Question on Audit Trail (Successful Delete Only)

SOLVED
sysad_boy
Frequent Advisor

Hi,

I am trying to monitor all users (which includes his/her username and IP address) who execute deletion of files on our server. I thought that enabling Audit Trail (for successful delete only) would help solve my problem, but when I activated it and did some tests, I checked the logfile generated via SAM and, to my surprise, I didn't get the output I was expecting.

Is there a special configuration or setting in enabling Audit Trail to log the user's username and IP address every time he/she executes a delete, regardless of whether it is a directory or a file?


Thanks in advance
Analyst
Trusted Contributor
Solution

Re: Question on Audit Trail (Successful Delete Only)

Hi,

Use the audusr command to perform the task.

The updates will be stored in the current audit file, e.g.:
/.secure/etc/audfile1

Thanks,
Analyst.
Bill Hassell
Honored Contributor

Re: Question on Audit Trail (Successful Delete Only)

If you are managing file permissions and ownership correctly, ordinary users cannot delete any files or directories where they do not have permission. Do you have a lot of people with the root password? Do your applications and/or users create files or directories with 777 permissions?


Bill Hassell, sysadmin
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

So what I need to do now is just execute the audusr command on the command line?

Will this show the Username and IP Address of the person who will perform delete?

Thanks in advance!
Bill Hassell
Honored Contributor

Re: Question on Audit Trail (Successful Delete Only)

The adduser command cannot be run by an ordinary user. Only the root user can run adduser. Are you giving the root password to everyone?


Bill Hassell, sysadmin
Analyst
Trusted Contributor

Re: Question on Audit Trail (Successful Delete Only)

Hi,

Go through the man page; if not, use the link below.

http://h21007.www2.hp.com/portal/download/files/unprot/STK/HPUX_STK/impacts/i1004.html

Thanks,
Analyst.
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

Actually I am root. I am planning to log every user who performs a delete.

According to the man pages, executing the audusr command alone audits all users.
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

Hi,

I have a follow-up question. When I was just about to implement this auditing thing, I noticed that the directory /etc/.secure, where the audfiles should be located, is now gone. I don't know why; maybe someone deleted it, or the OS deleted it, I am not sure.

But is it possible to just recreate this directory? What should be the group owner and permissions of this dir? I can no longer remember the previous permissions that it had before.

I hope someone can help me regarding this.

Thanks in advance!

Re: Question on Audit Trail (Successful Delete Only)

> the directory /etc/.secure where the audfiles should be located is now gone.

The default name is /.secure/etc. This directory doesn't exist by default.
I assume you can just have root:root own it with writable by root. I suppose you can have rx for group/other.
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

I have already executed audusr -A to perform an audit to all users who will login to the server.

My next question is, what if we reboot the server, do I need to execute the "audusr -A" command again to enable it? Or is it a permanent process that will only be terminated if "audusr -D" is invoked?
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

As a follow up question,

I still can't get my desired output even after executing the audusr command.

Here is the scenario:

Let's say user Dave deleted a file in /home/Dave dir. I am expecting that this transaction will be logged into the Audit Trail logfile with the information like:

1. The username who deleted the dir
2. The filename of the deleted directory
3. The timestamp when the deletion was made

But after testing in which I deleted a directory, I viewed the audfile via sam and got this output instead:


All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 243 1506 0 0 0
[ Event=setaudproc; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (int) = 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
090129 10:39:00 27700 S 57 1506 0 0 3
[ Event=utssys; User=root; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;



Kindly advise me on how I will be able to achieve my desired outputs.



Thanks!
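The audit display above can be reduced to just the successful deletions the question is after (date, time, user, event). This is an added example, not code from the thread; it assumes that audisp prints the record header and "[ Event=...; User=...; ]" lines in the layout shown above, and that file and directory deletions appear under the event names unlink and rmdir. The records fed to it are constructed sample data, not a real log.

```shell
#!/bin/sh
# Filter audisp-style text down to successful file/directory deletions.
# Assumption: deletions are logged with Event=unlink (files) and
# Event=rmdir (directories); adjust if your audisp output names them differently.

delete_events() {
  # Reads audisp text on stdin.  A record starts with a header line
  # "YYMMDD HH:MM:SS PID E EVENT PPID AID RUID RGID", where column E is
  # S for a successful call and F for a failed one, followed by a
  # "[ Event=...; User=...; ... ]" line naming the syscall and the user.
  awk '
    /^[0-9][0-9][0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] / {
      date = $1; time = $2; status = $4; next
    }
    /^\[ Event=/ {
      ev = $0;  sub(/.*Event=/, "", ev);  sub(/;.*/, "", ev)
      usr = $0; sub(/.*User=/, "", usr);  sub(/;.*/, "", usr)
      if (status == "S" && (ev == "unlink" || ev == "rmdir"))
        printf "%s %s %s %s\n", date, time, usr, ev
    }
  '
}

# Constructed sample records in the format shown in the thread (not a real log):
# the setaudproc record from the post, then a successful unlink, a failed
# unlink (status F, must be ignored) and a successful rmdir by user dave.
sample_audit='090129 10:39:00 27700 S 243 1506 0 0 0
[ Event=setaudproc; User=root; Real Grp=root; Eff.Grp=root; ]
RETURN_VALUE 1 = 0;
PARAM #1 (int) = 1
090129 10:41:12 27811 S 64 1506 105 20 3
[ Event=unlink; User=dave; Real Grp=users; Eff.Grp=users; ]
RETURN_VALUE 1 = 0;
090129 10:41:30 27812 F 64 1506 105 20 3
[ Event=unlink; User=dave; Real Grp=users; Eff.Grp=users; ]
RETURN_VALUE 1 = -1;
090129 10:42:05 27820 S 65 1506 105 20 3
[ Event=rmdir; User=dave; Real Grp=users; Eff.Grp=users; ]
RETURN_VALUE 1 = 0;'

# Prints two lines: the successful unlink and the successful rmdir by dave.
printf '%s\n' "$sample_audit" | delete_events
```

In practice the input would come from audisp reading the live audfile; the filename itself is carried in the PARAM lines of the record, which this filter does not parse.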
Bill Hassell
Honored Contributor

Re: Question on Audit Trail (Successful Delete Only)

> My next question is, what if we reboot the server, do I need to execute the "audusr -A" command again to enable it? Or is it a permanent process that will only be terminated if "audusr -D" is invoked?

Check the man page for audsys and look at the Warnings:

"All modifications made to the audit system are lost upon reboot. To
make the changes permanent, set AUDITING, PRI_AUDFILE, PRI_SWITCH,
SEC_AUDFILE, and SEC_SWITCH in /etc/rc.config.d/auditing."

HOWEVER, it is very important to note that /.secure/etc is a poor choice for a potentially large logfile pair. The default size is quite small, and every selected transaction, whether by the simple rm shell command or from the many actions taken by programs like vi, will be logged. Check the audsys command options and change the default location from /etc to /var, and change the rollover size (which is very small by default). Then edit the auditing config file accordingly to maintain auditing through a reboot.


Bill Hassell, sysadmin
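The settings the audsys warning names can be put in /etc/rc.config.d/auditing so that auditing survives a reboot with the audit files moved off the root filesystem, as the reply above recommends. This is an added example, not the thread's own file; the variable names are the ones quoted from the man page, while the /var paths and the switch sizes are assumed illustrative values (the switch size is assumed to be in kilobytes, matching the audsys -s option).

```shell
# /etc/rc.config.d/auditing -- example contents (assumed values, not a real system's file)

# 1 = start the audit system at boot; 0 = leave it off.
AUDITING=1

# Primary and secondary audit files.  Keep them off the root filesystem
# (/.secure/etc) and on a dedicated, larger filesystem under /var instead.
PRI_AUDFILE=/var/.secure/etc/audfile1
SEC_AUDFILE=/var/.secure/etc/audfile2

# Size at which the audit system switches from the primary file to the
# secondary one (assumed to be in KB).  Raise it well above the small
# default so that normal activity such as vi sessions does not roll the
# files over every few minutes.
PRI_SWITCH=200000
SEC_SWITCH=200000
```

After editing the file, the audsys settings applied by hand must match it, or the next reboot reverts to whatever the file says.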
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

Hi Bill thanks to your response,

Don't worry about filesystem fill-up on /.secure/etc; I have created a separate FS for this and mounted it already as well.

Thanks!

Hope someone can help me out with my recent question.

Re: Question on Audit Trail (Successful Delete Only)

> Kindly advise me on how will I be able to achieve my desired outputs.

It doesn't appear you are logging anything more than setaudproc and utssys. Either you need to switch to a new logfile before dumping it or you need to wait longer?

When was your test rm vs the 10:39:00 in the log?
sysad_boy
Frequent Advisor

Re: Question on Audit Trail (Successful Delete Only)

I ran the test a minute after I enabled the Audit Trail.