topic Re: Help On Trusted Computing Base Audit Files in Operating System - HP-UX

Help On Trusted Computing Base Audit Files

G V R Shankar — Fri, 19 Dec 2008 12:01:33 GMT

Hi,

I had a requirement to enable auditing only on root account. The system was already trusted. I performed the following steps.

mkdir -p /var/.secure/etc/ /var/adm/crash/.secure/etc/
chown root:root /var/adm/crash/.secure/etc/ /var/.secure/etc/
chmod 700 /var/adm/crash/.secure/etc/ /var/.secure/etc/

Updated /etc/rc.config.d/auditing file with the following lines

AUDITING=1
PRI_AUDFILE=/var/.secure/etc/audfile1
PRI_SWITCH=5000
SEC_AUDFILE=/var/adm/crash/.secure/etc/audfile2
SEC_SWITCH=5000
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"

Start the auditing
/sbin/init.d/auditing start

Disabled auditing of all users and enable auditing for root account

/usr/sbin/audusr -D
/usr/sbin/audusr -a root

Now the question is, How can I maintain the following audit log files,

/var/.secure/etc/audfile1
/var/adm/crash/.secure/etc/audfile2

Once the switch happens from Primary to secondary, how can I bring it back to primary.

Could you please provide me a script, so that I can put it in root cron.

Thank You.

Ravi.

Re: Help On Trusted Computing Base Audit Files

TTr — Fri, 19 Dec 2008 14:44:40 GMT

Why bring it back to primary? Normally you save and empty the primary and let it be used again later on.

Using primary and secondary is NOT a good idea. They are rotating logs so the correct terminology is "current" and "next". The trick is to identify which of the two files is current and which is next.

From the audsys man page: "when the current file grows ... the auditing system switches to the next file by setting the current to to next and setting next to null"

You have to use the audsys command to determine if a log file switch has occured from the primary to the secondary. Examine the exit code of the audsys command. If a log switch has occured, the exit code is zero.

if a switch has occured then use audsys again to determine which of the two files is the current one.

Then make a copy of the OTHER file if you want to save a copy of it and designate it as the new next file with its size using the audsys with the -x and -z options

Re: Help On Trusted Computing Base Audit Files

TTr — Fri, 19 Dec 2008 15:09:16 GMT

I don't use auditing anymore but I just found the script I was using. I can not post it because I was using "audfile1" and "audfile2" for the log files and my logic to determine the switching was based on the numbers "1" and "2" at the end of the file names.

But the logic is as fiollows:

1. audsys | grep next | grep none
2. switch=$?
(Run audsys and check if the "next" log file is set to "none". This means that a log switch has occured from one file to the other. Auditing now has no "next" file. If the "current" file fills up, auditing will stop)
3. if [ "$switch" = 0 ] then

3a. current=$(audsys | grep "current file" | head -1 ****
(you may need to use "cut" where the **** are. My filenames and paths were different so I had to cut based on that. As I said i don't run it anymore so I don't know what the output of audsys looks like)
3b. if current=PRI_AUDFILE then next=SEC_AUDFILE else next=PRI_AUFILE
3c. cp $nextfile /some/path/audfile.`date "+%H%M-%d%b%y"`
(make a copy of the next file with a time stamp)
3d. > $nextfile
(empty the next file)
3e. audsys -x $nextfile -z 5000
(change the "next" file from null to the unused file)

You need to schedule this in cron based on the size of the log files and activity on the server.

Re: Help On Trusted Computing Base Audit Files

TTr — Fri, 19 Dec 2008 15:19:10 GMT

Line 3b should have "nextfile" instead of "next" in both places.

Re: Help On Trusted Computing Base Audit Files

G V R Shankar — Sun, 21 Dec 2008 09:38:14 GMT

Hi TTr,

Thank You very much for the Logic. I could make a script of it.

Following is the audsys o/p.

#audsys
auditing system is currently on
current file: /audit1/audfile1
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 5000 854876 -16997 5242880 873823 83
next file: none

I have run the following command
#audsys -x /audit2/audfile2 -z 5000

Following is the audsys o/p.

#audsys
auditing system is currently on
current file: /audit2/audfile2
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 5000 32 99 5242880 18455 100
next file: none

The "next file" is still set to none and the "current file" got changed to /audit2/audfile2

I was in a impression, that when we run the following command

audsys -x /audit2/audfile2 -z 5000

It will actually set the "next file", not the "current file"

Correct me if I am wrong.

Ravi.

Re: Help On Trusted Computing Base Audit Files

TTr — Sun, 21 Dec 2008 18:22:56 GMT

Did you empty (null out) the "next" file before running the "audsys -x ..." command?
See the man page. When setting the next file with the "-x" option the specified file must be empty or nonexistent.

Re: Help On Trusted Computing Base Audit Files

G V R Shankar — Tue, 23 Dec 2008 02:41:22 GMT

Hi TTr,

I have nullified the file /audit1/audfile1. If not, the system would fire an eror message, stating that the file is not empty.

Cheers,

Ravi.

Re: Help On Trusted Computing Base Audit Files

TTr — Tue, 23 Dec 2008 16:02:36 GMT

As I said before I no longer run auditing and can not test what you are saying. I only ran auditing for a little bit and created a script to switch the log files.
I looked for patches for the audsys command but did not find any.
Verify that the correct files are assigned to the "current" and "next" file handles. Verify that your logic detects if a log switch has ocurred correctly.
Try switching the files manually to see if "next" is set correctly from "none" to the right file.
Add echo statements in your script to verify the correct values are assigned to the variables.