Operating System - HP-UX

Re: Question on Audit Trail (Successful Delete Only)

 
sysad_boy
Frequent Advisor

Question on Audit Trail (Successful Delete Only)

Hi,

I am trying to monitor all users (which includes his/her username and IP address) who execute deletion of files on our server. I thought enabling Audit Trail (for successful delete only) would help solve my problem, but when I activated it and did some tests, I checked the logfile generated via SAM and, to my surprise, I didn't get the output I was expecting.

Is there a special configuration or setting in enabling Audit Trail to log the user's username and IP address every time he/she executes a delete, regardless of whether it's a directory or a file?


Thanks in advance
Analyst
Trusted Contributor
Solution

Re: Question on Audit Trail (Successful Delete Only)

Hi,

Use the audusr command to perform the task.

The updates will be stored in the current file, e.g.:
/.secure/etc/audfile1

Thanks,
Analyst.
Bill Hassell
Honored Contributor

Re: Question on Audit Trail (Successful Delete Only)

If you are managing file permissions and ownership correctly, ordinary users cannot delete any files or directories where they do not have permission. Do you have a lot of people with the root password? Do your applications and/or users create files or directories with 777 permissions?


Bill Hassell, sysadmin
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

So what I need to do now is just execute the audusr command in the command line?

Will this show the Username and IP Address of the person who will perform delete?

Thanks in advance!
Bill Hassell
Honored Contributor

Re: Question on Audit Trail (Successful Delete Only)

The adduser command cannot be run by an ordinary user. Only the root user can run adduser. Are you giving the root password to everyone?


Bill Hassell, sysadmin
Analyst
Trusted Contributor

Re: Question on Audit Trail (Successful Delete Only)

Hi,

Go through the man page; if not, use the link below.

http://h21007.www2.hp.com/portal/download/files/unprot/STK/HPUX_STK/impacts/i1004.html

Thanks,
Analyst.
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

Actually, I am root. I am planning to log every user who performs a delete.

In the man pages, executing the audusr command alone audits all users.
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

Hi,

I have a follow-up question. When I was just about to implement this auditing thing, I noticed that the directory /etc/.secure where the audfiles should be located is now gone. I don't know why; maybe someone deleted it, or the OS deleted it, I am not sure.

But is it possible to just recreate this directory? What should be the group owner and permissions of this dir? I can no longer remember the previous permissions that it had before.

I hope someone can help me regarding this.

Thanks in advance!
Dennis Handly
Acclaimed Contributor

Re: Question on Audit Trail (Successful Delete Only)

>the directory /etc/.secure where the audfiles should be located is now gone.

The default name is /.secure/etc. This directory doesn't exist by default.
I assume you can just have root:root own it, writable by root. I suppose you can have rx for group/other.
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

I have already executed audusr -A to audit all users who will log in to the server.

My next question is, what if we reboot the server, do I need to execute the "audusr -A" command again to enable it? Or is it a permanent process that will only be terminated if "audusr -D" is invoked?