topic Re: Audit trail/log examples? in Operating System - HP-UX

Audit trail/log examples?

A. Daniel King_1 — Wed, 11 Sep 2002 13:55:51 GMT

Hi, folks.

Could anyone please point me to some sample output from process auditing?

I'm looking at turning this on, but I'd like to know a little better what I can expect to see. I'm hoping that this will provide a nice compliment (replacement?) for process accounting - and help me better answer the question, "What was running at the time?"

Thanks.

Re: Audit trail/log examples?

harry d brown jr — Wed, 11 Sep 2002 14:08:26 GMT

This thread has a great answer from JRF:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x33b9854994d9d4118fef0090279cd0f9,00.html

live free or die
harry

Re: Audit trail/log examples?

harry d brown jr — Wed, 11 Sep 2002 14:12:31 GMT

Actually I should say ANSWERS as in multiple!

live free or die
harry

Re: Audit trail/log examples?

A. Daniel King_1 — Wed, 11 Sep 2002 14:17:33 GMT

Ahhh. The very docs I used to set up _accouting_. I am interested more specifically in auditing, i.e., man audsys.

Re: Audit trail/log examples?

Darren Prior — Wed, 11 Sep 2002 14:49:10 GMT

Hi,

I've attached a text file showing output from the audisp command with a minimal amount of events being audited. The audevent command at the top of the file shows what was setup. I then attempted to login with an invalid account, followed by logging in and then chmod'ing a file.

If you're after documentation for auditing I'd start with the audit(5) man page, also http://docs.hp.com has further info.

regards,

Darren.

Re: Audit trail/log examples?

A. Daniel King_1 — Wed, 11 Sep 2002 16:44:38 GMT

Fantastic! Can the user definable categories can easily be set to capture all processes?

Re: Audit trail/log examples?

doug hosking — Thu, 12 Sep 2002 03:02:02 GMT

Capturing all records for all processes
is easy. 'audevent -PFE' will select all record types for both system calls and self-auditing records. You don't have to do anything special (such as with audusr) to select all users. It would be a good idea to be sure you are current on patches for inetd and audisp. Also keep in mind that auditing everything can chew up an impressive amount of disk space. Be careful which file system you use to hold the audit logs, so you don't create full disk headaches for yourself.

One more caveat:
Processes may not be properly audited unless they are started AFTER auditing is turned on.
This is as designed but can be confusing.
See /etc/rc.config.d/auditing to enable auditing automatically as the system boots.

Re: Audit trail/log examples?

Anonymous — Thu, 12 Sep 2002 11:30:34 GMT

in addition to Doug:
the auditing switches to a 2nd logfile upon a certain (configurable) size. If this is full too this could mean that events cannot be logged anymore. To prevent this root is the only user who can still work in this situation.

take care, Tom

Re: Audit trail/log examples?

A. Daniel King_1 — Thu, 12 Sep 2002 14:08:00 GMT

Could you define - or get me in the ballpark - for an "impressive amount of disk space"?

Tens/Hundreds of GB? I'm trying to get a feel for how much space I'd need for a week's worth of information on a very busy system.

Thanks, all!

Re: Audit trail/log examples?

Deshpande Prashant — Thu, 12 Sep 2002 14:16:20 GMT

HI
with auditing turned on, the space required will vary, based on number of events/users audited and events occuring.
Prefer creating a seperate VG/file system for auditing and mount/link in /.secure/etc

Thanks.
Prashant.

Re: Audit trail/log examples?

doug hosking — Thu, 12 Sep 2002 15:09:09 GMT

Questions re disk space are hard to answer,
since it depends so much on machine size/speed/load, applications you run, which users/events are selected for auditing, etc. Planning for something in the range of hundreds of megabytes to 5 or so GB on a
dedicated logical volume is probably a good place to start. Once you get some real data for your system you can adjust up or down as needed.