
sizing of the audit trails in HP-UX/11i v3 properly

 
Zdenek Precek
Occasional Contributor


Hi gurus,

does anybody have experience with proper sizing of the audit(4) trails?
How fast can they grow in the real world (i.e. with a reasonable set of audited events enabled)?

In other words, how much free space is needed in the filesystem after the trail switch in order to be sure that the FSS point won't be reached again prior to the next run of audomon(1m)?

In even more detail:
The "-X" command when executed by audomon(1m) doesn't know which one of two limits triggered the trail switching: the AFS point or the FSS point.
While it is not necessary to do any filesystem housekeeping in the first case, enough space MUST be cleaned up IMMEDIATELY in the second case in order to be sure that the FSS point won't be reached a second time within audomon's current wake-up interval.

This is because in this case audomon(1m) will refuse to do the second consecutive trail switch (even if AFS triggered), effectively allowing the current audit trail to grow beyond any limits and finally to fill up the filesystem.

Audomon(1m) prints the appropriate warning on the console only (more exactly: on the terminal specified with "-o"), where nobody is watching for it.
It would be much more useful if this info were somehow passed to the "-X" command.

BTW: How exactly does audomon(1m) compute its wake-up period? The manual page only says it depends on the capacities of the filesystem and the audit trail and never becomes smaller than the value specified by the "-t" option (60 seconds minimum).

Thanks for any follow-up.
3 REPLIES
Emil Velez
Honored Contributor

Re: sizing of the audit trails in HP-UX/11i v3 properly

A lot depends on how many users or system calls or events you are auditing. What are you auditing? Every user, root, create events?


It is possible to get multiple megabytes especially on a busy system per hour of audit data depending on what is configured for auditing.
Zdenek Precek
Occasional Contributor

Re: sizing of the audit trails in HP-UX/11i v3 properly

Thanks Emil! I understand that it depends a lot.
So far, I did some simple measurements with default settings (all users, basic event set). I got a trail growth rate of about 20MB/min.
The auditing is going to be implemented in order to align the systems in a bank with PCI/DSS requirements.
Perhaps somebody who has already implemented auditing in a similar environment can estimate the rate of growth of the audit trails.
Dennis Handly
Acclaimed Contributor

Re: sizing of the audit trails in HP-UX/11i v3 properly

Have you figured out where to put the trails?

If you have your own filesystem, if it gets full, it won't bring down the box.
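
Added example, not part of any post in this thread: the check a "-X" command could make for itself, since audomon does not tell it whether the AFS or the FSS point triggered the switch. It assumes the FSS point is a minimum free-space percentage and that the caller passes an upper bound for the wake-up interval; all function names and figures are hypothetical.

```shell
#!/bin/sh
# Added example: housekeeping decision for a command run via audomon "-X".
# Assumptions (not from the thread): the FSS point is a minimum free-space
# percentage, closed trails can be moved off the audit filesystem, and the
# caller knows an upper bound for audomon's wake-up interval.
# fs_size_kb and free_kb can be taken from `df -Pk <audit filesystem>`.

# KB that must be free right after a switch: the FSS floor plus what the
# new trail can write during one wake-up interval.
# args: fs_size_kb fss_free_pct growth_kb_per_min interval_sec
required_free_kb() {
    echo $(( $1 * $2 / 100 + $3 * $4 / 60 ))
}

# Read "size_kb path" lines (oldest first) on stdin and print the paths
# that must leave the filesystem to cover a deficit of $1 KB.
pick_trails() {
    deficit=$1
    while [ "$deficit" -gt 0 ] && read -r size path; do
        echo "$path"
        deficit=$(( deficit - size ))
    done
    # Non-zero status: even moving every closed trail is not enough,
    # so the filesystem itself is undersized for this growth rate.
    [ "$deficit" -le 0 ]
}

# args: fs_size_kb free_kb fss_free_pct growth_kb_per_min interval_sec
# stdin: "size_kb path" lines for closed trails, oldest first.
# Prints nothing when free space already covers the requirement
# (the switch was caused by trail size, no housekeeping needed).
plan_cleanup() {
    need=$(required_free_kb "$1" "$3" "$4" "$5")
    deficit=$(( need - $2 ))
    [ "$deficit" -le 0 ] && return 0
    pick_trails "$deficit"
}
```

With the 20MB/min rate measured above and a 60-second interval, the extra headroom on top of the FSS floor is 20480 KB; the printed paths are only candidates, and moving or archiving them is left to the caller.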