Administrator's Guide

To configure the events associated with the basic profile for auditing, use the following
command:
# audevent -P -F -r basic
Both Audit Success and Audit Failure are set as event types for monitoring
successful and failed events or system calls. Monitoring these three event categories is
the minimum event type selection recommended for running a system.
Generally, a record is written only if both the event and the user initiating the event
have been selected for auditing. However, some records may still be generated when a
user starts or ends a session, even if that user is not selected for auditing. Those
records are considered system-wide information and are based on event selection rather
than user selection. Programs that do self-auditing can choose to ignore the user
selection, but this is not recommended.
9.5 Audit Trails
All auditing data is written to an audit trail. In regular mode, an audit trail is stored on
a file system in one or more log files that reside in the same directory. The number of
log files is directly proportional to the number of kernel threads that are configured for
logging audit records (see the audsys -N option). All the files in the directory are
needed for meaningful analysis or display. In contrast to regular mode, a compatibility
mode is also provided in the HP-UX 11i version 3 release that generates an audit trail
stored in a single file. The compatibility mode is supported solely for backward
compatibility and will be obsolete in releases after HP-UX 11i Version 3. See audsys(1M)
for more information.
When the auditing system is enabled, there must be at least one audit trail pathname
specified. The trail pathname and various attributes for the trail can be specified using
the audsys command. When the current trail exceeds a predefined capacity (its Audit
File Switch (AFS) size), or when the auditing file system on which it resides approaches
a predefined capacity (its File Space Switch (FSS) size), the auditing subsystem issues a
warning. When either the AFS or the FSS is reached, the auditing subsystem looks for
an auxiliary trail. If one is available, recording is switched to the auxiliary trail. If no
auxiliary trail is specified, the auditing subsystem creates a new audit trail with the same
base name but a different timestamp extension and begins recording to it. The audomon
command can be invoked with an option (-X) that specifies a command line to run after
a successful audit trail switch to perform some action. Depending on site-specific needs,
the command may perform audit trail backup, archival, off-site transfer, cleanup or
data reporting. If the audit trail switch is unsuccessful, warning messages are sent to
request appropriate administrator action and the current audit trail continues to grow.
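A post-switch hook of the kind the -X option is meant to run, written here as an added example (not HP-UX code): it packs every log file of a switched-away trail directory into one archive together with a SHA-256 manifest, so the per-thread files stay together for later analysis and can be checked for tampering. The argument contract (the hook receives the trail directory and an archive directory) and the sample trail are assumptions.

```python
import hashlib
import os
import tarfile
import tempfile

MANIFEST = "MANIFEST.sha256"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def archive_trail(trail_dir, archive_dir):
    """Hash every log file (all per-thread files are needed together), write a
    manifest beside them, pack the directory into one tar in archive_dir and
    return the manifest so the archive can be verified later."""
    names = sorted(n for n in os.listdir(trail_dir)
                   if n != MANIFEST and os.path.isfile(os.path.join(trail_dir, n)))
    if not names:
        raise ValueError("no audit log files in %s" % trail_dir)
    manifest = {n: sha256_file(os.path.join(trail_dir, n)) for n in names}
    with open(os.path.join(trail_dir, MANIFEST), "w") as mf:
        mf.writelines("%s  %s\n" % (d, n) for n, d in manifest.items())
    os.makedirs(archive_dir, exist_ok=True)
    base = os.path.basename(trail_dir.rstrip("/"))
    out = os.path.join(archive_dir, base + ".tar")
    with tarfile.open(out, "w") as tar:
        tar.add(trail_dir, arcname=base)   # keeps the whole trail set in one archive
    return {"archive": out, "files": manifest}

def verify_archive(archive_path, expected):
    """Re-hash each log file inside the tar against the recorded digests."""
    with tarfile.open(archive_path, "r") as tar:
        for m in tar.getmembers():
            name = os.path.basename(m.name)
            if not m.isfile() or name == MANIFEST:
                continue
            data = tar.extractfile(m).read()
            if hashlib.sha256(data).hexdigest() != expected.get(name):
                return False
    return True

def build_sample_trail(threads=3):
    """Constructed sample (assumed layout): one placeholder log file per kernel
    audit thread, in a directory named with a base name and timestamp extension."""
    d = os.path.join(tempfile.mkdtemp(), "audit.19700101_0000")
    os.makedirs(d)
    for i in range(threads):
        with open(os.path.join(d, "trail.%d" % i), "wb") as f: f.write(b"constructed record %d\n" % i)
    return d
```

Invoke it from the -X command line with the switched trail directory and the archive destination; the returned manifest is what a later integrity check compares against.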