
InTrust 11.4.1 - Preparing for Auditing and Monitoring HP-UX

Tracking Security Incidents

You want to receive daily information about possible security issues in your environment, such as brute force attack attempts.

You can achieve this by scheduling gathering and reporting jobs with InTrust.

Take the following steps:

  1. Make sure that syslogd is running.
  2. Create an InTrust task that gathers Syslog events from the appropriate site (gathering job) and builds reports based on the gathered data (reporting job). The resulting reports are stored in the local folder that is specified during InTrust installation (for details, see the Specifying reporting settings section in Installing the First Server in InTrust Organization in the InTrust Deployment Guide).
  3. A good report for this scenario is “HP-UX Multiple failed login attempts”.
  4. It is up to you whether you want to store the gathered data in an InTrust repository. You can also include a notification job to get notified of task completion.
  5. Schedule the task to run every morning at a convenient time.

Data Collected from Audit Log

This topic describes the format that Audit log data is stored in. Native tools are used for converting Audit log to text, and the text entries are transformed into event records for the repository or audit database. Each event record has a fixed number of fields, which are described in the following table. These fields are always present, even if their values are empty.

Field               | Details
--------------------|---------------------------------------------------------------
EventID             | Event ID
EventType           | Success (0x0008) or failure (0x0010)
UserName            | The user that generated the event
Description         | The body of the event
Insertion String #1 | Process ID (PID)
Insertion String #2 | Parent process ID (PPID)
Insertion String #3 | Audit ID (AID): ID assigned to the initiator account by the audit system and found in all events that this account generates
Insertion String #4 | Real UID (RUID): UID of the user that initially logged into the system
Insertion String #5 | Real GID (RGID): GID of the user that initially logged into the system
Insertion String #6 | Effective UID (EUID): UID of the initiator account at the time of the event; the effective UID may have changed since the user initially logged in
Insertion String #7 | Effective GID (EGID): GID of the initiator account at the time of the event; the effective GID may have changed since the user initially logged in
Insertion String #8 | Number of the TTY device where the event was generated
Insertion String #9 | String description of the event
Insertion String #10 | String description of the real GID (specified by Insertion String #5)
Insertion String #11 | String description of the effective GID (specified by Insertion String #7)
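The following Python example, added here and not part of InTrust or its HP-UX agent, ties the two topics on this page together: it models an event record with the fixed fields and eleven insertion strings from the table above, parses records from a constructed tab-separated text layout (the real native-tool output format is not shown on this page, so that layout, the function names and the sample records are assumptions), and then runs the kind of check the "HP-UX Multiple failed login attempts" report performs, counting failure-type events (EventType 0x0010) per user and also listing events where the effective UID no longer matches the real UID.

```python
"""Model of the Audit log event record described above, plus a small
detection routine run over constructed sample records.

Added example, not InTrust's own code. The field layout follows the table
on this page (EventType 0x0008 = success, 0x0010 = failure, insertion
strings #1..#11); the tab-separated text format, the helper names and the
sample records are assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EVENT_SUCCESS = 0x0008  # EventType values from the table
EVENT_FAILURE = 0x0010


@dataclass
class AuditEvent:
    """One event record: four fixed fields plus insertion strings #1..#11.

    Insertion strings live in a list indexed 1..11 (index 0 unused) so the
    code reads like the table. Empty values stay as empty strings, matching
    the note that every field is present even when its value is empty.
    """
    event_id: int
    event_type: int
    user_name: str
    description: str
    insertions: List[str] = field(default_factory=lambda: [""] * 12)

    @property
    def pid(self) -> str:       # Insertion String #1
        return self.insertions[1]

    @property
    def ruid(self) -> str:      # Insertion String #4, real UID
        return self.insertions[4]

    @property
    def euid(self) -> str:      # Insertion String #6, effective UID
        return self.insertions[6]

    @property
    def tty(self) -> str:       # Insertion String #8
        return self.insertions[8]


def parse_record(line: str) -> AuditEvent:
    """Parse one text record in the constructed layout assumed here:
    EventID, EventType (hex), UserName, Description, then insertion
    strings #1..#11, tab-separated, 15 columns in all."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != 15:
        raise ValueError(f"expected 15 fields, got {len(cols)}")
    insertions = [""] + cols[4:]          # shift so #1 sits at index 1
    return AuditEvent(int(cols[0]), int(cols[1], 16), cols[2], cols[3], insertions)


# Constructed sample records (not real HP-UX audit output).
SAMPLE_RECORDS = [
    "1001\t0x0010\tjdoe\tlogin failed\t4120\t1\t501\t501\t20\t501\t20\tpts/2\tlogin\tusers\tusers",
    "1001\t0x0010\tjdoe\tlogin failed\t4121\t1\t501\t501\t20\t501\t20\tpts/2\tlogin\tusers\tusers",
    "1001\t0x0010\tjdoe\tlogin failed\t4122\t1\t501\t501\t20\t501\t20\tpts/2\tlogin\tusers\tusers",
    "1001\t0x0008\tjdoe\tlogin ok\t4123\t1\t501\t501\t20\t501\t20\tpts/2\tlogin\tusers\tusers",
    "2002\t0x0008\tasmith\tsu to root\t5100\t4998\t502\t502\t20\t0\t0\tpts/3\tsu\tusers\troot",
    "1001\t0x0010\tasmith\tlogin failed\t5101\t1\t502\t502\t20\t502\t20\tpts/3\tlogin\tusers\tusers",
]


def failures_per_user(events: List[AuditEvent]) -> Dict[str, int]:
    """Count failure-type events (EventType 0x0010) by UserName."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.event_type == EVENT_FAILURE:
            counts[ev.user_name] += 1
    return dict(counts)


def users_with_repeated_failures(events: List[AuditEvent], threshold: int = 3) -> List[str]:
    """Users whose failure count reaches the threshold: the condition the
    multiple-failed-login report surfaces for daily review."""
    return sorted(u for u, n in failures_per_user(events).items() if n >= threshold)


def effective_uid_changes(events: List[AuditEvent]) -> List[Tuple[str, str, str]]:
    """(UserName, RUID, EUID) for events where the effective UID differs from
    the real UID, i.e. the account changed identity after logging in."""
    return [(ev.user_name, ev.ruid, ev.euid) for ev in events if ev.ruid != ev.euid]


if __name__ == "__main__":
    evs = [parse_record(line) for line in SAMPLE_RECORDS]
    print("failures per user:", failures_per_user(evs))
    print("repeated failures:", users_with_repeated_failures(evs))
    print("EUID != RUID:", effective_uid_changes(evs))
```

The threshold of three failures is a placeholder; in practice it is tuned to the environment, and the report produced by the scheduled reporting job is where the reviewed numbers come from.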
