- Re: auditing a specific file on Tru64
07-10-2007 10:27 AM
I have a Tru64 system, and I have auditing enabled on it (though I still have problems generating the required reports). Regardless of my currently running auditing, can I set up auditing on a specific file on the system, to monitor which users accessed this file? Is there some special option I have to use with "audit" for this file, or should I use some tools??
Thanks a lot.
07-11-2007 01:37 AM
07-11-2007 05:30 AM
and the -x and -X options.
Ann
07-12-2007 06:05 AM
After searching, I tried the auditmask -x command, and here is the result I got:
#root@billing2# auditmask -x /tmp/alaa [:1|:0]
selection: on => on -- /tmp/alaa
Can't find event #
Can't find event This
Can't find event is
Can't find event a
Can't find event SAMPLE
Can't find event alias
Can't find event list.
Can't find event Your
Can't find event alias
Can't find event list
Can't find event should
Can't find event be
Can't find event built
Can't find event to
Is something still missing here, or did I issue the wrong command??
Thanks in advance
07-12-2007 07:03 AM
It seems I overwrote some existing audit policy my system already has.
I issued the following command:
#auditmask -x /tmp/alaa
thinking that it would audit the file /tmp/alaa.
However, I ended up finding this process running:
root 1291907 1048577 0.0 07:37:22 ?? 0:00.02 /usr/sbin/auditd -l /var/audit/auditlog -c syslog -o overwrite
So I killed this process, but when I checked the file /tmp/alaa
I found it full of auditing records, so now it contains the auditing records instead of being audited.
Any advice??
Thanks
07-13-2007 02:54 AM
but I have the following log message:
Quote:
Jul 12 22:01:07 billing2 vmunix: warning: /dev/audit closed (pid 1291907), but audit still enabled
what do you think??
07-13-2007 07:43 AM
Solution
To restart auditd with the original parameters try running:
# /sbin/init.d/audit stop
# /sbin/init.d/audit start
Please read the chapter on auditing in the Security Administration manual: http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/V51B_HTML/ARH95ETE/TITLE.HTM
You may also want to consult with your system administrator about making these changes so that you don't interfere with the normal auditing done on the system.
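A check to run after restarting auditd as described above, written as an added example that is not part of the original post: it looks for the kernel warning quoted earlier in the thread and confirms that a different auditd is now running and writing to the expected log. The function names, the second ps line and the assumption that the pid is in column 2 of the ps listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The first two sample lines are built from
# the syslog warning and the ps entry quoted in the posts above.
SAMPLE_SYSLOG='Jul 12 22:01:07 billing2 vmunix: warning: /dev/audit closed (pid 1291907), but audit still enabled'
SAMPLE_PS_OLD='root 1291907 1048577 0.0 07:37:22 ?? 0:00.02 /usr/sbin/auditd -l /var/audit/auditlog -c syslog -o overwrite'
# Constructed: a hypothetical new daemon after the init script restart.
SAMPLE_PS_NEW='root 1300001 1 0.0 08:10:00 ?? 0:00.01 /usr/sbin/auditd -l /var/audit/auditlog -c syslog -o overwrite'

# Print the pid from each "/dev/audit closed ... audit still enabled" warning.
closed_audit_pids() {
    printf '%s\n' "$1" |
        sed -n 's|.*/dev/audit closed (pid \([0-9][0-9]*\)), but audit still enabled.*|\1|p'
}

# Print "pid logpath" for each auditd in a ps listing (pid assumed in column 2).
running_auditd() {
    printf '%s\n' "$1" | awk '{
        for (i = 3; i <= NF; i++) if ($i ~ /auditd$/) {
            path = "-"
            for (j = i + 1; j < NF; j++) if ($j == "-l") path = $(j + 1)
            print $2, path
            break
        }
    }'
}

# audit_status SYSLOG PS_LISTING EXPECTED_LOG
# Prints OK, NO_DAEMON (no live auditd other than the one the kernel reported
# as having closed /dev/audit), or WRONG_LOG (a daemon whose -l path differs).
audit_status() {
    last_closed=$(closed_audit_pids "$1" | tail -1)
    live=$(running_auditd "$2" | awk -v dead="$last_closed" '$1 != dead')
    if [ -z "$live" ]; then
        echo NO_DAEMON
    elif printf '%s\n' "$live" | awk -v want="$3" '$2 != want { bad = 1 } END { exit !bad }'; then
        echo WRONG_LOG
    else
        echo OK
    fi
}

audit_status "$SAMPLE_SYSLOG" "$SAMPLE_PS_OLD" /var/audit/auditlog
audit_status "$SAMPLE_SYSLOG" "$SAMPLE_PS_NEW" /var/audit/auditlog
```

On a live system the first two arguments would come from the syslog file and a current ps listing instead of the sample strings.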
07-13-2007 09:18 AM
I really appreciate your help; it seems things are getting worse for me.
I suddenly became the system administrator, and now the users are complaining they can't log in to the system. After they enter their user name and password, the system just displays their last login info and doesn't log them in to the session. However, as root I'm still able to log in.
I tried to stop the audit process; it froze for about 30 minutes and didn't stop.
Do you have any idea why other users are not able to log in??
I'm sure that I used the -x option with the auditmask command, not "-X".
Thanks again for your help and concern.
07-16-2007 09:29 AM
#/usr/sbin/auditd -l /var/audit/auditlog -c syslog -o overwrite
But, it's hard to know if this will fix the problem with users being able to log in or not. Depending on how much grief you're getting from users not being able to log in VS how much grief you'd get if the system went down, I'd be tempted to just reboot the system and see how things go from there.
Ann