1753435
Members
4579
Online
108794
Solutions
SOLVED
No you can't just audit one directory...
You can however monitor just one system call - in your case I'd suggest the rmdir system call.
1) Determine who has access to the directories in question (i.e. who apart from root could delete the directory)
2) Now you need to set up auditing to have minimum impact on your users...
ensure auditing is off:
audsys -f
now just monitor the users we care about - let's say you've determined that only the oracle and root user have permission to remove that directory:
audusr -D
will disable auditing for all users, and then:
audusr -a root -a oracle
will add it back for those users.
now for the system call:
audevent -E -S -p -f
will disable auditing for all events and system calls, and then
audevent -P -s rmdir
will add it back in for the rmdir system call.
3) Now turn auditing on - you'll need to specify where to put the log - I'd suggest a filesystem with pleny of space on it... You also need to specify how big the log can grow to... I can't beleive that rmdir will get called that often on your system, so maybe a 20MB filesize will be sufficient - each audit entry in the log consumes about 100 bytes, so you can get plenty of log entries in 20MB:
audsys -n -c /mydir/audlog20MB -s 20480
4) You can quickly test everythings working by doing something like:
mkdir /tmp/xyz
rmdir /tmp/xyz
as one of the audited users.
You can then see what shows up in the audit log using:
audisp /mydir/audlog20MB
You should see something like this:
# audisp /mydir/audlog20MB
All users are selected.
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:22:42 3264 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:23:00 3269 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now just wait for the directory to get deleted again, and then run the audisp command - from that you should be able to pick out the PID and PPID of the process doing the deletion - that may (or may not!) help you identify the root cause.
HTH
Duncan
I am an HPE Employee
You can however monitor just one system call - in your case I'd suggest the rmdir system call.
1) Determine who has access to the directories in question (i.e. who apart from root could delete the directory)
2) Now you need to set up auditing to have minimum impact on your users...
ensure auditing is off:
audsys -f
now just monitor the users we care about - let's say you've determined that only the oracle and root user have permission to remove that directory:
audusr -D
will disable auditing for all users, and then:
audusr -a root -a oracle
will add it back for those users.
now for the system call:
audevent -E -S -p -f
will disable auditing for all events and system calls, and then
audevent -P -s rmdir
will add it back in for the rmdir system call.
3) Now turn auditing on - you'll need to specify where to put the log - I'd suggest a filesystem with pleny of space on it... You also need to specify how big the log can grow to... I can't beleive that rmdir will get called that often on your system, so maybe a 20MB filesize will be sufficient - each audit entry in the log consumes about 100 bytes, so you can get plenty of log entries in 20MB:
audsys -n -c /mydir/audlog20MB -s 20480
4) You can quickly test everythings working by doing something like:
mkdir /tmp/xyz
rmdir /tmp/xyz
as one of the audited users.
You can then see what shows up in the audit log using:
audisp /mydir/audlog20MB
You should see something like this:
# audisp /mydir/audlog20MB
All users are selected.
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:22:42 3264 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090811 10:23:00 3269 S 137 3064 0 0 3 0 3 pts/0
[ Event=rmdir; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000004 (dev);
9 (inode);
(path) = /tmp/xyz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now just wait for the directory to get deleted again, and then run the audisp command - from that you should be able to pick out the PID and PPID of the process doing the deletion - that may (or may not!) help you identify the root cause.
HTH
Duncan
I am an HPE Employee
> You should take note that trusted system has
> been declared end of life and will not
> continue after HP-UX 11.31. You may wish to
> explore shadow password from
> http://software.hp.com for the password
> functionality and other options for system
auditing.
True - but the auditing subsystem is not going away with the rest of the trusted system functionality - in fact on 11.31 it works whether you are in trusted mode or not.
HTH
Duncan
I am an HPE Employee
> been declared end of life and will not
> continue after HP-UX 11.31. You may wish to
> explore shadow password from
> http://software.hp.com for the password
> functionality and other options for system
auditing.
True - but the auditing subsystem is not going away with the rest of the trusted system functionality - in fact on 11.31 it works whether you are in trusted mode or not.
HTH
Duncan
I am an HPE Employee