Operating System - HP-UX

Re: Question on Audit Trail (Successful Delete Only)

sysad_boy
Frequent Advisor

As a follow-up question:

I still can't get my desired output even after executing the audusr command.

Here is the scenario:

Let's say user Dave deleted a file in the /home/Dave dir. I am expecting that this transaction will be logged in the Audit Trail logfile with information like:

1. The username who deleted the dir
2. The filename of the deleted directory
3. The timestamp when the deletion was made

But after testing, in which I deleted a directory, I viewed the audfile via SAM and got this output instead:


All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 243 1506 0 0 0
[ Event=setaudproc; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (int) = 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 57 1506 0 0 3
[ Event=utssys; User=root; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;

Kindly advise me on how I will be able to achieve my desired output.

Thanks!
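The three fields the post asks for (user, deleted path, time) can be pulled out of audisp output once the delete event class is being written to the audit file. The following is an added example, not code from the thread. It assumes the record layout audisp prints, as in the screen above; that delete-class records show the system call name (unlink or rmdir) in the Event= field rather than the word delete; and that the path argument of the call appears on a later line of the record in double quotes. The sample records, usernames and paths are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Reduce audisp output to one line per
# successful delete: "<date time> TAB <user> TAB <path>".
#
# On the HP-UX host the input would come from something like
#   audisp -p -e delete /var/.secure/audit/audfile1 > /tmp/deletes.txt
# (-p = successful events only, -e = event class; the file path is assumed).
# The awk filter below still checks the S/F column and RETURN_VALUE itself,
# so it also works on an unfiltered dump such as the one SAM displays.
#
# Usage: successful_deletes [user] < audisp_output
successful_deletes() {
    awk -v want_user="${1:-}" '
        # "~~~~" separates records: flush whatever was collected so far
        /^~~~~/ { emit(); next }
        # record header: "YYMMDD HH:MM:SS PID S|F EVENT PPID AID RUID RGID"
        /^[0-9][0-9][0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] / {
            emit(); stamp = $1 " " $2; status = $4; next
        }
        # "[ Event=unlink; User=Dave; Real Grp=users; Eff.Grp=users; ]"
        /^\[ Event=/ {
            ev = $0; sub(/.*Event=/, "", ev); sub(/;.*/, "", ev)
            u  = $0; sub(/.*User=/,  "", u);  sub(/;.*/, "", u)
            next
        }
        # "RETURN_VALUE 1 = 0;"  (0 = the call succeeded)
        /^RETURN_VALUE/ { ret = $0; sub(/.*= */, "", ret); sub(/;.*/, "", ret); next }
        # assumed: the path argument is printed on its own line in double quotes
        /"\/[^"]*"/ { p = $0; sub(/^[^"]*"/, "", p); sub(/".*$/, "", p); path = p; next }
        function emit() {
            # delete class = unlink/rmdir system calls (assumed names)
            if (ev ~ /^(unlink|rmdir)$/ && status == "S" && ret == "0" &&
                (want_user == "" || u == want_user))
                print stamp "\t" u "\t" path
            stamp = ""; status = ""; ev = ""; u = ""; ret = ""; path = ""
        }
        END { emit() }
    '
}

# Constructed sample in the shape audisp prints: the setaudproc record from
# the post, a successful unlink by Dave, a failed rmdir by Dave, and a
# successful unlink by root. Event numbers and inode values are made up.
SAMPLE_AUDISP=$(cat <<'EOF'
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 243 1506 0 0 0
[ Event=setaudproc; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (int) = 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:41:12 27812 S 10 27700 1506 101 20
[ Event=unlink; User=Dave; Real Grp=users; Eff.Grp=users; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
1234 (inode);
"/home/Dave/test.txt"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:41:30 27812 F 137 27700 1506 101 20
[ Event=rmdir; User=Dave; Real Grp=users; Eff.Grp=users; ]

RETURN_VALUE 1 = -1;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
1240 (inode);
"/home/Dave/keep"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:42:05 27900 S 10 27000 1000 0 3
[ Event=unlink; User=root; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
9001 (inode);
"/tmp/scratch.log"
EOF
)

# Demo on the constructed sample; on a real host use the audisp dump instead:
#   successful_deletes Dave < /tmp/deletes.txt
printf '%s\n' "$SAMPLE_AUDISP" | successful_deletes Dave
```

The filter keeps the failed rmdir out because both the S/F column and RETURN_VALUE say so, which is the same test audisp -p applies; keying on the syscall name rather than on an event-class word is what makes the setaudproc and utssys records from the screen above fall through.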
Bill Hassell
Honored Contributor

> My next question is, what if we reboot the server, do I need to execute the "audusr -A" command again to enable it? Or is it a permanent process that will only be terminated if "audusr -D" is invoked?

Check the man page for audsys and look at the Warnings:

"All modifications made to the audit system are lost upon reboot. To
make the changes permanent, set AUDITING, PRI_AUDFILE, PRI_SWITCH,
SEC_AUDFILE, and SEC_SWITCH in /etc/rc.config.d/auditing."

HOWEVER, it is very important to note that /.secure/etc is a poor choice for a potentially large logfile pair. The default size is quite small, and every selected transaction, whether from the simple rm shell command or from the many actions taken by programs like vi, will be logged. Check the audsys command options and change the default location from /etc to /var, and change the rollover size (which is very small by default). Then edit the auditing config file accordingly to maintain auditing through a reboot.


Bill Hassell, sysadmin
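Bill's two points, persistence through a reboot and moving the audit files off the root filesystem, as an added example that is not the thread's own file: a /etc/rc.config.d/auditing that sets the five variables the quoted man-page warning names. The file is plain sh syntax (the auditing startup script sources it), so it can be sourced in a shell to check the values. The /var mount point, the switch sizes, the shipped defaults shown commented out, the AUDEVENT_ARGS1 variable and the username Dave are assumptions.

```sh
# /etc/rc.config.d/auditing  (added example; values are assumptions)
# Sourced at boot by the auditing startup script, so plain sh assignments only.

AUDITING=1                              # 1 = start auditing at boot, 0 = leave it off

# Shipped defaults (assumed): both files under /.secure/etc, switch at 1000 kB.
# /.secure/etc lives on the root filesystem, which is what the post above warns against.
#PRI_AUDFILE=/.secure/etc/audfile1
#PRI_SWITCH=1000
#SEC_AUDFILE=/.secure/etc/audfile2
#SEC_SWITCH=1000

# Relocated to a dedicated filesystem (assumed mount point) with a larger
# switch size. The audit system moves from PRI_AUDFILE to SEC_AUDFILE once
# the primary file reaches PRI_SWITCH kB, and back again at SEC_SWITCH kB.
PRI_AUDFILE=/var/.secure/audit/audfile1
PRI_SWITCH=51200
SEC_AUDFILE=/var/.secure/audit/audfile2
SEC_SWITCH=51200

# Event selection made with audevent is not among the five variables above.
# Re-run it from a local startup script or, on releases whose auditing file
# provides AUDEVENT_ARGS1 (assumed), put the same arguments there:
#AUDEVENT_ARGS1="-P -e delete"

# Bring the running system in line with this file without waiting for a
# reboot. The commands are HP-UX specific, so the function is only defined
# here; call it by hand, as root, on the HP-UX host after sourcing the file.
apply_now() {
    audevent -P -e delete                       # log successful unlink/rmdir
    audusr -A Dave                              # audit this user (assumed name)
    audsys -n -c "$PRI_AUDFILE" -s "$PRI_SWITCH" \
              -x "$SEC_AUDFILE" -z "$SEC_SWITCH" # start auditing on the new file pair
}
```

Sourcing the file and then running apply_now gives the same result immediately that the startup script produces at the next boot; audevent -l (list) and audsys with no options show what the kernel currently has, which is the quick way to confirm that a reboot did not silently put the defaults back.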
sysad_boy
Frequent Advisor

Hi Bill, thanks for your response.

Don't worry about filesystem fill-up on /.secure/etc; I have created a separate FS for this and mounted it already as well.

Thanks!

Hope someone can help me out with my recent question.
Dennis Handly
Acclaimed Contributor

>Kindly advise me on how will I be able to achieve my desired outputs.

It doesn't appear you are logging anything more than setaudproc and utssys. Either you need to switch to a new logfile before dumping it or you need to wait longer?

When was your test rm vs the 10:39:00 in the log?
sysad_boy
Frequent Advisor

I ran the test a minute after I had enabled the Audit Trail.