Operating System - HP-UX

Re: Auditing for actions on a specific file

Rob Viets
Occasional Advisor

Auditing for actions on a specific file

I am running auditing on an HPUX 11.0 machine, and would like to be able to filter the results for what happened to a specific file.

I would like to know who and when the file was created, read, and deleted. Changes in permissions would be good as well.

All of this information is in the audit files, but the audisp command doesn't seem to work this way.

Is there another tool for reading these files?
RAC_1
Honored Contributor

Re: Auditing for actions on a specific file

Audit won't work that way. It can not monitor/record for a single file.

You can audit the system calls that may be specific to file changes, but not a particular file.

Unix keeps the three times with respect to file/dir.

ll -c --> Change time. Change time is the creation time until the file is changed. Once the ctime is modified, the creation time cannot be known.
ll -u --> Access time. (atime) When a file was accessed.
ll -t --> Modification time (mtime)

You may look into VCS, Clearcase etc for this.

Anil
There is no substitute to HARDWORK
Darren Prior
Honored Contributor

Re: Auditing for actions on a specific file

Hi,

audisp is the only HP supplied tool that I'm aware of that can read the files. If it's not sufficient then you could write your own tool to read the auditing files; audit(4) contains information on the structure of the files.

regards,

Darren.
Calm down. It's only ones and zeros...
Rob Viets
Occasional Advisor

Re: Auditing for actions on a specific file

I read the man page about the structure of the files. It seems to be incomplete, as the first record doesn't quite fit the description.

Is there a more complete reference, or perhaps a sample program someone has written that I could modify for my own needs?
Rodney Hills
Honored Contributor

Re: Auditing for actions on a specific file

Check out IDS/9000 from HP's software depot. It is for security monitoring, but could be used to monitor a specific file/folder.

HTH

-- Rod Hills
There be dragons...
Muthukumar_5
Honored Contributor

Re: Auditing for actions on a specific file

Hi,

We can know the auditing results easily with audisp commands. If you enable the events for auditing with SAM, then use audisp -e (e.g. audisp -e process). You can easily filter based on username(s), event name(s), syscall(s) or time (with year support too) with audisp.


We can get the auditing file information as,

# audsys
auditing system is currently off
current file: /.secure/etc/audfile1
next file: /.secure/etc/audfile2
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000 38 96 59981824 15186496 75
next file: 1000 0 100 59981824 15186496 75


(or)
with /etc/rc.config.d/auditing configuration file. It will contain the present auditing file and replacing auditing file.

The filename structure contains information such as (audit pathname cnode, audit pathname device, audit pathname inode,
audit pathname length, audit pathname in characters, ptr to next filename)

pathname device - use bdf or du
BDF>>
Filesystem kbytes used avail %used Mounted on
/dev/vg00/lvol3 59981824 15186496 44461696 25% /
du>>
80 /.secure/etc/audfile1
pathname inode - use df
DF>>
/ (/dev/vg00/lvol3 ): 88923392 blocks 1399840 i-nodes

To know the file permission and time ( creation,modify,change ) use the ll command ( use RAC's response to know more)

Use audomon to get the warning or notification about audit file overflow and audit file storage information. See the audomon man page for more details.

Add all the features in a simple shell script to know all the information about an auditing file.

Regards,
Muthukumar.
Easy to suggest when don't know about the problem!
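As an added example (not the poster's attached script), here is the kind of shell script the post describes: it parses the audsys output quoted above for the on/off state, the current and next audit file, and the free percentages, and fails when auditing is off or an audit file or its file system is running low, so a cron job can alert before the audit trail stops. SAMPLE is constructed from the listing in the post; on a live system replace it with "$(audsys)".

```shell
#!/bin/sh
# Constructed sample: the audsys output quoted in the thread. On a real host use: OUT=$(audsys)
SAMPLE='auditing system is currently off
current file: /.secure/etc/audfile1
next file: /.secure/etc/audfile2
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000 38 96 59981824 15186496 75
next file: 1000 0 100 59981824 15186496 75'

# Prints "on" or "off": the last word of the status line.
audit_state() {
    printf '%s\n' "$1" | awk '/auditing system is currently/ { print $NF }'
}

# Prints the path of the "current" or "next" audit file ($2 selects which).
audit_file() {
    printf '%s\n' "$1" | awk -v which="$2" \
        '$1 == which && $2 == "file:" && NF == 3 { print $3 }'
}

# The statistics line for a file has 8 fields: afs Kb, used Kb, avail %, fs Kb, used Kb, avail %.
# Field 5 is the percentage of the audit file (afs) still free.
afs_avail_pct() {
    printf '%s\n' "$1" | awk -v which="$2" \
        '$1 == which && $2 == "file:" && NF == 8 { print $5 }'
}

# Field 8 is the free percentage of the file system holding the audit file.
fs_avail_pct() {
    printf '%s\n' "$1" | awk -v which="$2" \
        '$1 == which && $2 == "file:" && NF == 8 { print $8 }'
}

# Returns 0 when auditing is on and the current/next audit file and the file
# system all keep at least $2 percent free; otherwise prints the reasons and returns 1.
check_audit() {
    out="$1"; min="${2:-20}"; rc=0
    [ "$(audit_state "$out")" = on ] || { echo "WARN: auditing is off"; rc=1; }
    for which in current next; do
        pct=$(afs_avail_pct "$out" "$which")
        [ "${pct:-0}" -ge "$min" ] || { echo "WARN: $which audit file only ${pct:-?}% free"; rc=1; }
    done
    pct=$(fs_avail_pct "$out" current)
    [ "${pct:-0}" -ge "$min" ] || { echo "WARN: audit file system only ${pct:-?}% free"; rc=1; }
    return $rc
}

check_audit "$SAMPLE" 20 || echo "audit check failed (rc=$?)"
```

With the sample above the check fails because auditing is off; the percentages (96, 100 and 75) are all above the 20% threshold.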
Muthukumar_5
Honored Contributor

Re: Auditing for actions on a specific file

Hi,

The attached script may be useful to know about auditing file details, auditing space usage and the auditing enablement check.

Regards,
Muthukumar.
Easy to suggest when don't know about the problem!