Operating System - HP-UX

monitoring/auditing atime

 
Manuel Urena
Advisor

monitoring/auditing atime

Hi all,

For some reason I've been asked to find a way to record who and when the atime of some directories/files gets modified.

It should be a complete listing so that they could say something like this user/process @ this date and time read/executed a file.

I was wondering if there was a way to do this utilizing any of the auditing tools provided in HP-UX.

Thanks and regards,

Manuel
Tim Nelson
Honored Contributor

Re: monitoring/auditing atime

You can use the find command, but beware that find will update the access time.

find ./ -atime -1

There are some other options.

I believe HPIDS can be configured with a watch list of files. Even better, the product is free ( www.software.hp.com ).

Manuel Urena
Advisor

Re: monitoring/auditing atime

Tim,

Thanks anyway, but that simple find command is not what I am looking for. I'd like to maintain and update a record of what process updates the atime on some dirs/files, and when.

Maybe auditing on some of the syscalls (read(2), open(2), access(2), etc.). But this sounds like overkill and may not be appropriate.

By the way I was unable to find HPIDS on software.hp.com. Maybe I am doing something wrong...

Thanks and regards,

Manuel
Tim Nelson
Honored Contributor
James R. Ferguson
Acclaimed Contributor

Re: monitoring/auditing atime

Hi Manuel:

If you truly mean 'atime' then you mean the last access timestamp. For directories, that's virtually useless. The act of a process reading a directory (as with 'ls' or 'find') changes the directory's 'atime'. This occurs whether or not the process has permission to read/write/execute the directory's subordinate entries.

Proper directory permissions limit who can access (or write and delete) directory contents.

Databases that catalog checksums and/or modification ('mtime') can alert you to *changes* in files.

If you have a few "critical" pieces of software that you would like to monitor, consider writing a wrapper that logs "who" and "when" whenever the code is executed.

Regards!

...JRF...

Manuel Urena
Advisor

Re: monitoring/auditing atime

Thank you James,

You're completely correct. Reading my posting again, I now realize I also mentioned directories, and of course this is not useful at all.

I assume the easiest way is via a shell wrapper. But how about common ASCII files, when somebody cat(1)/more(1) a file, or even opens an editor without modifying the file?

I don't know if something along the lines of tripwire could be the answer. But I was hoping HP's auditing tools could be set up to gather this information.

I am looking for something like a log where you could keep a record of the following for the inode's atime update for example:

FILE      UID  ARGV[0]  TIMESTAMP
.profile  0    cat      15 Mar 2007 14:45
...


Thanks,

Manuel
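The wrapper approach suggested by James, writing records in the FILE / UID / ARGV[0] / TIMESTAMP layout Manuel asks for, as an added example that is not code from any poster in this thread. The log path `/var/adm/atime_audit.log` and the function names `log_access` and `audited_run` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit wrapper producing FILE UID ARGV[0] TIMESTAMP records.
# AUDIT_LOG path and function names are assumptions, not HP-UX tooling.
AUDIT_LOG=${AUDIT_LOG:-/var/adm/atime_audit.log}

# Append one tab-separated record: file, effective UID, program name, time.
# Tabs are used because the timestamp itself contains spaces.
log_access() {
    _file=$1
    _prog=$2
    _uid=$(id -u)
    _ts=$(date '+%d %b %Y %H:%M')
    printf '%s\t%s\t%s\t%s\n' "$_file" "$_uid" "$_prog" "$_ts" >> "$AUDIT_LOG"
}

# Log every argument that names an existing regular file, then run the
# real command with its arguments unchanged and return its exit status.
audited_run() {
    _cmd=$1
    shift
    for _arg in "$@"; do
        case $_arg in
            -*) continue ;;          # option, not a file operand
        esac
        if [ -f "$_arg" ]; then
            log_access "$_arg" "$(basename "$_cmd")"
        fi
    done
    "$_cmd" "$@"
}

# Typical use: a script named "cat" placed ahead of the real one in PATH,
# containing only:   audited_run /usr/bin/cat "$@"
```

This records only accesses that go through the wrapper; a process that opens the file directly leaves no record. The log file should be append-only for ordinary users and writable only by the account that owns the wrapper, otherwise the record can be edited by the people it is meant to track.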