Operating System - HP-UX

hpux 11i auditing oddness

 
Paul Mahon
What is happening is that the auditing system always reports an incorrect, and absurdly large, value for "used Kb" on the next file. Since this number is beyond the threshold size for audit files, every time an audit event is detected, the auditing system attempts to archive it and switch to the new file. For example, I stopped the auditing services, removed /.secure/etc/audnames and /var/opt/audit/*

myhost -> /var/opt/audit
root # audsys -c audfile1.20071107 -x audfile2.20071107 -s 5000 -z 5000 -n
created audit file: /var/opt/audit/audfile1.20071107
created audit file: /var/opt/audit/audfile2.20071107


myhost -> /var/opt/audit
root # audsys
auditing system is currently on
current file: /var/opt/audit/audfile2.20071107
next file: /var/opt/audit/audfile1.20071107
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 5000 0 100 4194304 3728656 11
next file: 0 2556466 0 2147483647 2147483647 65663

myhost -> /var/opt/audit
root # ll
total 16
-rw------- 1 root sys 0 Nov 7 17:46 audfile1.20071107
-rw------- 1 root sys 0 Nov 7 17:46 audfile2.20071107


No matter what the "next file:" value is, the used Kb field is always incorrect, which causes the auditing system to continually switch between files and allows no events to be logged.

Nov 7 17:33:00 myhost vmunix: The current audit file is switched from /var/opt/audit/audfile1.20071107 to /var/opt/audit/audfile2.20071107.
Nov 7 17:33:00 myhost vmunix: Notify the security officer to specify a backup.
Nov 7 17:33:20 myhost vmunix: The current audit file is switched from /var/opt/audit/audfile2.20071107 to /var/opt/audit/audfile1.20071021.
Nov 7 17:33:33 myhost vmunix: The current audit file is switched from /var/opt/audit/audfile1.20071021 to /var/opt/audit/audfile2.20071021

Here's the config file contents:

root # cat /etc/rc.config.d/auditing
#!/sbin/sh
# @(#) $Revision: 72.4 $
# Auditing configuration. See audsys(1m), audevent(1m)
#
# AUDITING: Set to 1 to enable the auditing system. Note: if auditing
# is enabled via SAM, the AUDITING and other configuration
# variables are ignored.
#
# PRI_AUDFILE: Pathname of file where audit records begin to be logged.
# PRI_SWITCH: switch size (maximum size in kbytes for primary audit log file)
# SEC_AUDFILE: file audit system switches to when primary reaches switch size
# SEC_SWITCH: switch size of secondary file (maximum size in kbytes for
# secondary audit log file)
#
# Note: If the system has any mounted volumes, you might want to put the
# primary and secondary audit log files on different volumes to take maximum
# advantage of audit file switching.
#
# Note: For security, the path to the audit files must not be readable or
# writable except by authorized users.
#
# AUDEVENT_ARGS:
# Arguments to the audevent command. See audevent(1m)
# There are three instances of AUDEVENT_ARGS.
#
# AUDEVENT_ARGS1 describes those events that are audited
# for both success and failure.
#
# AUDEVENT_ARGS2 describes those events that are success only.
#
# AUDEVENT_ARGS3 describes those events that are failure only.
#
# A null string for AUDEVENT_ARGSx is assigned to arguments
# that don't apply.
#
# By default, AUDEVENT_ARGS1 is set to:
# "-P -F -e moddac -e login -e admin"
# which causes audevent to deal with:
# 1) changing discretionary access control (DAC),
# 2) logging in, and
# 3) administering the system will be audited.
# While these may be a reasonable defaults on some systems,
# only the security officer/administrator can determine exactly
# what is needed.
#
# AUDOMON_ARGS: Arguments to the audomon daemon. See audomon(1m)
# By default, AUDOMON_ARGS is set to "-p 20 -t 1 -w 90".
# The audomon daemon takes the following arguments:
#
# fss = minimum percentage of free space left on an audit log file's
# file-system before switching to the secondary audit log file
# (which may reside on a separate volume/partition),
# or before taking protective action if no file space is left.
# (default: 20%)
# sp_freq = minimum wakeup interval (in minutes), at which point
# warning messages are generated on the console about
# switch points. Switch points are the maximum log file
# sizes and the percentage minimum free space specified.
# (default: 1 minute)
# warning = percentage of audit file space used or minimum free space
# used after which warning messages are sent to the console.
# (default: 90 - warning messages are sent when the files
# are 90% full or available free space is 90% used)
#
# Format: audomon -p fss -t sp_freq -w warning
#
AUDITING=1
PRI_AUDFILE=/var/opt/audit/audfile1.`date +%Y%m%d`
PRI_SWITCH=5000
SEC_AUDFILE=/var/opt/audit/audfile2.`date +%Y%m%d`
SEC_SWITCH=5000
AUDEVENT_ARGS1=" -P -F -e admin -e login -e moddac -e removable -e delete -e open"
AUDEVENT_ARGS2=" -S -p -f"
#AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"



I have a number of hosts with the exact same configuration that do not have this issue. Any clues as to where to proceed would be much appreciated.

Paul
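The switching symptom quoted above leaves a trail of kernel "audit file is switched" messages in syslog. The following POSIX sh script, added here and not part of the thread or of HP-UX, flags minutes in which the audit system switched files more than once, which is the thrashing pattern described (a healthy system switches once when a file fills). It assumes syslog-style "Mon D HH:MM:SS" timestamps and the vmunix message text shown in the post; the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect HP-UX audit-file thrashing by
# counting kernel "audit file is switched" messages per minute in a syslog
# extract. Several switches inside one minute match the symptom above.
# Assumes syslog timestamps "Mon D HH:MM:SS" and the vmunix message text
# quoted in the thread. Sample lines below are constructed.

# Print "Mon D HH:MM count" for every minute with at least $2 switches.
# Usage: audit_thrash_minutes <logfile> [min_switches_per_minute]
audit_thrash_minutes() {
    logfile=$1
    threshold=${2:-2}
    grep 'vmunix: The current audit file is switched from' "$logfile" |
    awk -v min="$threshold" '
        {
            # $1=month $2=day $3=HH:MM:SS; drop seconds to bucket by minute
            split($3, t, ":")
            key = $1 " " $2 " " t[1] ":" t[2]
            n[key]++
        }
        END {
            for (k in n) if (n[k] >= min) print k, n[k]
        }' | sort
}

# Succeeds (exit 0) when any minute crosses the threshold; usable from cron
# or a monitoring check: audit_is_thrashing /var/adm/syslog/syslog.log && alert
audit_is_thrashing() {
    [ -n "$(audit_thrash_minutes "$1" "${2:-2}")" ]
}

# Constructed sample extract modelled on the messages quoted in the thread.
SAMPLE_LOG=${TMPDIR:-/tmp}/audit_sample.$$
cat > "$SAMPLE_LOG" <<'EOF'
Nov 7 17:33:00 myhost vmunix: The current audit file is switched from /var/opt/audit/audfile1.20071107 to /var/opt/audit/audfile2.20071107.
Nov 7 17:33:00 myhost vmunix: Notify the security officer to specify a backup.
Nov 7 17:33:20 myhost vmunix: The current audit file is switched from /var/opt/audit/audfile2.20071107 to /var/opt/audit/audfile1.20071107.
Nov 7 17:33:33 myhost vmunix: The current audit file is switched from /var/opt/audit/audfile1.20071107 to /var/opt/audit/audfile2.20071107.
Nov 7 18:05:10 myhost vmunix: The current audit file is switched from /var/opt/audit/audfile2.20071107 to /var/opt/audit/audfile1.20071107.
EOF

audit_thrash_minutes "$SAMPLE_LOG"   # prints: Nov 7 17:33 3
```

The 18:05 switch is a single, legitimate rollover and is not reported; only the 17:33 minute with three switches is.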
Megan Ferguson

Re: hpux 11i auditing oddness

Hi Paul,

I am having this exact same issue. Did you find a resolution? We are currently turning auditing to use the ISS intrusion software.

Rgds
Meg
Paul Mahon

Re: hpux 11i auditing oddness

Good luck with that. ISS support was spotty at best before Big Blue bought it. Now it's very close to useless.

And no, I never found a solution, but an update may be in order... Sometimes after a cold boot (power cycle), auditing will work correctly. I'd say about 20% of the time.