HPE Community
Operating System - Tru64 Unix
1752273 Members
4819 Online
108786 Solutions
New Discussion юеВ

Re: File access auditing

 
SOLVED
Go to solution
Harmanjit_1
Frequent Advisor

тАО03-01-2006 01:52 PM

тАО03-01-2006 01:52 PM

File access auditing

Is there is any way in auditing or accounting in Tru64 V5.1B that if anyone changes any file, I can get alert or a log can be generated mentioning who has accessed, changed at what time.

Thanks
0 Kudos
8 REPLIES 8
Ajay Agarwal
Frequent Advisor

тАО03-01-2006 03:57 PM

тАО03-01-2006 03:57 PM

Re: File access auditing

You can use audit tool for auditing file access. Check the man pages for audit, auditd & auditmask.
0 Kudos
Harmanjit_1
Frequent Advisor

тАО03-01-2006 06:33 PM

тАО03-01-2006 06:33 PM

Re: File access auditing

Hi,

Thanks for your reply. I have configured auditing via auditconfig and tried to set audit flag with auditmask -x filename

Now, when i am checking the auditing under /var/audit/logxxx via string, I am not able to get the event logged.

I am not sure, If I am doing write. Can you pls. tell what should be step to set audit for a file and how to get alert or log.
0 Kudos
Ivan Ferreira
Honored Contributor

тАО03-01-2006 10:58 PM

тАО03-01-2006 10:58 PM

Re: File access auditing

You should use the audit_tool command to format the log file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Ann Majeske
Honored Contributor

тАО03-02-2006 04:03 AM

тАО03-02-2006 04:03 AM

Solution

Re: File access auditing

You can audit accesses to a single file using the object selection option on the Audit subsystem. You can read the audit logs using either the audit_tool or the audit GUI, the audit logs are in a binary format, so other methods won't work. See the Security Administration manual and the man pages for auditmask, auditd, and audit_tool for more information.
0 Kudos
Mark Poeschl_2
Honored Contributor

тАО03-02-2006 04:35 AM

тАО03-02-2006 04:35 AM

Re: File access auditing

Also, you'll need to make sure that the 'write', 'pwrite', and 'writev' audit events are enabled. I don't believe they are enabled by default.
0 Kudos
Harmanjit_1
Frequent Advisor

тАО03-03-2006 04:39 PM

тАО03-03-2006 04:39 PM

Re: File access auditing

1) I am not able to see any option named "'write', 'pwrite', and 'writev' " while configurating audit.

2) I am getting some output for audit when I am trying to read log file using audit_tool but cannot get details for particular file.

3) I have set auditing for /etc/motd to test. and modified permission, content etc.

when I am using audit_tool -U root audit.xx.log, It gives me output for root user but cannot able to find anything related to /etc/motd.

May be I am doing wrong so, Can anyone explain with example with some file.

thanks
0 Kudos
Ann Majeske
Honored Contributor

тАО03-06-2006 08:56 AM

тАО03-06-2006 08:56 AM

Re: File access auditing

1) I am not able to see any option named "'write', 'pwrite', and 'writev' " while configurating audit.

** See the Security Administration manual, section 3.4.3 "Enabling Audit Events"

2) I am getting some output for audit when I am trying to read log file using audit_tool but cannot get details for particular file.

** Try filtering with the -/ or the -s option with the file name. See the man page for audit_tool for a description of these options. You might also look at Section 3.5 "Generating and Displaying Audit Reports" in the Security Administration guide.

3) I have set auditing for /etc/motd to test. and modified permission, content etc.
when I am using audit_tool -U root audit.xx.log, It gives me output for root user but cannot able to find anything related to /etc/motd.

** Probably because you're not auditing the proper events. See the Security Administration manual section 3.4.6 "Auditing File Operations".
0 Kudos
Harmanjit_1
Frequent Advisor

тАО03-07-2006 12:18 AM

тАО03-07-2006 12:18 AM

Re: File access auditing

Hi All,

Thanks for your kind response. I am able to see auditing.

regards
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.