HPE Community
Operating System - HP-UX
1825768 Members
2406 Online
109687 Solutions
New Discussion

auditing the system

 
Venkat_11
Regular Advisor

‎01-03-2006 06:24 AM

‎01-03-2006 06:24 AM

auditing the system

We have a server and we turn on auditing on that server.
And the output for audsys is as follows

audsys
auditing system is currently on
current file: /aud/audfile1
next file: /aud/audfile2
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000 0 100 2097152 1614 100
next file: 1000 0 100 2097152 1614 100

But when i observed those particular files they are 0 byte files.
ls -l
total 0
-rw------- 1 root sys 0 Nov 10 18:43 audfile1
-rw------- 1 root sys 0 Nov 10 18:43 audfile2

Why these files are not getting update with auditrecords?

FYI syslog.conf file is like this

mail.debug /var/adm/syslog/mail.log
*.info;mail.none;auth.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
auth.info /var/adm/syslog/auth.log
and auth.log file is filling with audit records.

Does auth.info in syslog.conf taking the job of auditing. Can some body please explain me the difference between these two auditing files.

Thanks In Advance

Venkat
0 Kudos
Reply
11 REPLIES 11
Jeff Schussele
Honored Contributor

‎01-03-2006 06:40 AM

‎01-03-2006 06:40 AM

Re: auditing the system

Hi Venkat,

Normally the audit files are listed in /etc/rc.config.d/auditing as follows:

PRI_AUDFILE=/path/to/audfile1
SEC_AUDFILE=/path/to/audfile2

Also you spell out the max filesizes with

PRI_SWITCH=153600
SEC_SWITCH=153600

And of course auditing has to be turned on with

AUDITING=1

And you can specify the event arguments with

AUDEVENT_ARGS1=" 1st Args listed here"
AUDEVENT_ARGS2=" 2nd args listed here"
etc.....

And the audomon args as well

AUDOMON_ARGS=" Mon args here"

You do *not* list audit.info *specifically* in syslog.conf.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎01-03-2006 06:42 AM

‎01-03-2006 06:42 AM

Re: auditing the system

Shalom Venkat,

Seems that auditing is merely disabled, as in not runing.

The only thing you should ever see in syslog is when the log files switch, or if they fail to switch when one gets full.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Venkat_11
Regular Advisor

‎01-03-2006 06:54 AM

‎01-03-2006 06:54 AM

Re: auditing the system

The /etc/rc.confid.d/auditing looks like this
AUDITING=0
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDOMON_ARGS="-p 20 -t 1 -w 90"

But audsys showing like

auditing system is currently on
current file: /aud/audfile1
next file: /aud/audfile2
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000 0 100 2097152 1614 100
next file: 1000 0 100 2097152 1614 100


so what steps i have to take to update the /etc/rc.config.d/auditing and how restart the services so that it will take effect.

Thanks

Venkat
0 Kudos
Reply
Jeff_Traigle
Honored Contributor

‎01-03-2006 07:09 AM

‎01-03-2006 07:09 AM

Re: auditing the system

Just edit the file so AUDITING=1. To start auditing after that change, just run /sbin/init.d/auditing.

However, you also will want to change the path for the second audit log. It's purpose is to switch if the first log can no longer be written to (file system fills up). If it's on the same file system as the first, you could have some major problems.

In reality, you probably want to change both paths actually. Default is set to write to the root file system, which you certainly don't want to accidentally fill up with audit logs. Ideally, you probably want to create two new file systems that you can mount and use for the audit log locations.
--
Jeff Traigle
0 Kudos
Reply
Jeff_Traigle
Honored Contributor

‎01-03-2006 07:13 AM

‎01-03-2006 07:13 AM

Re: auditing the system

Oops... That should have said to run "/sbin/init.d/auditing start"
--
Jeff Traigle
0 Kudos
Reply
Venkat_11
Regular Advisor

‎01-03-2006 07:32 AM

‎01-03-2006 07:32 AM

Re: auditing the system

Hi Jeff,
First of all i would like to say thanks for your quick and good responces.

