File access auditing

SOLVED
Harmanjit_1
Frequent Advisor

File access auditing

Is there any way in auditing or accounting in Tru64 V5.1B so that if anyone changes any file, I can get an alert or a log can be generated mentioning who has accessed or changed it and at what time?

Thanks
8 REPLIES
Ajay Agarwal
Frequent Advisor

Re: File access auditing

You can use audit tool for auditing file access. Check the man pages for audit, auditd & auditmask.
Harmanjit_1
Frequent Advisor

Re: File access auditing

Hi,

Thanks for your reply. I have configured auditing via auditconfig and tried to set the audit flag with auditmask -x filename.

Now, when I am checking the auditing under /var/audit/logxxx via string, I am not able to get the event logged.

I am not sure if I am doing it right. Can you please tell me what the steps should be to set audit for a file and how to get an alert or log?
Ivan Ferreira
Honored Contributor

Re: File access auditing

You should use the audit_tool command to format the log file.
Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor
Solution

Re: File access auditing

You can audit accesses to a single file using the object selection option on the Audit subsystem. You can read the audit logs using either the audit_tool or the audit GUI. The audit logs are in a binary format, so other methods won't work. See the Security Administration manual and the man pages for auditmask, auditd, and audit_tool for more information.
Mark Poeschl_2
Honored Contributor

Re: File access auditing

Also, you'll need to make sure that the 'write', 'pwrite', and 'writev' audit events are enabled. I don't believe they are enabled by default.
Harmanjit_1
Frequent Advisor

Re: File access auditing

1) I am not able to see any option named "'write', 'pwrite', and 'writev'" while configuring audit.

2) I am getting some output for audit when I am trying to read the log file using audit_tool, but cannot get details for a particular file.

3) I have set auditing for /etc/motd to test, and modified permission, content, etc.

When I am using audit_tool -U root audit.xx.log, it gives me output for the root user, but I am not able to find anything related to /etc/motd.

Maybe I am doing it wrong, so can anyone explain with an example using some file?

thanks
Ann Majeske
Honored Contributor

Re: File access auditing

1) I am not able to see any option named "'write', 'pwrite', and 'writev'" while configuring audit.

** See the Security Administration manual, section 3.4.3 "Enabling Audit Events"

2) I am getting some output for audit when I am trying to read the log file using audit_tool, but cannot get details for a particular file.

** Try filtering with the -/ or the -s option with the file name. See the man page for audit_tool for a description of these options. You might also look at Section 3.5 "Generating and Displaying Audit Reports" in the Security Administration guide.

3) I have set auditing for /etc/motd to test, and modified permission, content, etc.
When I am using audit_tool -U root audit.xx.log, it gives me output for the root user, but I am not able to find anything related to /etc/motd.

** Probably because you're not auditing the proper events. See the Security Administration manual section 3.4.6 "Auditing File Operations".
Harmanjit_1
Frequent Advisor

Re: File access auditing

Hi All,

Thanks for your kind response. I am able to see auditing.

regards