1825776
Members
1961
Online
109687
Solutions
Ah yes, the auditing subsystem... it takes quite a lot of managment to control this correctly, but let me give you an overview:
1. Start by reading audit(5) :
man 5 audit
2. Yes the first file you specify is the audit file used, the second is a backup - when the first fills it starts using the backup. It doesn't necessarily go back to the first file unless you tell it to - better to go to an entirely new file. What we did at some of my old sites was to have a monitor script that kicked in once an hour and assigned a nwe backup file if required. You can do all this from the command line using the audsys command. So in your case to move on to another file you might have entered:
audsys -x /.secure/etc/audfile3 -z 1000
3. By default audit logs are written into the root filesystem !DANGER DANGER! This can easily fill up your root filesystem and you don't want to go there. Either create a seperate filesystem called /.secure or redirect the files to another location.
4. Now what events and users do you want to monitor - if you want to monitor all events and all users that can create a *lot* of data. When I asked my security team what they wanted they said everything and kept for 3 years! A quick calculation of data generated told me that for all our HP-UX systems that would create upwards of a TB of data every year that needed to be kept. When I submitted the costs to the security team for them to pay for this storage they decided they didn't need to see everything! Here use the audevent and audusr commands to control what you do and don't audit.
HTH
Duncan
I am an HPE Employee
1. Start by reading audit(5) :
man 5 audit
2. Yes the first file you specify is the audit file used, the second is a backup - when the first fills it starts using the backup. It doesn't necessarily go back to the first file unless you tell it to - better to go to an entirely new file. What we did at some of my old sites was to have a monitor script that kicked in once an hour and assigned a nwe backup file if required. You can do all this from the command line using the audsys command. So in your case to move on to another file you might have entered:
audsys -x /.secure/etc/audfile3 -z 1000
3. By default audit logs are written into the root filesystem !DANGER DANGER! This can easily fill up your root filesystem and you don't want to go there. Either create a seperate filesystem called /.secure or redirect the files to another location.
4. Now what events and users do you want to monitor - if you want to monitor all events and all users that can create a *lot* of data. When I asked my security team what they wanted they said everything and kept for 3 years! A quick calculation of data generated told me that for all our HP-UX systems that would create upwards of a TB of data every year that needed to be kept. When I submitted the costs to the security team for them to pay for this storage they decided they didn't need to see everything! Here use the audevent and audusr commands to control what you do and don't audit.
HTH
Duncan
I am an HPE Employee