audenable
Trusted HP-UX comes with a complete auditing subsystem that can trace, down to the system call level, what your users and applications are doing. The audit trail can serve as evidence after an intrusion, or be fed to scripts that raise alerts on specific activities.
Unfortunately, auditing is only switched on for an interactive user by the login program (login(1)), which sets the per-process audit flag that every process in the session then inherits. That works when you telnet or FTP into your server, but not when you use SSH.
HP-UX Secure Shell (i.e. OpenSSH) does not go through login(1), and this makes the auditing subsystem useless for SSH sessions. Enabling UseLogin in sshd_config brings some other problems which I don't remember; I think one of them is X11 forwarding that no longer works. HP does not seem to be willing to fix this because they now favor HP-IDS over the auditing subsystem. However, IDS is not ready for prime time in my opinion and is not scriptable, while the auditing subsystem is.
audenable is a setuid C program that switches on the AUD_PROC flag (the same per-process audit flag login(1) sets) and forks a new shell, which inherits the flag. By calling it from /etc/profile, you enable auditing for every interactive user whose shell reads that file. Shells that do not read /etc/profile (csh, for instance) and non-interactive SSH commands such as scp or "ssh host command", which do not start a login shell, are not covered.
audenable has been developed and tested on HP-UX 11i (11.11) only.
audenable is released under the GPL.
1. Grab the source here: audenable.c
2. Use GCC to compile it:
# gcc -O3 -o audenable audenable.c
3. Copy audenable to /usr/local/bin and put a setuid bit on it:
# cp audenable /usr/local/bin
# chown root:sys /usr/local/bin/audenable
# chmod 4755 /usr/local/bin/audenable
4. Put this chunk of code at the beginning of /etc/profile:
# Once audenable is executed, the environment variable
# AUDENABLE=1 is set. This prevents re-executing audenable
# in a loop when /etc/profile is sourced in the new shell
set +u
if [ -x /usr/local/bin/audenable -a ! "$AUDENABLE" = "1" ]
then
    /usr/local/bin/audenable
fi
Note that this guard trusts whatever AUDENABLE the session arrives with. If sshd is configured to accept user-supplied environment variables, a user can log in with AUDENABLE=1 already set, the test fails, and the wrapper is never run; keep that option off on an audited host.