I set the auditing file like this

AUDITING=1
PRI_AUDFILE=/aud/audfile1
PRI_SWITCH=995000
SEC_AUDFILE=/aud/audfile2
SEC_SWITCH=995000
AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDOMON_ARGS="-p 20 -t 1 -w 90"
"auditing" 75 lines, 3055 characters

we have a FS /aud of 2gb. My question is what will happen when both the PRI and SEC get filled up..?
And what AUDEVENT_ARGS and AUDOMON_ARGS does and do i need to update them with any arguments?

And do i need to remove
auth.info /var/adm/syslog/auth.log
from syslog.conf.

Thanks A lot for Answers

Venkat
0 Kudos
Reply
Jeff_Traigle
Honored Contributor

‎01-03-2006 07:57 AM

‎01-03-2006 07:57 AM

Re: auditing the system

As I understand it, having both audit files in the same file system can be very detrimental. If the first file fills to the point that the file system is full, there will be no way for the system to write to the second log file. This can apparently cause some processes to hang since they won't be able to write audit information.
--
Jeff Traigle
0 Kudos
Reply
Jeff_Traigle
Honored Contributor

‎01-03-2006 08:04 AM

‎01-03-2006 08:04 AM

Re: auditing the system

As for the other questions...

I'm not sure about the ARGS settings. I haven't actually enabled auditing on any systems so haven't taken the time to read man pages for audevent and audmon. I'd recommend you read those before you make changes to the default arhuments provided.

As for removing the auth.info line from syslog.conf, it's not necessary. It's nice at times to have your authentication syslog entries in a separate file where they are easily analyzed without having to wade through all the other stuff that typically gets written to syslog. Personally, I'd keep it the way you have it set up currently.
--
Jeff Traigle
0 Kudos
Reply
Venkat_11
Regular Advisor

‎01-03-2006 08:11 AM

‎01-03-2006 08:11 AM

Re: auditing the system

Hi,

Even both the log files are sitting under the same file system /aud, in the auditing file i mentioned
PRI_SWITCH=995000 that means it has to switch to secondary log gile once after the primary log reaches 970MB, where the total FS is 2GB in size.

After all changes made to /etc/rc.config.d/auditing file when i tried to start the auditing services i am getitng the following error

/sbin/init.d/auditing start
auditing system is already on, input arguments ignored
ERROR CODE 8

I restarted the /sbin/init.d/auditing stop and start. After that i observed that /aud/audfile1 is updating with some stuff.
When i opened that file it showing up weird charaters like this

^DM-^?M-^?M-^?M-^?M-^?M-^?M-^?M-^?CM-:M-gM-.>^P9^P ^?^?!M-^PCM-:M-gM-.>^Q$^C^\>^PM-^?M-^?M-^?M-^?M-^?M-^?
M-^?M-^?CM-:M-gM-.>^Q9^PM-^P^?^?!@CM-:M-gM-

Can any body advice why it showing like this
Thanks in Advance

Venkat
0 Kudos
Reply
Jeff_Traigle
Honored Contributor

‎01-03-2006 08:17 AM

‎01-03-2006 08:17 AM

Re: auditing the system

As long as nothing else is written to that file system, the size limit settings for the log files you specified should keep you out of trouble with auditing hanging any processes.

The audit files are binary. Use audisp to query the logs.
--
Jeff Traigle
0 Kudos
Reply
Venkat_11
Regular Advisor

‎01-03-2006 09:44 AM

‎01-03-2006 09:44 AM

Re: auditing the system

Hi Jeff,
I appreciate your help to make auditing work.
Thanks A Lot.

When i say
#audisp audfile1 i am getting output like this.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060103 14:58:16 13151 S 57 1100 -1 0 0 0 0 ?????
[ Event=utssys; User=????????; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (addr of char) = 2139037936
PARAM #2 (int) = 0
PARAM #3 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060103 14:58:16 13151 S 57 1100 -1 0 0 0 0 ?????
[ Event=utssys; User=????????; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (addr of char) = 1073769712
PARAM #2 (int) = 64
PARAM #3 (int) = 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I didnt understand how to analise this output. WHy it showing up the user account as ?????? and what does rest of the values. Can i get any document to refer regarding this output.

Thanks A Lot
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.