Re: Audit directory removal
08-11-2009 12:22 AM
We have installed Oracle on an HP-UX 11.23 operating system. The system is a trusted system.
The last month the cdump directory in the Oracle installation directory has been removed twice unexpectedly, once in two weeks.
We have recreated the directory manually.
Auditing is not turned on in the system, in order to avoid performance issues.
I am new to HP-UX and my question is:
Can I audit only the cdump directory and all the actions that modify this directory?
Any help would be appreciated.
08-11-2009 01:42 AM
You can however monitor just one system call - in your case I'd suggest the rmdir system call.
1) Determine who has access to the directories in question (i.e. who apart from root could delete the directory)
2) Now you need to set up auditing to have minimum impact on your users...
ensure auditing is off:
audsys -f
now just monitor the users we care about - let's say you've determined that only the oracle and root user have permission to remove that directory:
audusr -D
will disable auditing for all users, and then:
audusr -a root -a oracle
will add it back for those users.
now for the system call:
audevent -E -S -p -f
will disable auditing for all events and system calls, and then
audevent -P -s rmdir
will add it back in for the rmdir system call.
3) Now turn auditing on - you'll need to specify where to put the log - I'd suggest a filesystem with plenty of space on it... You also need to specify how big the log can grow to... I can't believe that rmdir will get called that often on your system, so maybe a 20MB filesize will be sufficient - each audit entry in the log consumes about 100 bytes, so you can get plenty of log entries in 20MB:
audsys -n -c /mydir/audlog20MB -s 20480
4) You can quickly test everything's working by doing something like:
mkdir /tmp/xyz
rmdir /tmp/xyz
as one of the audited users.
You can then see what shows up in the audit log using:
audisp /mydir/audlog20MB
You should see something like this:
# audisp /mydir/audlog20MB
All users are selected.
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:22:42 3264 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:23:00 3269 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now just wait for the directory to get deleted again, and then run the audisp command - from that you should be able to pick out the PID and PPID of the process doing the deletion - that may (or may not!) help you identify the root cause.
HTH
Duncan
I am an HPE Employee
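Once auditing is on, the log will also hold every other rmdir on the box, so the last step of the answer (picking the PID and PPID out of audisp output) is easier with a small filter. The script below is an added example, not code from the thread or from HPE: it reads audisp output on stdin and prints date, time, PID, PPID, user and path for each successful rmdir of one given directory. The record layout is taken from the audisp sample in the answer; the cdump path /u01/app/oracle/admin/orcl/cdump, the second record and the script name rmdir_events.sh are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread above: pick the rmdir records for one
# directory out of audisp(1M) output so the PID/PPID and user of the
# deleting process can be read off directly. The record layout follows the
# sample audisp output posted in the answer; the cdump path and the second
# record below are constructed, not taken from any real system.

# Constructed audisp output: the /tmp/xyz test record from the answer plus
# a hypothetical removal of an Oracle cdump directory by the oracle user.
SAMPLE_AUDISP='All users are selected.
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:22:42 3264 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090825 03:15:07 4102 S 137 4099 0 101 102 101 102 ?
[ Event=rmdir; User=oracle; Real Grp=dba; Eff.Grp=dba; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
2201 (inode);
(path) = /u01/app/oracle/admin/orcl/cdump
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

# rmdir_events_for DIR: reads audisp output on stdin and prints one line
# per successful rmdir of DIR as "date time pid ppid user path".
# Only RETURN_VALUE 0 records are kept, matching the answer's selection
# of successful rmdir calls (audevent -P).
rmdir_events_for() {
    awk -v want="$1" '
        # A line of tildes closes a record: report it if it is the one we want.
        /^~~~/ {
            if (ev == "rmdir" && ret == "0" && path == want)
                print date, time, pid, ppid, user, path
            ev = ""; ret = ""; path = ""; user = ""
            next
        }
        # Header line: TIME (date, time) PID E EVENT PPID AID RUID ... TTY
        /^[0-9][0-9][0-9][0-9][0-9][0-9] [0-9][0-9]:/ {
            date = $1; time = $2; pid = $3; ppid = $6
            next
        }
        # "[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]"
        /^\[ Event=/ {
            ev = $0;   sub(/.*Event=/, "", ev);   sub(/;.*/, "", ev)
            user = $0; sub(/.*User=/, "", user); sub(/;.*/, "", user)
            next
        }
        # "RETURN_VALUE 1 = 0;"
        /^RETURN_VALUE/ { ret = $4; sub(/;$/, "", ret); next }
        # "(path) = /tmp/xyz"
        /^\(path\) = / { path = $0; sub(/^\(path\) = /, "", path); next }
        # Report a trailing record that has no closing tilde line.
        END {
            if (ev == "rmdir" && ret == "0" && path == want)
                print date, time, pid, ppid, user, path
        }
    '
}

# Usage: audisp /mydir/audlog20MB | sh rmdir_events.sh /u01/app/oracle/admin/orcl/cdump
# Without an argument the constructed sample above is filtered instead.
if [ $# -gt 0 ]; then
    rmdir_events_for "$1"
else
    printf '%s\n' "$SAMPLE_AUDISP" | rmdir_events_for /u01/app/oracle/admin/orcl/cdump
fi
```

Run against the real log as shown in the usage comment, substituting the cdump path from the Oracle installation. If failed rmdir attempts are also wanted (for example to see something trying and not succeeding), the RETURN_VALUE check would need relaxing, and the failed calls would have to be selected in audevent as well.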
08-11-2009 02:24 AM
Re: Audit directory removal
You should take note that the trusted system has been declared end of life and will not continue after HP-UX 11.31. You may wish to explore shadow passwords from http://software.hp.com for the password functionality and other options for system auditing.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
08-11-2009 02:30 AM
Re: Audit directory removal
> been declared end of life and will not
> continue after HP-UX 11.31. You may wish to
> explore shadow password from
> http://software.hp.com for the password
> functionality and other options for system
> auditing.
True - but the auditing subsystem is not going away with the rest of the trusted system functionality - in fact on 11.31 it works whether you are in trusted mode or not.
HTH
Duncan
I am an HPE Employee
08-11-2009 03:55 AM
Re: Audit directory removal
I will try your solution now.