You can try this in your test server to get an idea how this works and how you can then review the logs.
There is several options. I suggest you check this on a test server 1st.
Yes you don’t have to convert the system to ‘trusted’ mode.
Here I give you an example how you can enable auditing and audit ‘root’ user.
Setup the auditing logfiles.# audsys -n -N 2 -c /var/.audit/auditing -s 1000 created audit trail directory: /var/.audit/auditing auditing system started Verify the above command:# audsys auditing system is currently on current trail: /var/.audit/auditing next trail: none statistics- afs Kb used Kb avail % fs Kb used Kb avail % current trail: 1000 90 91 8912896 7740272 13 next trail: none Auditing system is actively writing to 2 file(s).Next select a user for which end-user desires to track and create an audit trail of failed logins. For example, please select the root user.secweb a terminal-based gui method can be run or use the command-line to achieve this.# secwebUsing secweb here's the 1st screen shot:Auditing and Security Attributes Configuration -------------------------------------------------------------------------------- s - System Defaults - Configure system-wide values of security attributes l - Local Users - Configure per-user values of security attributes of local users e - Audit Events - Set audit state for events c - Audit System Calls - Set audit state for system calls d - View Audit Parmeters - View current audit monitor and log parameters v - View Audit Log - Filter and view contents of audit log Select l to go to the next screen which would display among other users, the root user as well:Auditing and Security Attributes Configuration-> Local Users -------------------------------------------------------------------------------- Displaying Local Users Name User Id User Values ====================================================================================================================================================== ... root 0 no <-- notice the value of "no" ... -------------------------------------------------------------------------------- x-Exit smh ESC-Back 1-Help /-Search ENTER-View Security Attributes m-Audit multiple users 2-userdb(4) Manpage Hit m to Audit multiple users .Scroll the cursor to the root user and select it by hitting the space bar, and hit a Audit selected users .The next screen will also show the command-line equivalent of achieving the above.Click ok and determine confirm success of the operation with this message:Command Successful press Enter Key to continue The next screen should now show up root as being setup to be audited:Auditing and Security Attributes Configuration-> Local Users ->Audit multiple users -------------------------------------------------------------------------------- Displaying Local Users Name User Id User Values ====================================================================================================================================================== > root 0 yes <-- notice the value of "yes" The command line equivalent for the above.#/usr/sbin/userdbset -u root AUDIT_FLAG=1 To confirm that the root user has been setup for auditing:# userdbget -u root root AUDIT_FLAG=1
Now use secweb again to select the Audit Events (e) first to select the events and then go to Audit System calls (c) and select appropriate system calls you
would like to audit.#secwebAuditing and Security Attributes Configuration -------------------------------------------------------------------------------- s - System Defaults - Configure system-wide values of security attributes l - Local Users - Configure per-user values of security attributes of local users e - Audit Events - Set audit state for events c - Audit System Calls - Set audit state for system calls d - View Audit Parmeters - View current audit monitor and log parameters v - View Audit Log - Filter and view contents of audit log Select e to go to the next screen which would display events that could be auditedUse m to audit multiple events and scroll and select all the events using spacebar
x-Exit smh s-Audit Success Only b-Audit Both Success and Failure ESC-Back /-SearchSPACE-Toggle Selection f-Audit Failure Only n-Audit Neither Success nor Failure 1-Help
Then you can choose any of the options that are given above to enable to disable event/syscall.
EXAMPLE:
In my case I enabled the event ‘delete’ and the audit syscall ‘rmdir’ to check if root deletes any directory.Then I created a directory called test and removed it using rmdir.
To view the logfiles created by the auditing subsystem:#audisp -u root
E.g: #audisp -u root -c rmdir /var/.audit/auditing > /tmp/rmdir.out# more /tmp/rmdir.outEvent: rmdirTime: Fri Dec 10 15:29:48 10 ISTPID: 292PPID: 26742User/Grp: 0/3(root/sys)Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)Effective privileges: "BASIC"Permitted privileges: "BASIC"Retained privileges: "BASIC"Audit tag: 0: -1:root:201012100857TTY: pts/1Return1: 0Arg 1 (file info): given path = "/test" inode = 594 device = 64, 0x3 mode = 040755 owner uid/gid = 0/3 type = directory
Similarly you can audit many events/syscall which you can view via secweb.This gives all the details you are looing for.
More details refer the man page of ‘audsys’ ‘audisp’ etcAlso check the admin guide.<http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01944073/c01944073.pdf>
No comments:
Post a Comment