
Re: Trivial question about HP-UX trusted mode audit logs

MAD_2
Super Advisor

Trivial question about HP-UX trusted mode audit logs

OK, these questions have probably been asked many times before, but I just seem unable to find the right answer yet, and it seems the forum searches are not working today:

1. I know a primary and a back-up audit log files can be created and that to be safe, it is best to store them in different filesystems (not necessarily the default /.secure/etc for "audfile1" & "audfile2")

2. I have already selected two different locations and switched the log sizes from the default 1000KB to 5000KB (is that too much?). Also, I have selected specific events to be monitored. Not to worry, I have not turned auditing on yet for the sake of getting more information before I wake up that monster.

My questions are these:
A. What happens when the primary file is full, then it switches to the back-up and that one also fills up?
B. What is the correct way to reset (clean up) the files? And how is a proper back-up of these performed?
C. Is there a utility within SAM to back them up? If not, what is the correct procedure to do it?

What I would like to do is to retain no more than, let's say 30-60 days of data (backed up on tapes), and create a script that can be run manually to post some standard reports with specific information of the most recent information (this may be 3-10 days, not sure how many days the local files will retain) found in the local files and formatted in HTML format to be pushed to a webserver and then posted on a website.

I found the following information in the "HP-UX Reference, Release 11.0 Volume 5 of 5, Edition 1":

Audit Log Files
"At any time when the auditing system is enabled, at least an audit log file must be present, and another back-up log file is highly recommended. Both of these files (along with various attributes for these files) can be specified using audsys(1M). When the current log file exceeds a pre-specified size, or when the auditing file system is dangerously full, the system automatically switches to the back-up file if possible. If a backup log file is not available, warning messages are sent to request appropriate administrator action."
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
9 REPLIES
Christopher McCray_1
Honored Contributor

Re: Trivial question about HP-UX trusted mode audit logs

Hello, ADAM

Here is a post from last year to which I responded concerning this:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x2c5b42308663d611abdb0090277a778c,00.html

This has a script that we use at my place as well as some things to think about with respect to audit files and filesystems.

Hope this helps

Chris
It wasn't me!!!!
MAD_2
Super Advisor

Re: Trivial question about HP-UX trusted mode audit logs

Thanks for your prompt response Christopher. Time for me to go home, but I will leave a recap on my other questions:

1. How to properly clean the audit log files?
2. How to properly back them up? Utility driven in sam or command line, or can they just be archived with cpio and then emptied out?

Also, has anyone ever experimented with sending these files to a web server per se, to publish their information in a secure website for other IT personnel review and interest?
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
Christopher McCray_1
Honored Contributor

Re: Trivial question about HP-UX trusted mode audit logs

Hello again,

1. Once the audit file has been switched, the previous file is merely a file; do with it what you will.

2. Also an answer to your question 1, We have been merely tarring them off to tape at the beginning of each month, but we have been trying to switch all that to batch-mode ftp them from all the servers to a large, central filesystem on our management server, where they will be backed up to tape.

As for publishing them to a website, I have never done this. You may also want to shy away from this as well, because you will have management types that will start bombarding you with questions that, 1) You don't have time for and, 2) that they need not know about.

I hope the first two points answered your question, the last is merely my $0.02 .

Hope you have a good night,

Chris
It wasn't me!!!!
MAD_2
Super Advisor

Re: Trivial question about HP-UX trusted mode audit logs

Christopher,
You said:
1. Once the audit file has been switched, the previous file is merely a file; do with it what you will. My question:

- Once the back-up file fills up, does it switch back to the main one? Does the primary file clean itself up or do I have to do it manually? I mean, how does it work? That's what I don't seem to be able to find in any manual, what happens to the files (if you back them up or if you don't). What's the proper way to clean them up?

2. My plan is to do something similar to what you do on this point.

And as for publishing them to a website, I don't like the idea of doing it, don't prefer to do it because of many complications. It's not only all of the work, but that the requestor will not be able to understand 90% of what is there. The requestor was my boss, the IT manager, and he wants to see what everyone is doing in the system.... Mmm, what else can I say?
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
Darren Prior
Honored Contributor

Re: Trivial question about HP-UX trusted mode audit logs

Hi Adam,

In my experience, most people with auditing don't spend very much time looking at the records. They tend to archive the audit files, then read them after there's been a problem in order to track down information. Unless you are very careful with your choice of what's being logged, you'll end up with stacks of information that isn't very interesting to read - and your IT manager will give up looking at it after a week or 2!

As for the backup file issue, once the auditfile has switched to the backup it will not switch back to the initial auditfile. You must remember to use audsys to set new current and next auditfiles - ensuring that you set the current file to be the backup, and the next file to be either the initial auditfile or a new one. It's a common mistake to think that audsys will swap back to the first file - this mistake tends to lead to the filesystem containing the auditfile filling up. This does sound a bit wordy, so here's another way of looking at it:

audsys is set to use a1 as the current file and a2 as the next file. a1 reaches the limit so audsys now switches a2 to be written to. a2 will be written to until the filesystem fills up. Because of this, you run audsys again, setting a2 as the current and a3 as the next. You can now archive a1 and remove it if you wish.

regards,

Darren
Calm down. It's only ones and zeros...
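As an added illustration (not part of the thread, and not HP's KBRC script), here is a POSIX shell sketch of the single rotation step Darren describes: make the backup file the current one, point audsys at a fresh next file, then move the filled file out for archiving. The audsys flags (-c/-s current file and switch size, -x/-z next file and size), the archive directory and the "pass the two file names yourself" interface are my assumptions, so check them against your audsys(1M) man page before relying on it.

```sh
#!/bin/sh
# One rotation step of the a1 -> a2 -> a3 scheme from the post above.
# Added example, not from the thread or from HP.  Assumptions:
#  - you pass OLD (the file that just filled) and CUR (the backup audsys
#    switched to); the script does not parse audsys status output;
#  - audsys(1M) flags -c/-s (current file, switch size in KB) and -x/-z
#    (next file, size) are as I recall them; verify against your man page;
#  - AUDIT_DIR and ARCHIVE_DIR sit on different filesystems, as planned above.
AUDIT_DIR=${AUDIT_DIR:-/.secure/etc}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/audit_archive}   # hypothetical archive location
SIZE_KB=${SIZE_KB:-5000}                          # 5000KB, the size chosen in the question
DRY_RUN=${DRY_RUN:-0}                             # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# next_name a2 -> a3: bump the trailing number so file names never collide
next_name() {
    num=${1##*[!0-9]}          # trailing digits (empty if the name has none)
    base=${1%"$num"}
    if [ -z "$num" ]; then num=0; fi
    printf '%s%s\n' "$base" "$(expr "$num" + 1)"
}

# rotate OLD CUR: make CUR the current file, create a fresh next file,
# then move OLD (now "merely a file") to the archive area for tape backup.
rotate() {
    old=$1; cur=$2
    if [ "$old" = "$cur" ]; then
        echo "old and current file must differ" >&2
        return 1
    fi
    nxt=$(next_name "$cur")
    run audsys -c "$AUDIT_DIR/$cur" -s "$SIZE_KB" -x "$AUDIT_DIR/$nxt" -z "$SIZE_KB"
    run mv "$AUDIT_DIR/$old" "$ARCHIVE_DIR/$old.$(date +%Y%m%d)"
}

# Usage: DRY_RUN=1 sh rotate_audit.sh a1 a2   (prints the two commands it would run)
if [ "$#" -eq 2 ]; then rotate "$1" "$2"; fi
```

Run it with DRY_RUN=1 first; the printed audsys line is what you would otherwise type by hand after the switch, and the mv line is the archive step Christopher tars to tape.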
MAD_2
Super Advisor

Re: Trivial question about HP-UX trusted mode audit logs

Good Lord Darren, great to have this forum and to get answers like this one you just shared with us.

Now things make sense, this is not really described in a way that makes sense in any of the books I have read, no wonder so many people get confused, and no wonder some filesystems may get filled. Good thing I did not turn it on until I got my answers.

So, what good are the limits that are set on the logs for? Just to provide alarms? If my filesystem is filling up, I really do not care much at that moment about the audit file, I want it to stop growing once it is giving me trouble. Trigger the alarm to let me know it has reached its limit and will not be recording anything else, but shut it off if I set a limit to stop at that point.

So, not to be repetitive, I just need to make sure:

1. I can set a1 to be primary and a2 to be back-up.
2. Once a1 fills up, it switches to a2 automatically. I can now back up a1 and remove it if I want.
3. Once a2 is the one archiving, I can make it the primary and then make an a3 to become the back-up, correct, and repeat the process from there on. This means of course I have to constantly monitor its growth.

Wow, this requires quite a bit of manual intervention and monitoring, it's especially pretty bad when you don't even have an idea of how fast they will grow originally.

Thanks for the insight though!
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
Darren Prior
Honored Contributor

Re: Trivial question about HP-UX trusted mode audit logs

Hi Adam,

Thanks for your comments - the forum is a great place to learn from and to share info.

The following document in the Knowledge Database was almost written with your exact questions in mind! (ref: KBRC00007400) It should be read in conjunction with the "Managing Systems and Workgroups: A Guide for HP-UX System Administrators" document on http://docs.hp.com to help explain this confusing topic. It also contains a script that can perform the required audsys commands when needed. You must have your contract details linked to your ITRC profile in order to be able to access the KBRC document.

There's also some useful info in the WARNINGS section of the audsys, audevent and audomon man pages at 11i. You can read these man pages at http://docs.hp.com if your system isn't 11i.

To answer your question about the limits, check the audomon man page - that's where the alarms come from and you have some control over how early you get the warning.

Your comments on a1, a2, a3 are correct - you could of course use just 2 filenames rather than increasing them forever. In that case you would simplify your scripting, but you'd have to consider how to archive them and know which was which! As for monitoring, that's audomon's job (see above) - though I haven't checked whether the warnings go into syslog or just to the console.

If you are able it might be useful to setup auditing on a test system, just so you can play with small values for the files and see how it all works.

regards,

Darren.
Calm down. It's only ones and zeros...
MAD_2
Super Advisor

Re: Trivial question about HP-UX trusted mode audit logs

Darren, I am unable to find document "KBRC00007400" in the Knowledge Database. I am logged in with my profile, which is of course tied to my handle, what am I doing wrong?

This is the page I get to search the "Knowledge Database"

http://www.designjet.hp.com/tkd.html?new_product=100&newlang=en
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
Darren Prior
Honored Contributor

Re: Trivial question about HP-UX trusted mode audit logs

Hi Adam,

I can't give you an exact link, as the European and US servers have separate URLs. However, if you click on the "IT Resource Center" on the yellowish background at the top of this page, you can then click on the "search technical database" link. You then have a choice whether to use keywords or the Doc ID.

regards,

Darren.
Calm down. It's only ones and zeros...