the auditing system. See the audsys(1M) manpage.