File access auditing

SOLVED
Harmanjit_1
Frequent Advisor

File access auditing

Is there any way in auditing or accounting in Tru64 V5.1B that, if anyone changes any file, I can get an alert or a log can be generated mentioning who has accessed or changed it and at what time?

Thanks
8 REPLIES
Ajay Agarwal
Frequent Advisor

Re: File access auditing

You can use audit tool for auditing file access. Check the man pages for audit, auditd & auditmask.
Harmanjit_1
Frequent Advisor

Re: File access auditing

Hi,

Thanks for your reply. I have configured auditing via auditconfig and tried to set the audit flag with auditmask -x filename.

Now, when I am checking the auditing under /var/audit/logxxx via string, I am not able to get the event logged.

I am not sure if I am doing it right. Can you please tell me what the steps should be to set auditing for a file and how to get an alert or log?
Ivan Ferreira
Honored Contributor

Re: File access auditing

You should use the audit_tool command to format the log file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor
Solution

Re: File access auditing

You can audit accesses to a single file using the object selection option on the Audit subsystem. You can read the audit logs using either the audit_tool or the audit GUI; the audit logs are in a binary format, so other methods won't work. See the Security Administration manual and the man pages for auditmask, auditd, and audit_tool for more information.
Mark Poeschl_2
Honored Contributor

Re: File access auditing

Also, you'll need to make sure that the 'write', 'pwrite', and 'writev' audit events are enabled. I don't believe they are enabled by default.
Harmanjit_1
Frequent Advisor

Re: File access auditing

1) I am not able to see any option named "'write', 'pwrite', and 'writev'" while configuring audit.

2) I am getting some output for audit when I am trying to read the log file using audit_tool, but cannot get details for a particular file.

3) I have set auditing for /etc/motd to test, and modified permissions, content, etc.

When I am using audit_tool -U root audit.xx.log, it gives me output for the root user, but I am not able to find anything related to /etc/motd.

Maybe I am doing something wrong, so can anyone explain with an example using some file?

thanks
Ann Majeske
Honored Contributor

Re: File access auditing

1) I am not able to see any option named "'write', 'pwrite', and 'writev'" while configuring audit.

** See the Security Administration manual, section 3.4.3 "Enabling Audit Events"

2) I am getting some output for audit when I am trying to read the log file using audit_tool, but cannot get details for a particular file.

** Try filtering with the -/ or the -s option with the file name. See the man page for audit_tool for a description of these options. You might also look at Section 3.5 "Generating and Displaying Audit Reports" in the Security Administration guide.

3) I have set auditing for /etc/motd to test, and modified permissions, content, etc.
When I am using audit_tool -U root audit.xx.log, it gives me output for the root user, but I am not able to find anything related to /etc/motd.

** Probably because you're not auditing the proper events. See the Security Administration manual section 3.4.6 "Auditing File Operations".
Harmanjit_1
Frequent Advisor

Re: File access auditing

Hi All,

Thanks for your kind response. I am able to see auditing.

regards