01-28-2009 06:52 PM
Re: Question on Audit Trail (Successful Delete Only)
I still can't have my desired output even after executing the audusr command.
Here is the scenario:
Let's say user Dave deleted a file in /home/Dave dir. I am expecting that this transaction will be logged into the Audit Trail logfile with the information like:
1. The username who deleted the dir
2. The filename of the deleted directory
3. The timestamp when the deletion was made
But after testing in which I deleted a directory, I viewed the audfile via sam and got this output instead:
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 243 1506 0 0 0
[ Event=setaudproc; User=root; Real Grp=root; Eff.Grp=root; ]
RETURN_VALUE 1 = 0;
PARAM #1 (int) = 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 57 1506 0 0 3
[ Event=utssys; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
Kindly advise me on how I will be able to achieve my desired outputs.
Thanks!
01-28-2009 07:03 PM
Re: Question on Audit Trail (Successful Delete Only)
Check the man page for audsys and look at the Warnings:
"All modifications made to the audit system are lost upon reboot. To
make the changes permanent, set AUDITING, PRI_AUDFILE, PRI_SWITCH,
SEC_AUDFILE, and SEC_SWITCH in /etc/rc.config.d/auditing."
HOWEVER, it is very important to note that the /.secure/etc is a poor choice for a potentially large logfile pair. The default size is quite small and every selected transaction, whether by the simple rm shell command or from the many actions taken by programs like vi, will be logged. Check the audsys command options and change the default location from /etc to /var, and change the rollover size (which is very small by default). Then edit the auditing config file accordingly to maintain auditing through a reboot.
Bill Hassell, sysadmin
01-28-2009 07:13 PM
Re: Question on Audit Trail (Successful Delete Only)
Don't worry about filesystem fillup on /.secure/etc, I have created a separate FS for this and mounted it already as well.
Thanks!
Hope someone can help me out with my recent question.
01-28-2009 08:11 PM
Re: Question on Audit Trail (Successful Delete Only)
It doesn't appear you are logging anything more than setaudproc and utssys. Either you need to switch to a new logfile before dumping it or you need to wait longer?
When was your test rm vs the 10:39:00 in the log?
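The check described in the reply above, as an added example that is not part of the original thread: a small parser for the audit display layout quoted earlier that tallies which events a dump contains and lists successful delete records with user and timestamp. The `unlink` record for user `dave`, the `F` failure flag and the `unlink`/`rmdir` event names are assumptions made for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the layout shown in the thread. The two root records
# are from the post; the "unlink" record for user dave is invented here.
SAMPLE = """\
090129 10:39:00 27700 S 243 1506 0 0 0
[ Event=setaudproc; User=root; Real Grp=root; Eff.Grp=root; ]
RETURN_VALUE 1 = 0;
PARAM #1 (int) = 1
~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 57 1506 0 0 3
[ Event=utssys; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
~~~~~~~~~~~~~~~~~~~~
090129 10:41:12 27811 S 10 27700 104 104 20
[ Event=unlink; User=dave; Real Grp=users; Eff.Grp=users; ]
RETURN_VALUE 1 = 0;
"""

# Record header: date, time, PID, S/F flag (F for failure is assumed), event number.
HEADER = re.compile(r"^(\d{6}) (\d\d:\d\d:\d\d)\s+(\d+)\s+([SF])\s+(\d+)\s")
EVENT = re.compile(r"^\[\s*Event=([^;]+);\s*User=([^;]+);")
# Assumption: file and directory removal show up under these event names.
DELETE_EVENTS = {"unlink", "rmdir"}

def parse_records(text):
    """Return one dict per audit record; parameter lines are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"date": m[1], "time": m[2], "pid": int(m[3]),
                       "ok": m[4] == "S", "event": None, "user": None}
            records.append(current)
            continue
        m = EVENT.match(line)
        if m and current is not None:
            current["event"], current["user"] = m[1].strip(), m[2].strip()
    return records

def event_counts(records):
    """Tally event names, to see at a glance what the dump actually holds."""
    return Counter(r["event"] for r in records)

def successful_deletes(records):
    return [(r["date"], r["time"], r["user"], r["event"])
            for r in records if r["ok"] and r["event"] in DELETE_EVENTS]
```

Run over only the two records quoted in the thread, `successful_deletes` returns an empty list and `event_counts` shows just `setaudproc` and `utssys`, which is the condition the reply points out.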
01-29-2009 12:35 PM
Re: Question on Audit Trail (Successful Delete Only)