Chapter 6. Administering the System Audit Trail

The system audit trail is a feature that allows the system administrator or auditor to review a record of all system activity. The ongoing record shows general trends in system usage and also violations of your system use policy. For example, any unsuccessful attempts to use system resources can be recorded in the audit trail. If a user consistently attempts to access files owned by other users, or attempts to guess passwords, this can be recorded in the audit trail. The system administrator or auditor can monitor all system activity through the audit trail.

The satconfig utility is documented in the IRIX Admin: Backup, Security, and Accounting Guide , but is not present in Trusted IRIX/CMW. Use the sat_select utility to change the selected auditing events.

Topics described in this chapter include:

Audit Events in Trusted IRIX/CMW

A list of system audit trail events is described in the guide titled IRIX Admin: Backup, Security, and Accounting .

Auditing Unexpected Use of Privilege

Trusted IRIX/CMW has policies implemented that are not present in standard IRIX. Because of this, the unexpected use of privilege is of special concern to the auditor of a Trusted IRIX/CMW system. Every interpreted audit record contains a line beginning with the audit event type. The field following this keyword can be equal to one of “Success,” “Failure,” or “Success due to privilege.” The last case indicates that the user made a system call that would have failed except that superuser privilege was invoked to assure its successful completion. This is not necessarily a security violation or an unexpected use of system privilege. It is perfectly normal to see these outcomes.

When an ordinary user runs a program that contains code that uses system privilege, “Success due to privilege” outcomes are generated. A good example of this kind of program is passwd. An ordinary user generates a record of this type simply by changing the password on his or her account. Records of this type are also generated when users use capabilities to edit system files.

One type of record to look for is an instance where the “SAT ID” or “Effective ID” field is different from the “User ID” field. This occurs when a user executes /bin/su to gain privileges or otherwise promotes the privilege level of a session. In most cases, this is not a security violation, since the capability is necessary to successfully complete the /bin/su command.

An instance of using superuser privilege, though, is always worth examination in the audit trail. When you encounter an instance where a user has promoted his or her login session, you should check to see that the user is authorized to have the capability. If not, check whether the user indeed executed the /bin/su command, or if he or she promoted the privilege of the session by some other means, such as a Trojan Horse setuid shell command.

Whenever a user promotes the privilege of his or her login session, the auditor should also make a routine check of what actions the user took while the privilege was promoted.