topic Re: auditing the system in Operating System - HP-UX

auditing the system

Venkat_11 — Tue, 03 Jan 2006 14:24:20 GMT

We have a server and we turn on auditing on that server.
And the output for audsys is as follows

audsys
auditing system is currently on
current file: /aud/audfile1
next file: /aud/audfile2
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000 0 100 2097152 1614 100
next file: 1000 0 100 2097152 1614 100

But when i observed those particular files they are 0 byte files.
ls -l
total 0
-rw------- 1 root sys 0 Nov 10 18:43 audfile1
-rw------- 1 root sys 0 Nov 10 18:43 audfile2

Why these files are not getting update with auditrecords?

FYI syslog.conf file is like this

mail.debug /var/adm/syslog/mail.log
*.info;mail.none;auth.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
auth.info /var/adm/syslog/auth.log
and auth.log file is filling with audit records.

Does auth.info in syslog.conf taking the job of auditing. Can some body please explain me the difference between these two auditing files.

Thanks In Advance

Venkat

Re: auditing the system

Jeff Schussele — Tue, 03 Jan 2006 14:40:29 GMT

Hi Venkat,

Normally the audit files are listed in /etc/rc.config.d/auditing as follows:

PRI_AUDFILE=/path/to/audfile1
SEC_AUDFILE=/path/to/audfile2

Also you spell out the max filesizes with

PRI_SWITCH=153600
SEC_SWITCH=153600

And of course auditing has to be turned on with

AUDITING=1

And you can specify the event arguments with

AUDEVENT_ARGS1=" 1st Args listed here"
AUDEVENT_ARGS2=" 2nd args listed here"
etc.....

And the audomon args as well

AUDOMON_ARGS=" Mon args here"

You do *not* list audit.info *specifically* in syslog.conf.

HTH,
Jeff

Re: auditing the system

Steven E. Protter — Tue, 03 Jan 2006 14:42:53 GMT

Shalom Venkat,

Seems that auditing is merely disabled, as in not runing.

The only thing you should ever see in syslog is when the log files switch, or if they fail to switch when one gets full.

SEP

Re: auditing the system

Venkat_11 — Tue, 03 Jan 2006 14:54:44 GMT

The /etc/rc.confid.d/auditing looks like this
AUDITING=0
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDOMON_ARGS="-p 20 -t 1 -w 90"

But audsys showing like

auditing system is currently on
current file: /aud/audfile1
next file: /aud/audfile2
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000 0 100 2097152 1614 100
next file: 1000 0 100 2097152 1614 100

so what steps i have to take to update the /etc/rc.config.d/auditing and how restart the services so that it will take effect.

Thanks

Venkat

Re: auditing the system

Jeff_Traigle — Tue, 03 Jan 2006 15:09:28 GMT

Just edit the file so AUDITING=1. To start auditing after that change, just run /sbin/init.d/auditing.

However, you also will want to change the path for the second audit log. It's purpose is to switch if the first log can no longer be written to (file system fills up). If it's on the same file system as the first, you could have some major problems.

In reality, you probably want to change both paths actually. Default is set to write to the root file system, which you certainly don't want to accidentally fill up with audit logs. Ideally, you probably want to create two new file systems that you can mount and use for the audit log locations.

Re: auditing the system

Jeff_Traigle — Tue, 03 Jan 2006 15:13:49 GMT

Oops... That should have said to run "/sbin/init.d/auditing start"

Re: auditing the system

Venkat_11 — Tue, 03 Jan 2006 15:32:30 GMT

Hi Jeff,
First of all i would like to say thanks for your quick and good responces.

I set the auditing file like this

AUDITING=1
PRI_AUDFILE=/aud/audfile1
PRI_SWITCH=995000
SEC_AUDFILE=/aud/audfile2
SEC_SWITCH=995000
AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDOMON_ARGS="-p 20 -t 1 -w 90"
"auditing" 75 lines, 3055 characters

we have a FS /aud of 2gb. My question is what will happen when both the PRI and SEC get filled up..?
And what AUDEVENT_ARGS and AUDOMON_ARGS does and do i need to update them with any arguments?

And do i need to remove
auth.info /var/adm/syslog/auth.log
from syslog.conf.

Thanks A lot for Answers

Venkat

Re: auditing the system

Jeff_Traigle — Tue, 03 Jan 2006 15:57:53 GMT

As I understand it, having both audit files in the same file system can be very detrimental. If the first file fills to the point that the file system is full, there will be no way for the system to write to the second log file. This can apparently cause some processes to hang since they won't be able to write audit information.

Re: auditing the system

Jeff_Traigle — Tue, 03 Jan 2006 16:04:11 GMT

As for the other questions...

I'm not sure about the ARGS settings. I haven't actually enabled auditing on any systems so haven't taken the time to read man pages for audevent and audmon. I'd recommend you read those before you make changes to the default arhuments provided.

As for removing the auth.info line from syslog.conf, it's not necessary. It's nice at times to have your authentication syslog entries in a separate file where they are easily analyzed without having to wade through all the other stuff that typically gets written to syslog. Personally, I'd keep it the way you have it set up currently.

Re: auditing the system

Venkat_11 — Tue, 03 Jan 2006 16:11:39 GMT

Hi,

Even both the log files are sitting under the same file system /aud, in the auditing file i mentioned
PRI_SWITCH=995000 that means it has to switch to secondary log gile once after the primary log reaches 970MB, where the total FS is 2GB in size.

After all changes made to /etc/rc.config.d/auditing file when i tried to start the auditing services i am getitng the following error

/sbin/init.d/auditing start
auditing system is already on, input arguments ignored
ERROR CODE 8

I restarted the /sbin/init.d/auditing stop and start. After that i observed that /aud/audfile1 is updating with some stuff.
When i opened that file it showing up weird charaters like this

^DM-^?M-^?M-^?M-^?M-^?M-^?M-^?M-^?CM-:M-gM-.>^P9^P ^?^?!M-^PCM-:M-gM-.>^Q$^C^\>^PM-^?M-^?M-^?M-^?M-^?M-^?
M-^?M-^?CM-:M-gM-.>^Q9^PM-^P^?^?!@CM-:M-gM-

Can any body advice why it showing like this
Thanks in Advance

Venkat

Re: auditing the system

Jeff_Traigle — Tue, 03 Jan 2006 16:17:05 GMT

As long as nothing else is written to that file system, the size limit settings for the log files you specified should keep you out of trouble with auditing hanging any processes.

The audit files are binary. Use audisp to query the logs.

Re: auditing the system

Venkat_11 — Tue, 03 Jan 2006 17:44:56 GMT

Hi Jeff,
I appreciate your help to make auditing work.
Thanks A Lot.

When i say
#audisp audfile1 i am getting output like this.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060103 14:58:16 13151 S 57 1100 -1 0 0 0 0 ?????
[ Event=utssys; User=????????; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (addr of char) = 2139037936
PARAM #2 (int) = 0
PARAM #3 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060103 14:58:16 13151 S 57 1100 -1 0 0 0 0 ?????
[ Event=utssys; User=????????; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (addr of char) = 1073769712
PARAM #2 (int) = 64
PARAM #3 (int) = 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I didnt understand how to analise this output. WHy it showing up the user account as ?????? and what does rest of the values. Can i get any document to refer regarding this output.

Thanks A Lot