Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files (668 Views)
Advisor
Mohammed.Muneer
Posts: 29
Registered: 12-27-2009
Message 1 of 4 (668 Views)

Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files

Hello Team,

Please find the config file below and suggest which syscalls are important to monitor, and also how to enable auditing of destructive commands like rm, vi, etc. Is there any easy way to check the audit logs without going through audisp or redirecting the huge file to a text file and reading it?

:root>grep -v ^# /etc/rc.config.d/auditing
AUDITING=1
PRI_AUDFILE=/auditing/.secure/etc/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=*
SEC_SWITCH=0
AUDEVENT_ARGS1=" -P -F   -e create -e delete -e moddac -e modaccess -e open -e close -e process -e removable -e login -e admin -e ipcclose -e uevent1 -e exec -s exit -s fork -s open -s close -s creat -s link -s unlink -s execv -s chdir -s mknod -s chmod -s chown -s lchmod -s mount -s umount -s setuid -s stime -s ptrace -s kill -s setsid -s setpgrp -s setpgrp3 -s pipe -s setgid -s acct -s reboot -s symlink -s utssys -s execve -s umask -s chroot -s ulimit -s vfork -s mmap -s munmap -s setgroups -s setpgid -s setpgrp2 -s swapon -s setpriority -s settimeofday -s fchown -s fchmod -s setresuid -s setresgid -s rename -s truncate -s ftruncate -s mkdir -s rmdir -s setrlimit -s privgrp -s setprivgrp -s rtprio -s plock -s lockf -s semget -s semop -s msgget -s shmget -s shmat -s shmdt -s _set_mem_window -s nsp_init -s setdomainname -s vfsmount -s setacl -s fsetacl -s setaudid -s setaudproc -s setevent -s audswitch -s audctl -s fchdir -s shutdown -s semctl -s msgctl -s shmctl -s mpctl -s exportfs -s putpmsg -s adjtime -s fdetach -s serialize -s lchown -s sched_setparam -s sched_setscheduler -s clock_settime -s toolbox -s ftruncate64 -s lockf64 -s mmap64 -s setrlimit64 -s truncate64 -s setcontext -s setregid -s mlock -s munlock -s mlockall -s munlockall -s shm_open -s shm_unlink -s sigqueue -s mq_open -s mq_close -s mq_unlink -s ksem_open -s ksem_unlink -s ksem_close -s ttrace -s ptrace64 -s sendfile -s sendfile64 -s modload -s moduload -s modpath -s getksym -s modadm -s modstat -s spuctl -s acl -s __cnx_p2p_ctl -s __cnx_gsched_ctl -s mem_res_grp -s settune -s pset_create -s pset_destroy -s pset_assign -s pset_bind -s pset_setattr -s t64migration -s semtimedop -s audtag -s procxsec -s filexsec -s secrules -s umount2"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=" -p -f   -s accept -s access -s bind -s connect -s fattach -s fstat -s fstat64 -s getaccess -s lstat -s lstat64 -s socket -s socket2 -s socketpair -s socketpair2 -s stat -s stat64"
AUDOMON_ARGS="-p 20 -t 1 -w 90"

I also cannot see commands in audit logs !!!

################## Log Details #########################

120905 09:22:04 23799 S          71       13162     73          0          3          0          3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=mmap; User=uxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     RETURN_VALUE 1 = 1878843392;      PARAM #2 (int) = 8192      PARAM #4 (int) = 18      PARAM #5 (file desc) = 0x00000000 (idev);      0 (inum)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 S           6       13162     73          0          3          0          3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=close; User=uxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     RETURN_VALUE 1 = 0;      PARAM #1 (int) = 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 S          71       13162     73          0          3          0          3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=mmap; User=uxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     RETURN_VALUE 1 = 1878736896;      PARAM #2 (int) = 16384      PARAM #4 (int) = 18      PARAM #5 (file desc) = 0x00000000 (idev);      0 (inum)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 S          71       13162     73          0          3          0          3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=mmap; User=ux1xxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     RETURN_VALUE 1 = 1878839296;      PARAM #2 (int) = 160      PARAM #4 (int) = 18      PARAM #5 (file desc) = 0x00000000 (idev);      0 (inum)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 F           5       13162     73          0          3          0          3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=open; User=uxxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     ERRNO = 2; RETURN_VALUE 1 = -1;      PARAM #1 (file path) = 0 (cnode);      0x00000000 (dev);      0 (inode);      (path) = /usr/lib/nls/msg//audisp.cat      PARAM #2 (int) = 0      PARAM #3 (int) = 39608
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:04 23799 F           5       13162     73          0          3          0          3 pts/1 [ Effective privileges: "BASIC" ] [ Permitted privileges: "BASIC" ] [ Retained privileges: "BASIC" ] [ Event=open; User=uxxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     ERRNO = 2; RETURN_VALUE 1 = -1;      PARAM #1 (file path) = 0 (cnode);      0x00000000 (dev);      0 (inode);      (path) = /usr/lib/nls////audisp.cat      PARAM #2 (int) = 0      PARAM #3 (int) = 39608
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

##################################################################################

Regards

Advisor
Mohammed.Muneer
Posts: 29
Registered: 12-27-2009
Message 2 of 4 (627 Views)

Re: Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files

Hello Team,

Any update or any expert view ....

Regards,

Advisor
Mohammed.Muneer
Posts: 29
Registered: 12-27-2009
Message 3 of 4 (603 Views)

Re: Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files

Any update .....

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: 12-02-2001
Message 4 of 4 (596 Views)

Re: Reg: Audit the destructive commands in HPUX and any easy way to view huge audit log files

That's a very extensive auditing configuration. If you plan to run this all the time for all your users, you will probably need some automated way to post-process the audit logs to get anything meaningful out of the logs efficiently.

Personally, I'd say that running such an audit configuration in a modern multi-user production system is very likely hopeless without some serious post-processing of the logs: with that configuration, even the regular operation of your applications is going to generate a lot of audit logs.

For example, HP has a free application "HP HIDS" that can do some of the work for you: it includes some pre-designed monitoring templates for making sense of the HP-UX audit logs, but you must still tailor it for your use.

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

For HP-UX 11.31, there are also some other audit filtering & reporting tools that may be helpful:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AuditExt

If you want to look for the execution of commands, you should remember that shells usually implement some commands internally and find the rest as executable files using the PATH environment variable.

For the non-internal commands, the exec() family of syscalls is the important one. The parameters of the exec() system call should include the command being executed and its arguments.

But for internal commands, exec() will not be used: instead, the shell will make the appropriate system call directly. For example, the kill command is usually implemented as an internal command in shells. So the shell will not execute /usr/bin/kill, but instead will execute the kill() system call directly. To catch that in audit logs, you must monitor the kill syscall.

MK
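The kind of post-processing MK describes, as an added example that is not code from the thread, from HP or from the HIDS/AuditExt products: a POSIX sh/awk filter that reads audisp-style output, keeps only exec-family, file-removal and kill records (kill covering the shell-builtin case), and picks out the "(path) =" operand when a record has one. The sample records are constructed to follow the layout of the log pasted in the first post; their event-number column and PIDs are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reduce audisp-style HP-UX audit output
# to the records that show command execution or file destruction. Layout
# (header line, PARAM line(s), '~~~' separator) follows the log pasted above;
# assumes only POSIX sh and awk, as shipped with HP-UX 11.x.
# exec family = external commands; unlink/rmdir/rename = file removal;
# kill because shells issue kill() directly as a builtin (no exec involved).
WANTED="exec execve unlink rmdir rename kill"

# Reads a trail on stdin, prints: date time pid S|F event user path
filter_audit() {
    awk -v wanted="$WANTED" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
    function flush() {
        if (ev != "" && (ev in keep))
            printf "%s %s %s %s %s %s\n", ts, pid, ok, ev, user, (path == "" ? "-" : path)
        ts = pid = ok = ev = user = path = ""
    }
    # Header line: yymmdd hh:mm:ss pid S|F ... [ Event=...; User=...; ... ]
    $1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]$/ && $2 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
        flush(); ts = $1 " " $2; pid = $3; ok = $4
        if (match($0, /Event=[^;]*/)) ev = substr($0, RSTART + 6, RLENGTH - 6)
        if (match($0, /User=[^;]*/)) user = substr($0, RSTART + 5, RLENGTH - 5)
        next
    }
    # Parameter line: keep the file path operand when one is present
    match($0, /\(path\) = [^ ]+/) { path = substr($0, RSTART + 9, RLENGTH - 9) }
    /^~~~/ { flush() }
    END { flush() }'
}

# Constructed sample trail in the layout above (not a real audit trail)
sample_trail() {
    cat <<'EOF'
120905 09:22:04 23799 S  71  13162  73  0  3  0  3 pts/1 [ Effective privileges: "BASIC" ] [ Event=mmap; User=uxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     RETURN_VALUE 1 = 1878843392;      PARAM #2 (int) = 8192
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:09 23801 S  59  13162  73  0  3  0  3 pts/1 [ Effective privileges: "BASIC" ] [ Event=execve; User=uxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     RETURN_VALUE 1 = 0;      PARAM #1 (file path) = 0 (cnode);  0x00000000 (dev);  0 (inode);  (path) = /usr/bin/rm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:09 23801 S  10  13162  73  0  3  0  3 pts/1 [ Effective privileges: "BASIC" ] [ Event=unlink; User=uxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     RETURN_VALUE 1 = 0;      PARAM #1 (file path) = 0 (cnode);  0x00000000 (dev);  0 (inode);  (path) = /tmp/report.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120905 09:22:15 23799 F  37  13162  73  0  3  0  3 pts/1 [ Effective privileges: "BASIC" ] [ Event=kill; User=uxxxxx; Real Grp=sys; Eff.Grp=sys;  ]
     ERRNO = 1; RETURN_VALUE 1 = -1;      PARAM #1 (int) = 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF
}

# Real use: audisp /auditing/.secure/etc/audtrail | filter_audit
sample_trail | filter_audit
```

Against the sample trail this prints only the execve of /usr/bin/rm, the unlink of /tmp/report.txt and the failed kill; the mmap noise is dropped.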
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.