Operating System - HP-UX
A. Daniel King_1
Super Advisor

Audit trail/log examples?

Hi, folks.

Could anyone please point me to some sample output from process auditing?

I'm looking at turning this on, but I'd like to know a little better what I can expect to see. I'm hoping that this will provide a nice compliment (replacement?) for process accounting - and help me better answer the question, "What was running at the time?"

Thanks.
Command-Line Junkie
harry d brown jr
Honored Contributor

Re: Audit trail/log examples?

This thread has a great answer from JRF:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x33b9854994d9d4118fef0090279cd0f9,00.html

live free or die
harry
Live Free or Die
harry d brown jr
Honored Contributor

Re: Audit trail/log examples?

Actually I should say ANSWERS as in multiple!

live free or die
harry
Live Free or Die
A. Daniel King_1
Super Advisor

Re: Audit trail/log examples?

Ahhh. The very docs I used to set up _accounting_. I am interested more specifically in auditing, i.e., man audsys.
Command-Line Junkie
Darren Prior
Honored Contributor
Solution

Re: Audit trail/log examples?

Hi,

I've attached a text file showing output from the audisp command with a minimal number of events being audited. The audevent command at the top of the file shows what was set up. I then attempted to login with an invalid account, followed by logging in and then chmod'ing a file.

If you're after documentation for auditing, I'd start with the audit(5) man page; http://docs.hp.com also has further info.

regards,

Darren.
Calm down. It's only ones and zeros...
A. Daniel King_1
Super Advisor

Re: Audit trail/log examples?

Fantastic! Can the user-definable categories easily be set to capture all processes?
Command-Line Junkie
doug hosking
Esteemed Contributor

Re: Audit trail/log examples?

Capturing all records for all processes is easy. 'audevent -PFE' will select all record types for both system calls and self-auditing records. You don't have to do anything special (such as with audusr) to select all users. It would be a good idea to be sure you are current on patches for inetd and audisp. Also keep in mind that auditing everything can chew up an impressive amount of disk space. Be careful which file system you use to hold the audit logs, so you don't create full disk headaches for yourself.

One more caveat:
Processes may not be properly audited unless they are started AFTER auditing is turned on.
This is as designed but can be confusing.
See /etc/rc.config.d/auditing to enable auditing automatically as the system boots.

Anonymous
Not applicable

Re: Audit trail/log examples?

In addition to Doug:
the auditing switches to a 2nd logfile upon a certain (configurable) size. If this is full too, this could mean that events cannot be logged anymore. To prevent this, root is the only user who can still work in this situation.

take care, Tom
A. Daniel King_1
Super Advisor

Re: Audit trail/log examples?

Could you define - or get me in the ballpark - for an "impressive amount of disk space"?

Tens/Hundreds of GB? I'm trying to get a feel for how much space I'd need for a week's worth of information on a very busy system.

Thanks, all!
Command-Line Junkie
Deshpande Prashant
Honored Contributor

Re: Audit trail/log examples?

Hi,
with auditing turned on, the space required will vary, based on the number of events/users audited and events occurring.
Prefer creating a separate VG/file system for auditing and mount/link in /.secure/etc

Thanks.
Prashant.
Take it as it comes.
doug hosking
Esteemed Contributor

Re: Audit trail/log examples?

Questions re disk space are hard to answer, since it depends so much on machine size/speed/load, applications you run, which users/events are selected for auditing, etc. Planning for something in the range of hundreds of megabytes to 5 or so GB on a dedicated logical volume is probably a good place to start. Once you get some real data for your system you can adjust up or down as needed.
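As an added example (not from the thread or from HP), here is a small Python check of an /etc/rc.config.d/auditing fragment against the filesystem that will hold the audit files, covering the points Doug and Tom raise above: both audit files configured, a boot-time enable, and enough room that filling both files still leaves the filesystem usable. The variable names (PRI_AUDFILE, PRI_SWITCH, SEC_AUDFILE, SEC_SWITCH, AUDEVENT_ARGS1, AUDOMON_ARGS) and the reading of audomon's -p option as a minimum free-space percentage are assumptions based on HP-UX 11i documentation; the sample config and filesystem sizes are constructed.

```python
import re

# Constructed sample in the /etc/rc.config.d/auditing style; the variable
# names are assumed from HP-UX 11i documentation, not taken from the thread.
SAMPLE_CONFIG = """\
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000          # KB written before audomon switches files
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -E "
AUDOMON_ARGS=" -p 20 -t 1 -w 90 "
"""

def parse_rc_config(text):
    """Parse NAME=value shell assignments, dropping comments and quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # values with '#' inside quotes are not supported
        m = re.match(r"^([A-Z_][A-Z0-9_]*)=(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip("\"'").strip()
    return conf

def check_audit_config(conf, fs_size_kb, fs_free_kb):
    """Return findings for a parsed config, given the size and free space in KB
    (as bdf reports them) of the filesystem that holds the audit files."""
    findings = []
    if conf.get("AUDITING") != "1":
        findings.append("AUDITING is not 1: auditing will not start at boot")
    pri, sec = conf.get("PRI_AUDFILE"), conf.get("SEC_AUDFILE")
    if not pri or not sec:
        findings.append("both PRI_AUDFILE and SEC_AUDFILE must be set")
    elif pri == sec:
        findings.append("PRI_AUDFILE and SEC_AUDFILE point at the same file")
    pri_kb = int(conf.get("PRI_SWITCH") or 0)
    sec_kb = int(conf.get("SEC_SWITCH") or 0)
    if pri_kb <= 0 or sec_kb <= 0:
        findings.append("PRI_SWITCH and SEC_SWITCH must be positive KB values")
    # audomon -p (assumed meaning): minimum free-space percentage it wants on the
    # audit filesystem; default to 20 if absent. Both files full must leave it.
    m = re.search(r"-p\s+(\d+)", conf.get("AUDOMON_ARGS", ""))
    min_free_pct = int(m.group(1)) if m else 20
    free_after_kb = fs_free_kb - (pri_kb + sec_kb)
    if free_after_kb * 100 < min_free_pct * fs_size_kb:
        findings.append("filesystem too small: %d KB free once both audit files "
                        "fill, below %d%% of %d KB" % (free_after_kb, min_free_pct, fs_size_kb))
    if any("-E" in v for k, v in conf.items() if k.startswith("AUDEVENT_ARGS")):
        findings.append("all event types selected (-E): expect heavy log growth")
    return findings
```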