Operating System - HP-UX
Viktor Balogh
Honored Contributor

Audit trail doesn't rotate

Hi All,

I have a question regarding audit trail location. Our system is an HP-UX 11.31, the March 2011 QPK is installed. The audit subsystem is set to change the trail file every 10MB, yet it doesn't seem to change and I end up with a minus percentage in the o/p of audsys:

cldbpr1:/var/adm# audsys
auditing system is currently on
current trail: /var/.audit/audtrail.20110829_1914
next    trail: none
statistics-     afs Kb  used Kb  avail %    fs Kb  used Kb  avail %
current trail:    10240    12062      -17 39321600 31537632       20
next    trail: none

auditing system is actively writing to 1 file(s)
cldbpr1:/var/adm#

The audit subsystem was restarted recently after the trail file was too large. Is this a known bug or something?

Thank you for any ideas that help solve this problem.

Regards,
Viktor

****
Unix operates with beer.
Viktor Balogh
Honored Contributor

Re: Audit trail doesn't rotate

This is from /etc/rc.config.d/auditing; I have only a single audfile specified, and 10MB as the switch parameter.

# grep -v ^# /etc/rc.config.d/auditing

AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=/var/.audit/audtrail
SEC_SWITCH=10240
AUDEVENT_ARGS1=" -P -F   -e moddac -e login -e admin -s chmod -s chown -s .chmod_link -s stime -s acct -s reboot -s .set_sys_info -s umask -s swapon -s settimeofday -s fchown -s fchmod -s setrlimit -s .priv_grp_ctl -s plock -s semop -s .setmemwindow -s setdomainname -s setacl -s fsetacl -s setaudid -s setaudproc -s setevent -s audswitch -s audctl -s mpctl -s adjtime -s serialize -s lchown -s sched_setparam -s sched_setscheduler -s clock_settime -s .perf_tool_ctl -s setrlimit64 -s modload -s moduload -s modpath -s getksym -s .kernel_module_ctl -s modstat -s .processor_ctl -s acl -s .p2p_bcopy_ctl -s .gang_sched_ctl -s .mrgctl -s settune -s pset_assign -s pset_bind -s pset_setattr -s pset_ctl -s __pset_rtctl -s .perf_ctl -s semtimedop -s .audit_tag_ctl -s .postwait_ctl -s .setaudevent -s .procsm_setop -s .cachefsstat -s swapctl -s .audit_ctl -s .proc_mgmt_ctl -s .cell_olstar_lock -s .cell_olstar_specify -s .cell_olstar_backout -s .cell_olstar_unlock -s .cell_olstar_operate"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=" -p -f   -s .cmpt_rules -s .file_sec_ctl -s .proc_sec_ctl -s .sendfile_by_name -s accept -s access -s bind -s chdir -s chroot -s close -s connect -s creat -s execv -s execve -s exit -s fattach -s fchdir -s fcntl -s fdetach -s fork -s fstat -s fstat64 -s ftruncate -s ftruncate64 -s getaccess -s kill -s link -s lockf -s lockf64 -s lstat -s lstat64 -s mkdir -s mknod -s mlock -s mlockall -s mmap -s mmap64 -s mount -s mq_close -s mq_open -s mq_unlink -s msgctl -s msgget -s munlock -s munlockall -s munmap -s open -s pipe -s pset_create -s pset_destroy -s ptrace -s recv -s recvfrom -s recvmsg -s rename -s rmdir -s rtprio -s sem_close -s sem_open -s sem_unlink -s semctl -s semget -s send -s sendfile -s sendfile64 -s sendmsg -s sendto -s setgid -s setgroups -s setpgid -s setpgrp -s setpgrp3 -s setpriority -s setregid -s setresgid -s setresuid -s setsockopt -s setuid -s shm_open -s shm_unlink -s shmat -s shmctl -s shmdt -s shmget -s shutdown -s sigqueue -s socket -s socketpair -s stat -s stat64 -s symlink -s truncate -s truncate64 -s ttrace -s ulimit -s umount -s umount2 -s unlink -s vfork -s vfsmount"
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
#

 

****
Unix operates with beer.
James R. Ferguson
Acclaimed Contributor
Solution

Re: Audit trail doesn't rotate

@Viktor Balogh wrote:

This is from /etc/rc.config.d/auditing; I have only a single audfile specified, and 10MB as the switch parameter.

# grep -v ^# /etc/rc.config.d/auditing
AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=/var/.audit/audtrail
SEC_SWITCH=10240
...

Viktor:

I suspect that the fact that the names of the primary and secondary audit files are the *same* is the problem. You may be doing a no-op switch.

Matti had an excellent post recently regarding audit file switches here:

http://h30499.www3.hp.com/t5/Security/Auditing-Why-does-the-auditing-log-files-continues-to-grow/m-p/5311801#M18809

Regards!

...JRF...
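
A check for exactly this misconfiguration, written as an added example for this thread (not HP's code): it reads the KEY=VALUE lines of /etc/rc.config.d/auditing and reports when SEC_AUDFILE names the same file as PRI_AUDFILE, the no-op switch James describes. The two sample configurations are constructed from the values quoted in the thread; the function names and the use of mktemp are this example's own.

```shell
#!/bin/sh
# Check an HP-UX /etc/rc.config.d/auditing fragment for the no-op trail
# switch diagnosed in this thread: SEC_AUDFILE naming the same file as
# PRI_AUDFILE. Example code written for this thread, not an HP tool.

# Print the last value assigned to KEY in a KEY=VALUE file, minus quotes.
audit_cfg_get() {
    # $1 = config file, $2 = key
    sed -n "s/^$2=//p" "$1" | sed 's/^"//; s/"$//' | tail -n 1
}

# Report whether the configured trail switch can actually rotate.
# Exit status: 0 = ok, 1 = same-name no-op switch, 2 = PRI_SWITCH is 0.
audit_switch_check() {
    cfg="$1"
    pri=$(audit_cfg_get "$cfg" PRI_AUDFILE)
    sec=$(audit_cfg_get "$cfg" SEC_AUDFILE)
    pri_sw=$(audit_cfg_get "$cfg" PRI_SWITCH)
    sec_sw=$(audit_cfg_get "$cfg" SEC_SWITCH)
    if [ "${pri_sw:-0}" -eq 0 ]; then
        echo "PRI_SWITCH=0: the primary trail will never switch"
        return 2
    fi
    if [ "$pri" = "$sec" ] && [ "${sec_sw:-0}" -ne 0 ]; then
        echo "SEC_AUDFILE equals PRI_AUDFILE ($pri): switch is a no-op," \
             "trail keeps growing past ${pri_sw} KB"
        return 1
    fi
    echo "ok"
}

# Constructed samples: the configuration posted at the top of the thread
# and the corrected one Viktor posted after James's reply.
WORK=$(mktemp -d)
BROKEN_CFG="$WORK/auditing.broken"
FIXED_CFG="$WORK/auditing.fixed"
cat >"$BROKEN_CFG" <<'EOF'
AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=/var/.audit/audtrail
SEC_SWITCH=10240
EOF
sed 's|^SEC_AUDFILE=.*|SEC_AUDFILE=*|; s|^SEC_SWITCH=.*|SEC_SWITCH=0|' \
    "$BROKEN_CFG" >"$FIXED_CFG"

audit_switch_check "$BROKEN_CFG" || echo "  (exit status $?)"
audit_switch_check "$FIXED_CFG"
```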

Viktor Balogh
Honored Contributor

Re: Audit trail doesn't rotate

Hi James,

Good point, this time I overlooked that one. The audsys output stated that the next trail is "none". This is a complicated case as I don't even have remote access...

I will comment out the SEC_AUDFILE and SEC_SWITCH part and give feedback...

Thanks,
Viktor

****
Unix operates with beer.
Viktor Balogh
Honored Contributor

Re: Audit trail doesn't rotate

James,

Thank you for pointing out the error in the audit configuration. Now the setup looks like this:

PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=*
SEC_SWITCH=0

It works as expected:

cldbpr1:/# audsys
auditing system is currently on
current trail: /var/.audit/audtrail.20110907_1105
next    trail: none
statistics-     afs Kb  used Kb  avail %    fs Kb  used Kb  avail %
current trail:    10240     7144       30 39321600  6513248       83
next    trail: none

auditing system is actively writing to 1 file(s)
cldbpr1:/#  ls -lrtd /var/.audit/audtrail* | tail
drwx------   2 root       sys             96 Sep  7 08:55 /var/.audit/audtrail.20110907_0855
drwx------   2 root       sys             96 Sep  7 09:10 /var/.audit/audtrail.20110907_0910
drwx------   2 root       sys             96 Sep  7 09:25 /var/.audit/audtrail.20110907_0925
drwx------   2 root       sys             96 Sep  7 09:40 /var/.audit/audtrail.20110907_0940
drwx------   2 root       sys             96 Sep  7 09:54 /var/.audit/audtrail.20110907_0954
drwx------   2 root       sys             96 Sep  7 10:07 /var/.audit/audtrail.20110907_1007
drwx------   2 root       sys             96 Sep  7 10:20 /var/.audit/audtrail.20110907_1020
drwx------   2 root       sys             96 Sep  7 10:36 /var/.audit/audtrail.20110907_1036
drwx------   2 root       sys             96 Sep  7 10:51 /var/.audit/audtrail.20110907_1051
drwx------   2 root       sys             96 Sep  7 11:05 /var/.audit/audtrail.20110907_1105
cldbpr1:/#

Thank you,
Viktor

****
Unix operates with beer.
Mohammed.Muneer
Advisor

Re: Audit trail doesn't rotate

Hi All,

Just want to know how you rotate the audit logs, since they are increasing in number. Is there any option available in 11.31, or does a manual script need to be deployed?

Regards,
MMM

Viktor Balogh
Honored Contributor

Re: Audit trail doesn't rotate

Hello Mohammed,

The log rotation is done by the audit subsystem, but for deleting the old logs which have already been written to tape we use a find-rm one-liner combo from cron. As far as I know, you could specify some script in the config file of the audit subsystem, so that at switching the old logs get archived and deleted.

Regards,
Viktor

****
Unix operates with beer.
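
Viktor's "find-rm one-liner from cron" spelled out as an added example for this thread (not HP's or Viktor's actual script): it lists switched-out trails older than a retention period and removes them, with a preview mode, while leaving the trail currently being written untouched. The directory names and dates are constructed from the ls output posted above; the function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Retention helper in the spirit of the "find-rm one-liner from cron" that
# Viktor describes: remove switched-out audit trails older than N days.
# Example code written for this thread, not an HP tool. Trail names and
# dates below are constructed from the ls output posted above.

# List entries named PREFIX.* directly under DIR whose mtime is older than
# DAYS days, one per line. Listing only; nothing is deleted.
old_audit_trails() {
    # $1 = directory, $2 = name prefix (e.g. audtrail), $3 = days
    find "$1" -name "$2.*" -prune -mtime "+$3" | sort
}

# Remove what old_audit_trails lists; pass "dry" as $4 to only preview.
prune_audit_trails() {
    old_audit_trails "$1" "$2" "$3" | while IFS= read -r trail; do
        if [ "${4:-}" = "dry" ]; then
            echo "would remove: $trail"
        else
            rm -rf "$trail" && echo "removed: $trail"
        fi
    done
}

# Number of PREFIX.* entries left under DIR (used to verify the result).
count_trails() { ls -d "$1"/"$2".* 2>/dev/null | wc -l | tr -d ' '; }

# Constructed sample: two trails dated as in the thread (2011), plus the
# trail the subsystem is writing right now, which must survive.
AUDIT_DIR=$(mktemp -d)
for t in audtrail.20110907_0855 audtrail.20110907_0910 audtrail.current; do
    mkdir "$AUDIT_DIR/$t"
done
touch -t 201109070855 "$AUDIT_DIR/audtrail.20110907_0855"
touch -t 201109070910 "$AUDIT_DIR/audtrail.20110907_0910"

# Preview; from cron you would call it without "dry" (and with /var/.audit).
prune_audit_trails "$AUDIT_DIR" audtrail 30 dry
```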
Mohammed.Muneer
Advisor

Re: Audit trail doesn't rotate

Hi Viktor,

Actually my requirement is to write the audit logs in one file only and then rotate it accordingly. There is no switching of audit logs.

So how do I rotate the logs with the configuration below...

AUDITING=1
PRI_AUDFILE=/audit/.secure/etc
PRI_SWITCH=10240
SEC_AUDFILE=*
SEC_SWITCH=0
AUDEVENT_ARGS1=" -P -F   -e create -e delete -e moddac -e modaccess -e removable -e login -e admin -s creat -s mount -s umount -s reboot -s rename -s mkdir -s rmdir -s shutdown -s pset_destroy -s __pset_rtctl -s .perf_ctl -s .audit_tag_ctl -s .proc_sec_ctl"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=" -p -f   -s .sendfile_by_name -s accept -s access -s acct -s acl -s adjtime -s bind -s chdir -s chmod -s chown -s chroot -s clock_settime -s close -s connect -s execv -s execve -s exit -s fattach -s fchdir -s semctl -s semget -s semop -s semtimedop -s send -s sendfile -s sendfile64 -s sendmsg -s sendto -s serialize -s setacl -s setaudid -s setaudproc -s umount2 -s unlink -s vfork -s vfsmount"
AUDOMON_ARGS=" -p 20 -t 1 -w 80"