02-08-2020 09:14 PM
How to enable Audit log for specific users and events in HP-UX 11.31 ?
Hi All,
As per management decision, I need to enable the audit trail in HP-UX. So I have enabled auditing with the command
audsys -n. So now, how do I configure it only for users?
I need assistance with this issue from the experts.
02-10-2020 12:51 AM - last edited on 05-18-2021 05:51 AM by Ramya_Heera
Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?
Take a look at this technical paper on the subject:
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c02899022
p15 onwards starts to describe how to configure auditing for specific users and events, but I would read the whole thing to get a better understanding of what's really going on.
I am an HPE Employee

02-10-2020 01:37 AM
Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?
Greetings,
Enabling auditing on HP-UX requires fair knowledge of how it works. Since it deals with security, you must take time to read through the documentation.
One more important aspect is managing the auditing logs. For example, unless you plan properly, you run the risk of exhausting file system space. And there is a need to archive them on a regular basis for record-keeping etc.
I suggest that you go through the documentation for auditing thoroughly before embarking on this journey. You will find all documents at this location - http://www.hpe.com/info/hpux-security-docs
Some of the documents I usually refer to are:
HP-UX 11iv2 and 11iv3 Security Configuring and Managing the Auditing System
HP-UX System Administrators Guide Security Management HP-UX 11i Version 3
Hope it helps. All the best.
I am a HPE Employee
02-10-2020 01:47 AM
Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?
Hello again,
The events, users, calls etc that can be configured are documented in /etc/audit/audit.conf. Site-specific config files will have to be included in another file /etc/audit/audit_site.conf.
The events can also be passed against AUDEVENT_ARGS in /etc/rc.config.d/auditing.
As I mentioned in my earlier post, it is important that you read through the documentation to understand how the auditing on HP-UX works.
I am a HPE Employee
02-10-2020 02:24 AM
Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?
Hi,
Thanks to all for sharing the comments, including the document site.
I have already studied some documents. However, I will check and go through all the provided documents.
Tomorrow, I will share my new queries.
Regards,
Ashraf
02-10-2020 09:23 AM
Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?
As you can see from the depth of the auditing system, there can be an immense effort to set up and maintain the records. Then there is the question of how to immediately notify sysadmins of a potential problem.
You may find that simply keeping the login shell history would satisfy your management's request. Note that this would cover simple commands and possible mistakes, but would not be adequate for knowledgeable users trying to hide their activities.
Bill Hassell, sysadmin
02-10-2020 11:14 PM
Re: How to enable Audit log for specific users and events in HP-UX 11.31 ?
Hi All,
I have studied all the documents as per my strength.
I have run all the commands on my test system. Here the OS version is HP-UX 11.31. After success, we will run them on the live system.
I have set auditing for users root and oracle only. Please check the command output below (# userdbget -a | grep AUDIT_FLAG=1).
I set only the events associated with the basic profile for auditing, using the following command:
# audevent -P -F -r basic
Please check the config below, shown by # cat /etc/audit/audit.conf
Also check the output of # cat /etc/rc.config.d/auditing
In the /var/.audit location, I see the file sizes below:
bash-4.3# du -sk audfile2.20200211_1235
12312 audfile2.20200211_1235
bash-4.3# du -sk audfile2.20200211_1241
1776 audfile2.20200211_1241
Command output:
bash-4.3# userdbget -a | grep AUDIT_FLAG=1
root AUDIT_FLAG=1
oracle AUDIT_FLAG=1
bash-4.3# cat /etc/rc.config.d/auditing
AUDITING=1
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/var/.audit/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e create -e delete -e moddac -e modaccess -e open -e close -e process -e removable -e login -e admin -e ipccreat -e ipcopen -e ipcclose -e uevent1 -e uevent2 -e uevent3 -e ipcdgram -e readdac -s exit -s fork -s open -s close -s creat -s link -s unlink -s execv -s chdir -s mknod -s chmod -s chown -s .chmod_link -s mount -s umount -s setuid -s stime -s ptrace -s access -s kill -s stat -s setpgrp3 -s lstat -s pipe -s setgid -s acct -s reboot -s symlink -s .set_sys_info -s execve -s umask -s chroot -s fcntl -s ulimit -s vfork -s mmap -s munmap -s setgroups -s setpgid -s swapon -s fstat -s setpriority -s settimeofday -s fchown -s fchmod -s setresuid -s setresgid -s rename -s truncate -s ftruncate -s mkdir -s rmdir -s setrlimit -s .priv_grp_ctl -s rtprio -s plock -s lockf -s semget -s semop -s msgget -s shmget -s shmat -s shmdt -s .setmemwindow -s setdomainname -s vfsmount -s setacl -s fsetacl -s setaudid -s setaudproc -s setevent -s audswitch -s audctl -s getaccess -s fchdir -s accept -s bind -s connect -s recv -s recvfrom -s recvmsg -s send -s sendmsg -s sendto -s setsockopt -s shutdown -s socket -s socketpair -s semctl -s msgctl -s shmctl -s mpctl -s adjtime -s fattach -s fdetach -s serialize -s lchown -s sched_setparam -s sched_setscheduler -s clock_settime -s .perf_tool_ctl -s ftruncate64 -s fstat64 -s lockf64 -s lstat64 -s mmap64 -s setrlimit64 -s stat64 -s truncate64 -s setpgrp -s setregid -s mlock -s munlock -s mlockall -s munlockall -s shm_open -s shm_unlink -s sigqueue -s mq_open -s mq_close -s mq_unlink -s sem_open -s sem_unlink -s sem_close -s ttrace -s sendfile -s .sendfile_by_name -s sendfile64 -s modload -s moduload -s modpath -s getksym -s .kernel_module_ctl -s modstat -s .processor_ctl -s acl -s .p2p_bcopy_ctl -s .gang_sched_ctl -s .mrgctl -s settune -s pset_create -s pset_destroy -s pset_assign -s pset_bind -s pset_setattr -s pset_ctl -s __pset_rtctl -s .perf_ctl -s semtimedop -s .audit_tag_ctl -s .proc_sec_ctl -s .file_sec_ctl 
-s .cmpt_rules -s .postwait_ctl -s umount2 -s .setaudevent -s .procsm_setop -s .cachefsstat -s swapctl -s .audit_ctl -s .proc_mgmt_ctl -s .cell_olstar_lock -s .cell_olstar_specify -s .cell_olstar_backout -s .cell_olstar_unlock -s .cell_olstar_operate"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
bash-4.3# cat /etc/audit/audit.conf
#
# Default audit event mapping information
#
# DO NOT MODIFY THIS FILE. All site specific customerizations
# need to go into /etc/audit/audit_site.conf.
#
EVENT create= creat, mknod, pipe, symlink, mkdir, semget, msgget, shmget,
shmat, pset_create, SELFAUD_EVENT create
EVENT delete= rmdir, semctl, msgctl, shm_unlink, mq_unlink, sem_unlink,
pset_destroy, SELFAUD_EVENT delete
EVENT moddac= chmod, chown, umask, fchown, fchmod, semop, setacl, fsetacl,
lchown, acl, semtimedop, .chmod_link, SELFAUD_EVENT moddac
EVENT modaccess= link, unlink, chdir, setuid, setpgrp, setpgrp3, setgid,
chroot, ulimit, setgroups, setpgid, setresuid, setresgid, rename,
fcntl, lockf, shmdt, fchdir, shmctl, lockf64, setregid, .proc_sec_ctl,
.file_sec_ctl, .cmpt_rules, SELFAUD_EVENT modaccess
EVENT open= open, execv, execve, mmap, truncate, ftruncate, ftruncate64,
mmap64, truncate64, shm_open, mq_open, sem_open, ttrace, ptrace,
sendfile, sendfile64, .sendfile_by_name, SELFAUD_EVENT open
EVENT close= close, munmap, mq_close, sem_close, SELFAUD_EVENT close
EVENT process= exit, fork, kill, vfork, setpriority, rtprio, mlock,
munlock, mlockall, munlockall, sigqueue, SELFAUD_EVENT process
EVENT removable= mount, umount, umount2, vfsmount, SELFAUD_EVENT removable
EVENT login= SELFAUD_EVENT login
EVENT admin= stime, acct, reboot, swapon, setevent, settimeofday, setrlimit,
plock, swapctl, setdomainname, setaudid, setaudproc, audswitch,
audctl, .audit_ctl, .setaudevent, mpctl, adjtime, serialize,
sched_setparam, sched_setscheduler, clock_settime, setrlimit64,
modload, moduload, modpath, getksym, modstat, settune, pset_assign,
pset_bind, pset_setattr, pset_ctl, __pset_rtctl, .procsm_setop,
.priv_grp_ctl, .setmemwindow, .mrgctl, .audit_tag_ctl, .perf_ctl,
.perf_tool_ctl, .processor_ctl, .p2p_bcopy_ctl, .gang_sched_ctl,
.cell_olstar_backout, .cell_olstar_lock, .cell_olstar_operate,
.cell_olstar_specify, .cell_olstar_unlock, .kernel_module_ctl,
.set_sys_info, .proc_mgmt_ctl, .postwait_ctl, .cachefsstat,
SELFAUD_EVENT admin
EVENT ipccreat= bind, socket, socketpair, SELFAUD_EVENT ipccreat
EVENT ipcopen= accept, connect, fattach, SELFAUD_EVENT ipcopen
EVENT ipcclose= shutdown, fdetach, SELFAUD_EVENT ipcclose
EVENT uevent1= SELFAUD_EVENT uevent1
EVENT uevent2= SELFAUD_EVENT uevent2
EVENT uevent3= SELFAUD_EVENT uevent3
EVENT ipcdgram= SELFAUD_EVENT ipcdgram
EVENT readdac= access, stat, lstat, fstat, getaccess, fstat64, lstat64,
stat64, SELFAUD_EVENT readdac
SYSCALL_ALIAS gethostname= .set_sys_info
SYSCALL_ALIAS sethostname= .set_sys_info
SYSCALL_ALIAS uname= .set_sys_info
SYSCALL_ALIAS ustat= .set_sys_info
SYSCALL_ALIAS setuname= .set_sys_info
SYSCALL_ALIAS setsid= setpgrp3
SYSCALL_ALIAS setpgrp= setpgrp3
SYSCALL_ALIAS setpgrp2= setpgid
SYSCALL_ALIAS setprivgrp= .priv_grp_ctl
EVENT_ALIAS logoff= EVENT login
EVENT_ALIAS exec= execv, execve
EVENT_ALIAS net= EVENT ipccreat, EVENT ipcopen, EVENT ipcclose, EVENT ipcdgram
EVENT_ALIAS pset= pset_create, pset_destroy, pset_assign,
pset_bind, pset_setattr
EVENT_ALIAS sock= bind, recv, recvfrom, recvmsg, send, sendmsg, sendto,
setsockopt, socket, socketpair
PROFILE basic= EVENT admin, EVENT login, SELFAUD_EVENT moddac, execv, execve,
EVENT_ALIAS pset
bash-4.3# pwd
/var/.audit
bash-4.3# ls -la
total 288
drwxr-xr-x 220 root sys 131072 Feb 11 12:35 .
dr-xr-xr-x 28 bin bin 8192 Jan 2 17:44 ..
drwx------ 2 root sys 96 Dec 29 09:53 audfile1
drwx------ 2 root root 96 Feb 9 11:00 audfile2.20200209_1100
drwx------ 2 root root 96 Feb 9 11:07 audfile2.20200209_1107
drwx------ 2 root root 96 Feb 9 11:21 audfile2.20200209_1121
drwx------ 2 root root 96 Feb 9 11:30 audfile2.20200209_1130
drwx------ 2 root root 96 Feb 9 11:34 audfile2.20200209_1134
drwx------ 2 root root 96 Feb 9 11:39 audfile2.20200209_1139
drwx------ 2 root root 96 Feb 9 11:51 audfile2.20200209_1151
drwx------ 2 root root 96 Feb 9 12:05 audfile2.20200209_1205
drwx------ 2 root root 96 Feb 11 11:21 audfile2.20200211_1121
drwx------ 2 root root 96 Feb 11 11:36 audfile2.20200211_1136
drwx------ 2 root root 96 Feb 11 11:50 audfile2.20200211_1150
drwx------ 2 root root 96 Feb 11 12:05 audfile2.20200211_1205
drwx------ 2 root root 96 Feb 11 12:20 audfile2.20200211_1220
drwx------ 2 root root 96 Feb 11 12:35 audfile2.20200211_1235
drwx------ 2 root root 96 Feb 11 12:41 audfile2.20200211_1241
My queries are as below:
1. How do I set the time interval for file generation (suppose each file is generated every 15 minutes)?
2. How do I create a report from some specific file or from all files?
3. I have rebooted the OS as the root user, but I don't find a record in the file for the reboot, which is mentioned in the admin EVENT.
Please assist with the above issues.
Waiting for a response from the experts.
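
The following is an added example, not written by any poster in this thread and not HPE code. It parses the audit.conf syntax shown in the output above, expands PROFILE basic to the syscalls and self-auditing events it names, and lists the -s syscalls in an AUDEVENT_ARGS string that the profile does not expand to. The embedded file excerpt and argument string are shortened, constructed samples, and reading -e and -s as event and syscall selectors is an assumption taken from the names that follow them in the posted AUDEVENT_ARGS1.

```python
import re
import shlex

# Abridged from the audit.conf output posted in the thread (member lists shortened).
AUDIT_CONF = """\
EVENT login= SELFAUD_EVENT login
EVENT admin= stime, acct, reboot, swapon,
audctl, SELFAUD_EVENT admin
EVENT_ALIAS pset= pset_create, pset_destroy, pset_assign,
pset_bind, pset_setattr
PROFILE basic= EVENT admin, EVENT login, SELFAUD_EVENT moddac, execv, execve,
EVENT_ALIAS pset
"""
# Constructed, shortened stand-in for AUDEVENT_ARGS1 in /etc/rc.config.d/auditing.
AUDEVENT_ARGS = " -P -F -e login -e admin -s open -s execve -s reboot -s chmod"
DEF = re.compile(r"^(EVENT|EVENT_ALIAS|SYSCALL_ALIAS|PROFILE)\s+(\S+?)\s*=\s*(.*)$")

def parse_conf(text):
    """Return {(kind, name): [member, ...]}, joining continuation lines."""
    defs, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = DEF.match(line)
        if m:                                     # a new "KIND name=" definition starts
            current = defs.setdefault((m.group(1), m.group(2)), [])
            line = m.group(3)
        if current is not None:                   # otherwise: continuation of the last one
            current += [t.strip() for t in line.split(",") if t.strip()]
    return defs

def expand(defs, kind, name, path=()):
    """Resolve a definition to (syscalls, self-audit events), following references."""
    syscalls, selfaud = set(), set()
    # A definition already on the current path is not expanded again (cycle guard).
    members = [] if (kind, name) in path else defs.get((kind, name), [])
    for member in members:
        parts = member.split()
        if len(parts) == 2 and parts[0] == "SELFAUD_EVENT":
            selfaud.add(parts[1])
        elif len(parts) == 2:                     # "EVENT x" / "EVENT_ALIAS x" reference
            s, a = expand(defs, parts[0], parts[1], path + ((kind, name),))
            syscalls, selfaud = syscalls | s, selfaud | a
        else:
            syscalls.add(member)
    return syscalls, selfaud

def args_outside_profile(defs, profile, args):
    """Syscalls selected with -s in args that the named profile does not expand to."""
    toks = shlex.split(args)
    chosen = {toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-s"}
    return sorted(chosen - expand(defs, "PROFILE", profile)[0])
```

On the sample, `args_outside_profile(parse_conf(AUDIT_CONF), "basic", AUDEVENT_ARGS)` returns `['chmod', 'open']`, and `reboot` is among the syscalls that PROFILE basic expands to through EVENT admin.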