How to config audsys?

fanyong

I run this command:
#audsys -n -c audfile1 -s 1024 -x audfile2 -z 1024
Some days later, the first file audfile1 was full, and audsys began writing audfile2. When audfile2 was full as well, the system asked me to back up the audfiles and couldn't reuse audfile1.
I must run the following commands:
#cp audfile* /bak
#>audfile1
#>audfile2
#audsys -c audfile1 -s 1024 -x audfile2 -z 1024
How can I configure audsys to automatically reuse the first file audfile1?
Eugen Cocalea

Re: How to config audsys?

Hi,

This is a little bit complicated without a little programming. Seems that the auditing systems, when switching from current to next audit file, makes the next file 'NULL'. So, the only thing you have to do is to make the next file point to the first file.

My idea: configure audomon (man audomon) to issue a warning when it's about to switch from the file2 to the next file1 (assuming that it already made the switch from file1 to file2 and the file2 is almost full). Redirect the warning message to a tty that you watch with a program. When the warning occurs, backup the file1 (if you need a backup), make it empty and call audctl (man audctl) with AUD_SETNEXT command, and make the next file point to file1.

I am very sorry I don't provide a program that will solve the problem 'on the scene', but I don't have time to do it, although I like the problem and it's a bit challenging for me too. If I find a time window, I will write it. Until them, I hope this will help you solve your problem.

E.

To Live Is To Learn
Eugen Cocalea

Re: How to config audsys?

erm, 'until then' :)

E.

Re: How to config audsys?

The short answer is, you can't! The slightly longer answer is that you could, but the point of the auditing sub-system is to give you an audit trail. If you just go copying over your old audit logs you lose the audit trail.
The question I would ask is do you really need auditing turned on, as what it's actually giving you is a list of all (or a subset) of all system calls made by all (or a subset of) users. I've often found that the only reason people turn on auditing is because some automated security product (like Symantec's Omniguard ESM) tells them it should be.

If you *have* to use auditing, here's what I would do:
1. Figure out what actual system calls you want to audit (do you really need to audit every fork() and exit() call?) and for which users, then use the audevent(1m) command to set this up, also make sure that the change is permanent across reboots by changing the /etc/rc.config.d/auditing file.
2. Create a separate file system for the audit logs - otherwise the logs just get dumped into the root file system, and can fill it up.
3. Write a simple script which monitors the auditing subsystem - this should define a new log when a log switch occurs, and also monitor space in the file system where the logs go - BEWARE, if you are monitoring the system calls of system processes (i.e. those owned by root), then if the file system containing the logs fills up, the system can grind to a halt.

HTH

Duncan

I am an HPE Employee
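As an added illustration of steps 2 and 3 of this answer (not code from the thread, from HP, or from the audsys tooling itself): a POSIX sh script that archives a filled audit file together with a checksum before it is emptied and reused, refuses to act when the archive file system is short of space, and then re-arms audsys with the same -c/-s/-x/-z form the question shows. The archive directory, the path to audsys, the use of cksum(1) and df -P, and kilobyte units for the sizes are assumptions; on HP-UX you may prefer bdf(1M) for the space check.

```shell
#!/bin/sh
# Added example, not code from the thread or from HP: archives a filled
# HP-UX audit file before it is reused, so the trail is kept rather than
# overwritten, and re-arms audsys with the -c/-s/-x/-z form used above.
# Assumed, not stated on the page: POSIX sh, cksum(1), df -P, an archive
# directory, and that sizes are in kilobytes as on the audsys command line.

ARCHIVE_DIR=${ARCHIVE_DIR:-/var/.audit/archive}   # assumed location
AUDSYS=${AUDSYS:-/usr/sbin/audsys}                # assumed path to audsys(1M)

# archive_audit_file FILE DIR
# Copy FILE to DIR/<name>.<timestamp>, verify the copy's cksum against the
# original, record the cksum beside the copy, and only then truncate FILE.
# Prints the archive path; on any failure returns non-zero and leaves FILE
# untouched.
archive_audit_file() {
    src=$1; dir=$2
    [ -f "$src" ] || { echo "no such audit file: $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dst="$dir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dst" || return 1
    # cksum on stdin prints "<crc> <bytes>", so the two are directly comparable
    orig=$(cksum < "$src")
    copy=$(cksum < "$dst")
    if [ "$orig" != "$copy" ]; then
        echo "checksum mismatch, keeping $src and discarding $dst" >&2
        rm -f "$dst"
        return 1
    fi
    echo "$copy" > "$dst.cksum"   # integrity record for the archived trail
    : > "$src"                    # empty the file only after the copy is verified
    echo "$dst"
}

# free_kb_below DIR LIMIT_KB
# True when the file system holding DIR has fewer than LIMIT_KB kilobytes
# free, or when the free space cannot be determined (unknown counts as
# not enough).  df -P is the POSIX form; bdf(1M) is the HP-UX native one.
free_kb_below() {
    avail=$(df -P -k "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ -z "$avail" ] || [ "$avail" -lt "$2" ]
}

# rotate_audit FULL_FILE NEW_CURRENT SIZE_KB
# Archive the audit file that just filled, then make NEW_CURRENT the current
# file and the emptied FULL_FILE the next one, as the question's own
# "audsys -c ... -s ... -x ... -z ..." invocation does.  Refuses to run when
# the archive file system lacks room for the copy, which is the condition
# step 3 above warns about.
rotate_audit() {
    full=$1; cur=$2; size=$3
    mkdir -p "$ARCHIVE_DIR" || return 1
    if free_kb_below "$ARCHIVE_DIR" "$size"; then
        echo "not enough free space under $ARCHIVE_DIR to archive $full" >&2
        return 1
    fi
    archive_audit_file "$full" "$ARCHIVE_DIR" > /dev/null || return 1
    "$AUDSYS" -c "$cur" -s "$size" -x "$full" -z "$size"
}

# Only act when told to, so the file can be sourced harmlessly:
#   sh rotate_audit.sh run audfile2 audfile1 1024
if [ "${1:-}" = run ]; then
    rotate_audit "$2" "$3" "$4"
fi
```

The copy is verified before the original is emptied, so a failed or partial copy never costs audit records; the .cksum file beside each archive lets you check later that the archived trail is still intact.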