To audit user creation, deletion and modification (via sam, chfn, chsh, usermod, useradd, userdel), the following should work very well. This was tested on HP-UX 11.31.
This does NOT require the new Auditing System Extensions bundle available for HP-UX 11.31. This relies on the ‘self-auditing’ functions, at the admin level, of some of the HP-UX commands.
The self-auditing explanation is below (from ‘man 5 audit’):
Self-auditing Programs
To reduce the amount of log data and to provide a higher-level recording of some typical system operations, a collection of privileged programs are given capabilities to perform self-auditing. This means that the programs can suspend the currently specified auditing on themselves and produce a high-level description of the operations they perform. These self-auditing programs are described in the following manpages: at(1), chfn(1), chsh(1), crontab(1), login(1), newgrp(1), passwd(1), audevent(1M), audisp(1M), audsys(1M), audusr(1M), cron(1M), groupadd(1M), groupdel(1M), groupmod(1M), init(1M), lpsched(1M), sam(1M), useradd(1M), userdel(1M), and usermod(1M).
There does not appear to be a comprehensive list of commands that self-audit at the ADMIN level. I have found through testing that the following appear to be the commands that do self-audit at this level: chfn, chsh, login, passwd, audevent, audisp, audsys, audusr, groupadd, groupdel, groupmod, useradd, userdel and usermod.
Since we will be auditing a limited number of commands, the audit files should not grow very fast unless you have an enormous amount of activity with regards to user modification, password changes, and group modifications.
To enable auditing of these functions, do the following:
1. Create a new rule in /etc/audit/audit.conf. This is a regular text file and can be edited with ‘vi’. Create a new line like the one below:
EVENT admin2= SELFAUD_EVENT admin
This category will just record audit events from programs that are self-auditing at the admin level.
2. Edit the /etc/rc.config.d/auditing file so it looks like the following:
AUDITING=1
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/var/.audit/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e admin2"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
The location of the audit files can be changed to whatever is required. With the limited set of actions being audited I would not expect the audit files to grow very fast.
An explanation of the arguments used for AUDEVENT_ARGS and AUDOMON_ARGS is given further down in this document.
3. Start auditing by doing:
/sbin/init.d/auditing start
4. Once auditing is running you can display the audit data with the ‘audisp’ command.
To create a viewable file of the audited info:
audisp /var/.audit/audfile1 > auditfile.txt
or
audisp /var/.audit/audfile2 > auditfile.txt
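Before trusting the trail, it is worth checking that the two files edited in steps 1 and 2 actually say what you intended: a missing -F silently drops every failed attempt, and a -e category with no matching rule in audit.conf selects nothing. The check below is an added example, not part of the original post; it takes the two file paths as arguments so it can be run against copies, and it assumes the VAR=value layout of /etc/rc.config.d/auditing and the "EVENT admin2= SELFAUD_EVENT admin" rule shown in step 1.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the auditing
# configuration described in steps 1 and 2 before relying on the audit trail.
# Assumes rc.config.d/auditing uses VAR=value lines and audit.conf carries an
# "EVENT <name>= SELFAUD_EVENT admin" rule; both paths are passed in.

# check_auditing_config RCFILE AUDITCONF
# Prints one PROBLEM line per issue found; returns 0 only when none.
check_auditing_config() {
    rc=$1; conf=$2; problems=0

    # value of VAR=... in the rc file, surrounding double quotes stripped
    _val() { sed -n "s/^$1=//p" "$rc" | tail -1 | sed 's/^"//; s/"$//'; }
    _fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ "$(_val AUDITING)" = "1" ] \
        || _fail "AUDITING is not 1: auditing will not start at boot"

    # both -P and -F are needed to see successful changes and failed attempts
    args=" $(_val AUDEVENT_ARGS1) "
    case "$args" in
        *" -P "*) ;;
        *) _fail "AUDEVENT_ARGS1 lacks -P: successful changes would not be recorded" ;;
    esac
    case "$args" in
        *" -F "*) ;;
        *) _fail "AUDEVENT_ARGS1 lacks -F: failed attempts would not be recorded" ;;
    esac

    # the category named by -e must exist as a self-audit rule in audit.conf
    evt=$(printf '%s' "$args" | sed -n 's/.* -e  *\([^ ]*\) .*/\1/p')
    if [ -z "$evt" ]; then
        _fail "AUDEVENT_ARGS1 has no -e <event>: nothing is selected for auditing"
    elif ! grep -q "^EVENT[[:space:]]*$evt[[:space:]]*=.*SELFAUD_EVENT" "$conf"; then
        _fail "audit.conf has no 'EVENT $evt= SELFAUD_EVENT ...' rule"
    fi

    # audomon can only switch trails if a distinct backup trail is configured
    pri=$(_val PRI_AUDFILE); sec=$(_val SEC_AUDFILE)
    [ -n "$pri" ] && [ -n "$sec" ] && [ "$pri" != "$sec" ] \
        || _fail "PRI_AUDFILE and SEC_AUDFILE must both be set and different"

    [ "$problems" -eq 0 ]
}

# Typical use on the live system (needs read access to both files):
#   check_auditing_config /etc/rc.config.d/auditing /etc/audit/audit.conf
```

Run it once after editing the files and again after any change to AUDEVENT_ARGS1; a non-zero exit with PROBLEM lines means the trail will be incomplete even though /sbin/init.d/auditing start succeeds.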
Examples of the audit records generated for some of the commands follow the AUDEVENT and AUDOMON argument explanations.
AUDEVENT_ARGS explanations (from ‘man 1m audevent’):
-P
Audit successful events
-F
Audit failed events
-e admin2
Audit only based on the admin2 rule above
AUDOMON_ARGS explanations (from ‘man 1m audomon’):
-p 20
-p fss
Specify the FileSpaceSwitch by a number ranging from 0 to 100. When the file system that contains the current audit trail has less than fss percent free space remaining, audomon looks for a backup audit trail. If available, the backup trail is designated as the new audit trail. If no backup trail is available, the auditing system creates a new audit trail with the same base name but a different timestamp extension and begins recording to it.
-t 1
-t sp_freq
Specify the wake-up switch-point frequency in minutes. The wake-up frequency is calculated based on sp_freq and the current capacity of the audit trail and the file system.
The calculated wake-up frequency at any time before the switch points is larger than sp_freq. As the size of the audit trail or the file system’s free space approaches the switch points, the wake-up frequency approaches sp_freq. sp_freq can be any positive real number.
The default sp_freq is 1 (minute).
-w 90
-w warning
Specify that warning messages be sent before the switch points. warning is an integer ranging from 0 through 100.
The higher the warning, the closer to the switch points warning messages are issued. For example, warning set to 50 causes warning messages to be sent half-way before the switch points are reached. warning set to 100 causes warning messages to be sent only after the designated switch points are reached and a switch is not possible due to a missing backup trail.
By default, warning is 90.
Note: The warning message is not sent if the audit trail size grows beyond the switch points in between two consecutive audomon wakeup intervals. In this case, audomon only performs the switch to next audit trail.
EXAMPLE AUDIT TRAIL INFORMATION
——————————————————————–
Event: admin
Time: Mon May 23 14:27:38 11 EDT
PID: 4706
PPID: 4288
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105231811
Audit session ID: 1
Command: passwd
Source: 0.0.0.0
TTY: pts/0
Error: 1
SELF-AUDITING TEXT:
User= pww123 uid=111 audid=35 Password or password attributes changed successfully
——————————————————————–
Event: admin
Time: Mon May 23 14:27:38 11 EDT
PID: 4706
PPID: 4288
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105231811
Audit session ID: 1
Command: passwd
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
User= pww123 passwd successfully changed
——————————————————————–
Event: admin
Time: Wed May 11 17:10:27 11 EDT
PID: 14698
PPID: 9964
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105111827
Audit session ID: 1
Command: userdel
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
A user with username=pww2 is deleted successfully
——————————————————————–
Event: admin
Time: Wed May 11 17:10:31 11 EDT
PID: 14701
PPID: 9964
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105111827
Audit session ID: 1
Command: useradd
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
A new user added successfully, username=pww111
uid=111 gid=20 shell=/sbin/sh home_dir=/home/pww111
comment=
audid=35 inactive=-1 expire=""
——————————————————————–
Event: admin
Time: Thu May 12 12:38:38 11 EDT
PID: 12481
PPID: 12163
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121630
Audit session ID: 1
Command: chfn
Source: 0.0.0.0
TTY: pts/2
Error: 1
SELF-AUDITING TEXT:
User= pww11 Attempt to change gecos information failed
——————————————————————–
Event: admin
Time: Thu May 12 12:38:59 11 EDT
PID: 12482
PPID: 12163
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121630
Audit session ID: 1
Command: chfn
Source: 0.0.0.0
TTY: pts/2
SELF-AUDITING TEXT:
User= pww111 gecos information successfully changed
——————————————————————–
Event: admin
Time: Thu May 12 12:46:12 11 EDT
PID: 12697
PPID: 12623
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121644
Audit session ID: 1
Command: groupadd
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
A new group added successfully
groupname=pwwgroup2 gid=106
group_members=
——————————————————————–
Event: admin
Time: Thu May 12 12:46:18 11 EDT
PID: 12706
PPID: 12623
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121644
Audit session ID: 1
Command: groupdel
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
A group with groupname=pwwgroup1 is deleted
successfully
——————————————————————–
Event: admin
Time: Thu May 12 12:46:56 11 EDT
PID: 12712
PPID: 12623
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121644
Audit session ID: 1
Command: groupmod
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
The group record of groupname=pwwgroup2 is modified
successfully
New_groupname=pww2
——————————————————————–
Event: admin
Time: Thu May 12 12:48:28 11 EDT
PID: 12765
PPID: 12623
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121644
Audit session ID: 1
Command: usermod
Source: 0.0.0.0
TTY: pts/0
Error: 1
SELF-AUDITING TEXT:
Attempt to modify a user record failed
——————————————————————–
Event: admin
Time: Thu May 12 12:48:35 11 EDT
PID: 12766
PPID: 12623
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121644
Audit session ID: 1
Command: usermod
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
The user record of user=pww111 is modified successfully
New_username=pww123
——————————————————————–
Event: admin
Time: Thu May 12 12:49:30 11 EDT
PID: 12898
PPID: 12897
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:root:201105121644
Audit session ID: 1
Command: usermod
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
The user record of user=pww123 is modified successfully
home_dir=/home/pww123
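The multi-line records that audisp prints (step 4 above) are easy to read by eye but awkward to grep or ship to a log collector, and a failed attempt is only distinguishable by the presence of an "Error:" line. The script below is an added example, not part of the original post: it reduces each record to one line carrying the time, command, user/group, TTY, result and the self-auditing text, so that failed chfn/usermod attempts can be pulled out with a single grep. It assumes the record layout shown in the examples above and that records are separated by a line of hyphens (the dash rule in the examples); the two sample records embedded in it are constructed for the demonstration, modelled on the chfn and useradd records above.

```shell
#!/bin/sh
# Added example (not from the original post): flatten audisp(1M) output to one
# line per event. Assumes the field names shown in the examples above and a
# line of hyphens between records.

# summarize_audit: read audisp text on stdin; write one line per record as
#   <time>|<command>|<user/grp>|<tty>|<SUCCESS or FAILED(err=N)>|<self-auditing text>
summarize_audit() {
    awk '
    function flush() {
        if (cmd != "") {
            if (err == "") result = "SUCCESS"
            else            result = ("FAILED(err=" err ")")
            gsub(/^[ \t]+|[ \t]+$/, "", text)
            printf "%s|%s|%s|%s|%s|%s\n", tm, cmd, ug, tty, result, text
        }
        tm = cmd = ug = tty = err = text = ""; intext = 0
    }
    /^-+$/                 { flush(); next }            # record separator
    /^Time:/               { sub(/^Time:[ \t]*/, ""); tm = $0; next }
    /^Command:/            { cmd = $2; next }
    /^User\/Grp:/          { ug = $2; next }
    /^TTY:/                { tty = $2; next }
    /^Error:/              { err = $2; next }           # present only on failures
    /^SELF-AUDITING TEXT:/ { intext = 1; next }
    intext                 { text = (text == "") ? $0 : text " " $0 }  # may span lines
    END                    { flush() }
    '
}

# failed_audit_events: only the records that carry an Error: line
failed_audit_events() { summarize_audit | grep '|FAILED('; }

# Constructed sample input, modelled on the chfn and useradd records above.
SAMPLE_AUDISP='--------------------------------------------------------------------
Event: admin
Time: Thu May 12 12:38:38 11 EDT
PID: 12481
PPID: 12163
User/Grp: 0/3(root/sys)
Command: chfn
Source: 0.0.0.0
TTY: pts/2
Error: 1
SELF-AUDITING TEXT:
User= pww11 Attempt to change gecos information failed
--------------------------------------------------------------------
Event: admin
Time: Wed May 11 17:10:31 11 EDT
PID: 14701
PPID: 9964
User/Grp: 0/3(root/sys)
Command: useradd
Source: 0.0.0.0
TTY: pts/0
SELF-AUDITING TEXT:
A new user added successfully, username=pww111
uid=111 gid=20 shell=/sbin/sh home_dir=/home/pww111
comment=
audid=35 inactive=-1 expire=""'

# summarize_sample: the sample above, flattened
summarize_sample() { printf '%s\n' "$SAMPLE_AUDISP" | summarize_audit; }

# Live use: audisp /var/.audit/audfile1 | summarize_audit
#           audisp /var/.audit/audfile1 | failed_audit_events
```

Piping the live trail through summarize_audit gives one line per user, group or password change that can be appended to a central log; failed_audit_events is the line to watch, since repeated FAILED records for passwd or chfn from the same TTY are the kind of thing the self-auditing was enabled to catch.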
Source: http://serviceitdirect.com/blog/auditing-hp-ux-user-creation-deletion-and-modification
Tags: HP-UX