Although it is the security administrator's
job to monitor the system for possible intrusions, you can help the
security administrator to audit access to your account and files.
This section describes how to monitor your last
login time for possible intrusions. It also describes how to work
with your security administrator to enable certain types of auditing.
Observing Your Last Login Time
The operating system maintains information in
your UAF record about the last time you logged in to your account.
Your security administrator decides whether the system should display
this information at login time. Sites with medium to high security
requirements frequently display this information and ask users to
check it for unusual or unexplained successful logins and unexplained
If there is a report of an interactive or a noninteractive
login at a time when you were not logged in, report it promptly to
your security administrator. Also change your password. The security
administrator can investigate further by using accounting files and
If you receive a login failure message and cannot
account for the failure, it is likely that someone has been trying
to access your account unsuccessfully. Check your password to ensure
that it adheres to all recommendations for password security described
in “Guidelines for Protecting Your Password”. If not, change your password immediately.
If you expect to see a login failure message and
it does not appear or if the count of failures is too low, change
your password. Report either of these indications of login failure
problems to your security administrator.
Adding Access Control Entries to Sensitive Files
If you have key files that may have been accessed
improperly, you may want to develop a strategy with your security
administrator to audit access to the files.
Once you review the situation and ensure that
you have done everything possible to protect your files with standard
protection codes and general ACLs (described in “Protecting Data”), you
may conclude that security auditing is required.
To specify security auditing, you can add special
access control entries (ACEs) to files you own or to which you have
control access. Keep in mind, however, that the audit log file is
a systemwide mechanism, so HP recommends that a site security administrator
control the use of file auditing. Although you can add auditing ACEs
to files over which you have control, the security administrator has
to enable auditing of files on a system level.
For example, if user RWOODS and his security administrator
agree that they must know when a highly confidential file, CONFIDREVIEW.MEM,
is being accessed, RWOODS can add an entry to the existing ACL for
the file CONFIDREVIEW.MEM, as follows:
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
After RWOODS adds the security-auditing entry,
the security administrator enables file-access auditing so that access
attempts are recorded. See “Auditing File Access” for more information on file-access
An access violation of one file frequently indicates
access problems with other files. Therefore, the security administrator
may need to monitor access to all key files having security-auditing
ACEs. When undesired access is gained to key files, the security administrator
must take immediate action.
Asking Your Security Administrator to Enable Auditing
A security administrator can direct the operating
system to send an audit message to the system security audit log file
or an alarm to terminals enabled as security operator terminals whenever
security-relevant events occur. For example, the security administrator
might identify one or more files for which write access is prohibited.
An audit message can be sent to indicate attempted access to these
If you suspect intrusion attempts to your account,
the security administrator may temporarily enable auditing for all
file access. The security administrator can also enable auditing to
monitor read access to your files to catch file browsers.
For example, assume you decide to audit the file
CONFIDREVIEW.MEM, which has a security-auditing ACE (see “Adding Access Control Entries to Sensitive Files”). If user
ABADGUY accesses CONFIDREVIEW.MEM and has delete access, the following
audit record is written to the system security audit log file:
%%%%%%%%%%% OPCOM 6-DEC-2008 07:21:11.10 %%%%%%%%%%%
Message from user AUDIT$SERVER on BOSTON
Security audit (SECURITY) on BOSTON, system id: 19424
Auditable event: Attempted file access
Event time: 6-DEC-2008 07:21:10.84
Image name: BOSTON$DUA0:[SYS0.SYSCOMMON.][SYSEXE]DELETE.EXE
Object name: _BOSTON$DUA1:[RWOODS]CONFIDREVIEW.MEM;1
Object type: file
Access requested: DELETE
Status: %SYSTEM-S-NORMAL, normal successful completion
Privileges used: SYSPRV
The auditing message reveals the name of the perpetrator,
the method of access (successful deletion accomplished by using the
program [SYSEXE]DELETE.EXE), time of access (7:21 a.m.), and the use
of a privilege (SYSPRV) to gain access to the file. With this information,
the security administrator can take action.
Note that the security audit message is written
to the security audit log file every time any file is accessed and
meets the conditions specified in the audit entry of the ACL for that
file (see “Adding Access Control Entries to Sensitive Files”). Access to the file CONFIDREVIEW.MEM, as well as access to any
file on the system that is protected with security auditing, prompts
an audit record to be written to the security audit log file.
After auditing has been introduced, check with
your security administrator periodically to see if any additional
intrusions have occurred.
Additional Events to Audit
In addition to file auditing, the security administrator
can select other types of events that warrant special attention when
they occur. Events triggering an audit or alarm may include the following:
|Events Initiating Security
Audits or Alarms|
logouts, login failures, and break-in attempts Volume mounts and dismounts
to: System and user passwords System time System authorization file
Network proxy file Rights database SYSGEN parameters
or termination of logical links
Execution of: SET AUDIT command NCP commands
and deletion of selected protected objects
Installation of images
types of access and deaccess to selected protected objects
Access event requested by an ACL on a protected object
unsuccessful use of a privilege or an identifier
Use of the process control system services, including
$CREPRC and $DELPRC