topic Audit directory removal in Operating System - HP-UX

Audit directory removal

alex1982 — Tue, 11 Aug 2009 07:22:46 GMT

Hello everybody.

We have installed Oracle on an HP-UX 11.23 operating system.The system is a trusted system.
The last month the cdump directory in the Oracle installation directory, has been removed twice unexpectedly , once in two weeks.
We have recreated the directory manually.

Auditing is not turned on in the system, in order to avoid performance issues.

I am new to HP-UX and my question is :
Can i audit only the cdump directory and all the actions that modify this directory ?

Any help would be appreciated.

Re: Audit directory removal

Duncan Edmonstone — Tue, 11 Aug 2009 08:42:53 GMT

No you can't just audit one directory...

You can however monitor just one system call - in your case I'd suggest the rmdir system call.

1) Determine who has access to the directories in question (i.e. who apart from root could delete the directory)

2) Now you need to set up auditing to have minimum impact on your users...

ensure auditing is off:

audsys -f

now just monitor the users we care about - let's say you've determined that only the oracle and root user have permission to remove that directory:

audusr -D

will disable auditing for all users, and then:

audusr -a root -a oracle

will add it back for those users.

now for the system call:

audevent -E -S -p -f

will disable auditing for all events and system calls, and then

audevent -P -s rmdir

will add it back in for the rmdir system call.

3) Now turn auditing on - you'll need to specify where to put the log - I'd suggest a filesystem with pleny of space on it... You also need to specify how big the log can grow to... I can't beleive that rmdir will get called that often on your system, so maybe a 20MB filesize will be sufficient - each audit entry in the log consumes about 100 bytes, so you can get plenty of log entries in 20MB:

audsys -n -c /mydir/audlog20MB -s 20480

4) You can quickly test everythings working by doing something like:

mkdir /tmp/xyz
rmdir /tmp/xyz

as one of the audited users.

You can then see what shows up in the audit log using:

audisp /mydir/audlog20MB

You should see something like this:

# audisp /mydir/audlog20MB
All users are selected.
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:22:42 3264 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:23:00 3269 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now just wait for the directory to get deleted again, and then run the audisp command - from that you should be able to pick out the PID and PPID of the process doing the deletion - that may (or may not!) help you identify the root cause.

HTH

Duncan

Re: Audit directory removal

Steven E. Protter — Tue, 11 Aug 2009 09:24:13 GMT

Shalom,

You should take note that trusted system has been declared end of life and will not continue after HP-UX 11.31. You may wish to explore shadow password from http://software.hp.com for the password functionality and other options for system auditing.

SEP

Re: Audit directory removal

Duncan Edmonstone — Tue, 11 Aug 2009 09:30:18 GMT

> You should take note that trusted system has
> been declared end of life and will not
> continue after HP-UX 11.31. You may wish to
> explore shadow password from
> http://software.hp.com for the password
> functionality and other options for system
auditing.

True - but the auditing subsystem is not going away with the rest of the trusted system functionality - in fact on 11.31 it works whether you are in trusted mode or not.

HTH

Duncan

Re: Audit directory removal

alex1982 — Tue, 11 Aug 2009 10:55:03 GMT

Thank you .
I will try your solution now.