Help On Trusted Computing Base Audit Files
12-19-2008 04:01 AM
I had a requirement to enable auditing only on root account. The system was already trusted. I performed the following steps.
mkdir -p /var/.secure/etc/ /var/adm/crash/.secure/etc/
chown root:root /var/adm/crash/.secure/etc/ /var/.secure/etc/
chmod 700 /var/adm/crash/.secure/etc/ /var/.secure/etc/
Updated /etc/rc.config.d/auditing file with the following lines
AUDITING=1
PRI_AUDFILE=/var/.secure/etc/audfile1
PRI_SWITCH=5000
SEC_AUDFILE=/var/adm/crash/.secure/etc/audfile2
SEC_SWITCH=5000
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
Start the auditing
/sbin/init.d/auditing start
Disabled auditing of all users and enabled auditing for the root account
/usr/sbin/audusr -D
/usr/sbin/audusr -a root
Now the question is: how can I maintain the following audit log files?
/var/.secure/etc/audfile1
/var/adm/crash/.secure/etc/audfile2
Once the switch happens from primary to secondary, how can I bring it back to primary?
Could you please provide me a script, so that I can put it in root's cron?
Thank You.
Ravi.
12-19-2008 06:44 AM
Using primary and secondary is NOT a good idea. They are rotating logs, so the correct terminology is "current" and "next". The trick is to identify which of the two files is current and which is next.
From the audsys man page: "when the current file grows ... the auditing system switches to the next file by setting the current to next and setting next to null".
You have to use the audsys command to determine if a log file switch has occurred from the primary to the secondary. Examine the exit code of the audsys command. If a log switch has occurred, the exit code is zero.
If a switch has occurred, then use audsys again to determine which of the two files is the current one.
Then make a copy of the OTHER file if you want to save a copy of it, and designate it as the new next file with its size using audsys with the -x and -z options.
12-19-2008 07:09 AM
Re: Help On Trusted Computing Base Audit Files
But the logic is as follows:
1. audsys | grep next | grep none
2. switch=$?
(Run audsys and check if the "next" log file is set to "none". This means that a log switch has occurred from one file to the other. Auditing now has no "next" file. If the "current" file fills up, auditing will stop.)
3. if [ "$switch" = 0 ]; then
3a. current=$(audsys | grep "current file" | head -1 ****)
(You may need to use "cut" where the **** are. My filenames and paths were different, so I had to cut based on that. As I said, I don't run it anymore, so I don't know what the output of audsys looks like.)
3b. if [ "$current" = "$PRI_AUDFILE" ]; then next=$SEC_AUDFILE; else next=$PRI_AUDFILE; fi
3c. cp $next /some/path/audfile.`date "+%H%M-%d%b%y"`
(make a copy of the next file with a time stamp)
3d. > $next
(empty the next file)
3e. audsys -x $next -z 5000
(change the "next" file from null to the unused file)
You need to schedule this in cron based on the size of the log files and activity on the server.
12-19-2008 07:19 AM
Re: Help On Trusted Computing Base Audit Files
12-21-2008 01:38 AM
Re: Help On Trusted Computing Base Audit Files
Thank you very much for the logic. I could make a script of it.
Following is the audsys o/p.
#audsys
auditing system is currently on
current file: /audit1/audfile1
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 5000 854876 -16997 5242880 873823 83
next file: none
I have run the following command
#audsys -x /audit2/audfile2 -z 5000
Following is the audsys o/p.
#audsys
auditing system is currently on
current file: /audit2/audfile2
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 5000 32 99 5242880 18455 100
next file: none
The "next file" is still set to none and the "current file" got changed to /audit2/audfile2.
I was under the impression that when we run the following command
audsys -x /audit2/audfile2 -z 5000
it will actually set the "next file", not the "current file".
Correct me if I am wrong.
Ravi.
12-21-2008 10:22 AM
Re: Help On Trusted Computing Base Audit Files
See the man page. When setting the next file with the "-x" option the specified file must be empty or nonexistent.
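The rotation logic posted above, written out as a cron-ready script (an added example, not code from the thread or from HP). It assumes the audsys output format shown in Ravi's post, the /audit1 and /audit2 file paths from that output, and an ARCHIVE_DIR that is my own choice; the -x file is emptied first because audsys only accepts an empty or nonexistent next file.

```shell
#!/bin/sh
# Added example, not code from the thread: rotate the two HP-UX audit files
# from root's cron using the logic posted above. It parses the audsys output
# format shown in the thread; ARCHIVE_DIR is an assumed location.
PRI_AUDFILE=/audit1/audfile1   # the two files from /etc/rc.config.d/auditing
SEC_AUDFILE=/audit2/audfile2   # (paths as in Ravi's audsys output)
ARCHIVE_DIR=/var/.secure/archive   # assumption: where filled logs are kept
SWITCH_KB=5000                     # matches PRI_SWITCH / SEC_SWITCH
# audsys output copied from the thread, so the parsing can be tried offline.
SAMPLE='auditing system is currently on
current file: /audit1/audfile1
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 5000 854876 -16997 5242880 873823 83
next file: none'
# Print the path from the first "current file:" line of audsys output (stdin).
current_file() {
    awk '/^current file:/ { print $3; exit }'
}
# Succeed only when the first "next file:" line says "none": a switch has
# happened and auditing has no next file, so it stops once current fills.
next_is_none() {
    awk 'BEGIN { r = 1 }
         /^next file:/ { if ($3 == "none") r = 0; exit }
         END { exit r }'
}
# The file that is not current is the one to archive and reuse as next.
other_file() {
    if [ "$1" = "$PRI_AUDFILE" ]; then echo "$SEC_AUDFILE"; else echo "$PRI_AUDFILE"; fi
}
# Run from cron as "<script> rotate"; does nothing unless next is "none".
rotate_audit_files() {
    out=$(/usr/sbin/audsys) || return 1
    printf '%s\n' "$out" | next_is_none || return 0
    cur=$(printf '%s\n' "$out" | current_file)
    [ -n "$cur" ] || return 1
    next=$(other_file "$cur")
    mkdir -p "$ARCHIVE_DIR" && chmod 700 "$ARCHIVE_DIR"
    # keep a timestamped copy of the filled file, then empty it: audsys -x
    # only accepts a file that is empty or does not exist yet
    if [ -s "$next" ]; then
        cp -p "$next" "$ARCHIVE_DIR/audfile.$(date '+%d%b%y-%H%M')" || return 1
        : > "$next"
    fi
    /usr/sbin/audsys -x "$next" -z "$SWITCH_KB"
}
case "${1:-}" in rotate) rotate_audit_files ;; esac
```

After the -x call it is worth re-running audsys from the same cron job and logging its output, so the state the script left behind is visible the next time the "next file" question comes up.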
12-22-2008 06:41 PM
Re: Help On Trusted Computing Base Audit Files
I have nullified the file /audit1/audfile1. If not, the system would fire an error message, stating that the file is not empty.
Cheers,
Ravi.
12-23-2008 08:02 AM
Re: Help On Trusted Computing Base Audit Files
I looked for patches for the audsys command but did not find any.
Verify that the correct files are assigned to the "current" and "next" file handles. Verify that your logic correctly detects whether a log switch has occurred.
Try switching the files manually to see if "next" is set correctly from "none" to the right file.
Add echo statements in your script to verify the correct values are assigned to the variables.