Operating System - HP-UX

auditing runs differently if rebooted vs invoked from SAM


Through SAM running on an HP-UX 11i trusted system, I have enabled auditing for the system event moddac, but turned off auditing on the system calls semop, semctl and utssys, because 99% of my audit log would be filled with these entries. If I then turn on auditing from SAM, life is good. But when I reboot, audomon ignores my params and starts collecting these entries, filling my audit log at the rate of 30 MB per hour on an almost idle system.

Is it possible that one must either accept all the entries in Audited events and not turn any individual system calls off? This implies that if I want to audit most of the syscalls in moddac, I must use the option Audited system calls and turn them on, as opposed to turning on the Audited event modaccess and turning off only the system calls I don't want.

Re: auditing runs differently if rebooted vs invoked from SAM

Not being patient, I also logged a call with HP for the same problem. Here is their response... Step 4 is what finally resolved my problem. Life is good again.

This might be a known problem. They found this in 11.0 and said that the changes were going to be implemented in 11.20. I believe that this leaves us with the same issue.

****************************************************************

Action Plan

PHCO_31314 s700_800 11.11 cumulative SAM patch

1. When you make changes through SAM, are the changes reflected in /etc/rc.config.d/auditing?

2. Be sure to move any backup files in /etc/rc.config.d, since they might be being sourced last, negating any changes.

3. You can use audevent to make changes to the Auditing system
audevent - change or display event or system call audit status

4. The auditing part will be fixed in HP-UX 11.20, or you can make the following change to the audit startup script and give this a try:

Edit the file /sbin/init.d/auditing and add the following lines to the
'start' function:
$ vi /sbin/init.d/auditing
...
    if [ "$AUDEVENT_ARGS2" ]; then
        eval `echo /usr/sbin/audevent $AUDEVENT_ARGS2`
        set_return
    fi

    if [ "$AUDEVENT_ARGS3" ]; then
        eval `echo /usr/sbin/audevent $AUDEVENT_ARGS3`
        set_return
    fi

    if [ "$AUDEVENT_ARGS4" ]; then                         # add
        eval `echo /usr/sbin/audevent $AUDEVENT_ARGS4`     # add
        set_return                                         # add
    fi                                                     # add
fi    # closes the enclosing if of the 'start' case (not shown in this excerpt)
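What actually happens at boot, as an added example (this is not code from the thread or from HP): the script below reproduces the two failure modes named in the action plan on any POSIX shell, using a constructed stand-in for /etc/rc.config.d and a stub audevent shell function in place of /usr/sbin/audevent, so it runs without an HP-UX box. It assumes the layout of /etc/rc.config.d/auditing as I read the 11i file (AUDEVENT_ARGS1 and ARGS2 enable events and system calls, AUDEVENT_ARGS3 and ARGS4 disable them) and the audevent flags -P/-F (enable success/failure auditing), -p/-f (disable), -e event and -s syscall; both are assumptions to verify against your own system before relying on them.

```shell
#!/bin/sh
# Added example, not from the HP-UX thread or HP's patch. Shows why disabled
# system calls come back after a reboot (the start function never reaches
# AUDEVENT_ARGS4) and why a stale backup file in /etc/rc.config.d undoes a fix.
# Assumed variable layout and audevent flags: verify on a real HP-UX system.

# Constructed stand-in for /etc/rc.config.d with the settings from the question.
make_rc_config_d() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/auditing" <<'EOF'
AUDITING=1
AUDEVENT_ARGS1="-P -F -e moddac"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4="-p -f -s semop -s semctl -s utssys"
EOF
}

# Step 2 of the action plan: /etc/rc.config sources every file in
# /etc/rc.config.d in glob order, so a leftover auditing.bak (sorted after
# "auditing") is sourced last and silently overrides the edited file.
add_stale_backup() {
    cat > "$1/auditing.bak" <<'EOF'
AUDITING=1
AUDEVENT_ARGS1="-P -F -e moddac"
AUDEVENT_ARGS4=""
EOF
}

# Mimic /etc/rc.config: source everything in the directory, in glob order.
source_rc_config_d() {
    AUDEVENT_ARGS1=; AUDEVENT_ARGS2=; AUDEVENT_ARGS3=; AUDEVENT_ARGS4=
    for f in "$1"/*; do
        [ -f "$f" ] && . "$f"
    done
}

# Stub audevent: prints the command line the real /usr/sbin/audevent would get.
audevent() { echo "audevent $*"; }

# The 'start' function of /sbin/init.d/auditing, parameterised by how many
# AUDEVENT_ARGSn variables it honours: 3 for the unpatched script, 4 after
# adding the block from the action plan. The real script has one hard-coded
# if block per variable; the loop is equivalent for this purpose.
audit_start() {
    n=$1
    i=1
    while [ "$i" -le "$n" ]; do
        eval "args=\$AUDEVENT_ARGS$i"
        if [ "$args" ]; then
            audevent $args
        fi
        i=$((i + 1))
    done
}

# Run one boot scenario and print the resulting audevent invocations.
# $1 = number of AUDEVENT_ARGSn honoured, $2 = "stale" to plant auditing.bak
run_scenario() {
    tmp=$(mktemp -d)
    make_rc_config_d "$tmp"
    [ "$2" = stale ] && add_stale_backup "$tmp"
    source_rc_config_d "$tmp"
    audit_start "$1"
    rm -rf "$tmp"
}
```

`run_scenario 3` (the unpatched start function, which stops at AUDEVENT_ARGS3) only ever issues `audevent -P -F -e moddac`; the `-p -f -s semop -s semctl -s utssys` line that SAM wrote into AUDEVENT_ARGS4 is never run, which is exactly the post-reboot flood in the question. `run_scenario 4` issues both lines. `run_scenario 4 stale` shows that even the patched script loses the setting again when an auditing.bak with an empty AUDEVENT_ARGS4 is left behind in /etc/rc.config.d, which is why step 2 matters on its own.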

Re: auditing runs differently if rebooted vs invoked from SAM

Problem resolved per step 4.