HPE Community
Operating System - HP-UX
1834461 Members
3058 Online
110067 Solutions
New Discussion

auditing on HP-UX 11iv2 change log does not occur

 
WayneHP
Frequent Advisor

‎02-24-2009 11:48 AM

‎02-24-2009 11:48 AM

auditing on HP-UX 11iv2 change log does not occur

I can not find any documentation on implementing the auditing features besides the man pages and I can not seem to get an automated change of the auditing log to occur.

Configuring /etc/rc.config.d/auditing to have:
AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail-pri
PRI_SWITCH=4096
SEC_AUDFILE=/var/.audit/audtrail-sec
SEC_SWITCH=4096
#AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin"
AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin -e delete -e removable -e open"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS="-p 20 -t 1 -w 90"

After /var/.audit/audtrail-sec is over 4096KBs

the audomon starts giving warnings every minute.

It would seem that a audsys command needs to be run to give a new file not Primary or Secondary to write to.

How is this automated?

On HP-UX 11i v3 you leave secondary blank and it appends yyyymmdd_hhmm to the primary file name and continues on nicely.

Some output
pvwpro03:/root # audsys
auditing system is currently on
current file: /var/.audit/audtrail-sec
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 4096 12478 -204 10485760 3327224 68
next file: none

messages
Must specify a backup file now !
current audit file size is 12476 kilobytes!!!
an attempt to switch to the backup file failed.
Must specify a backup file now !
current audit file size is 12487 kilobytes!!!
an attempt to switch to the backup file failed.
Must specify a backup file now !

It seems to perhaps need a cron job but I would like to see a documented procedure if possible.

Thanks,
Wayne

0 Kudos
Reply
2 REPLIES 2
Steven E. Protter
Exalted Contributor

‎02-24-2009 12:26 PM

‎02-24-2009 12:26 PM

Re: auditing on HP-UX 11iv2 change log does not occur

Shalom,


This appears to be a trusted system.

Trusted systems default configuration is to the root filesystem, which is pretty easy to fill up.

I recommend redirecting these logs to a mounted file system and changing your rotation configuration.

Here is the doc

http://docs.hp.com/en/4AA0-4052ENW/4AA0-4052ENW.pdf

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
WayneHP
Frequent Advisor

‎02-25-2009 08:00 AM

‎02-25-2009 08:00 AM

Re: auditing on HP-UX 11iv2 change log does not occur

Did you send me the right PDF?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.