topic audit log in Operating System - HP-UX

audit log

EAB — Wed, 23 Mar 2005 05:45:25 GMT

Hi ,
our system is hp-ux 11.23
we already convert the system to trust system , and apply audit log for some users & events , but we have a concern about the audit log file ,, if the user delete any file it is gave onle event is rmdir but doesn't gave us the file name which is deleted ,,, how we can get this information
the following is an example for delete file
050322 17:33:34 20130 S 137 19348 15 0 3 0 3 pts/tb
[ Event=rmdir; User=manal; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000008 (dev);
10032 (inode);
(path) = /var/sam/core

Re: audit log

Peter Godron — Wed, 23 Mar 2005 06:39:26 GMT

EAB,
according to:
http://docs.hp.com/en/B2355-90121/ch02s05.html#tab2-1
rm is not a seperately auditable event.
So I assume if you can not add it from the list of audited system calls, you are stuck with the details you currently get.
Regards

Re: audit log

EAB — Wed, 23 Mar 2005 06:49:30 GMT

so how can i know the file which is deleted by the user...
the audit log doen't contain any information about the deleted file or the file which is changed ....!!!
is there any way to get this information

Re: audit log

Peter Godron — Thu, 31 Mar 2005 02:16:10 GMT

EAB,
just to confirm by earlier response:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=643941

This is perhaps not the cleanest way, but if you wrap a script around the rm command to write the name of the file to be deleted to a file, together with the user calling the rm command, you would get your audit log.

Regards