audit_track_paths.5 (2010 09)

audit_track_paths(5) audit_track_paths(5)
(Tunable Kernel Parameters)
NAME
audit_track_paths - enable/disable tracking of current and root directories for auditing subsystem
VALUES
Failsafe
0 (off)
Default
0 (off)
Allowed values
0 (off) or 1 (on)
Recommended values
1 (on) if Audit is turned on or HP-UX HIDS is installed, 0 (off) otherwise.
DESCRIPTION
audit_track_paths is a dynamic tunable that replaces the HP-UX HIDS specific static tunable enable_idds.
Setting the tunable audit_track_paths to 1 enables both Audit and HP-UX HIDS to resolve and report absolute pathnames for their accounting purposes. This also causes additional tracking by the kernel, resulting in a small degradation in performance (and an increase in kernel memory usage), even if the auditing subsystem is not in use. Although it is not required, it is highly recommended to reboot the system when setting the tunable audit_track_paths to 1 with the intention of recording absolute pathnames. Otherwise, Audit or HP-UX HIDS may not be able to resolve and report absolute pathnames consistently.
When audit_track_paths is set to 0, Audit will not resolve absolute pathnames, while HP-UX HIDS will be unable to open the device and collect data. This is because HIDS always expects a complete pathname for its purposes.
The tunable is in the Default state, with its value set to 0, when the system is installed without HP-UX HIDS. The tunable is set to 1 when HP-UX HIDS is first installed.
Who Is Expected to Change This Tunable?
An administrator with proper privileges can change the value of audit_track_paths, subject to the restrictions stated below.
Restrictions on Changing
The tunable audit_track_paths is a dynamic tunable, so any change to it takes effect immediately, provided the following conditions are satisfied:
1) If the new tunable value is 0 (and not Default), then HP-UX HIDS will not be able to open the IDDS device and therefore will not be able to run any intrusion detection template that requires system call audit records. This restriction is enforced to avoid HIDS reporting incomplete or relative pathnames.
2) If /dev/idds is opened, then the administrator will not be allowed to change the value of the tunable.
3) If the tunable is set to Default, IDDS will self-tune its value to 1 when the IDDS device is opened by HP-UX HIDS.
4) If the tunable value is set to Default, Audit will self-tune its value to 1 at the time of turning ON auditing.
5) If Audit is already ON, the administrator is not allowed to change the tunable value.
6) If the administrator changes the tunable value from 0 to 1, a reboot of the system is recommended to avoid reporting of partial pathnames by HP-UX HIDS or Audit.
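The interaction of restrictions 1 to 6 above, as an added Python model that is not HP-UX or Hewlett-Packard code. The class and method names are hypothetical, the state is supplied by hand rather than read from a system, and recording a self-tuned Default as 1 is a modelling simplification.

```python
# Added model of the "Restrictions on Changing" rules; not HP-UX code.
# All names are hypothetical; state is set by the caller, not read from a host.
DEFAULT = "default"   # tunable left in the Default state (effective value 0)


class TrackPathsModel:
    def __init__(self, setting=DEFAULT):
        self.setting = setting      # DEFAULT, 0 (explicit off) or 1 (on)
        self.audit_on = False
        self.idds_open = False

    @property
    def value(self):
        # The Default state carries the value 0 until something self-tunes it.
        return 0 if self.setting == DEFAULT else self.setting

    def set_tunable(self, new):
        """Administrator change request; returns (accepted, note)."""
        if self.idds_open:                       # restriction 2
            return False, "denied: /dev/idds is open"
        if self.audit_on:                        # restriction 5
            return False, "denied: Audit is ON"
        old = self.value
        self.setting = new
        if old == 0 and new == 1:                # restriction 6
            return True, "accepted: reboot recommended"
        if new == 0:                             # restriction 1
            return True, "accepted: HIDS cannot open IDDS device"
        return True, "accepted"

    def hids_open_idds(self):
        """HP-UX HIDS opening the IDDS device; returns True on success."""
        if self.setting == 0:                    # restriction 1: explicit 0
            return False
        if self.setting == DEFAULT:              # restriction 3: self-tune
            self.setting = 1                     # simplification: recorded as 1
        self.idds_open = True
        return True

    def audit_start(self):
        """Turn auditing ON; returns True if absolute paths will be resolved."""
        if self.setting == DEFAULT:              # restriction 4: self-tune
            self.setting = 1                     # simplification: recorded as 1
        self.audit_on = True
        return self.value == 1
```

The model makes the difference between Default and an explicit 0 visible: both report the value 0, but only Default self-tunes when HIDS or Audit starts.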
When Should the Tunable Be Turned On?
The tunable audit_track_paths should be turned ON if either HP-UX HIDS or Audit is going to be started.
HP-UX 11i Version 3: September 2010    Hewlett-Packard Company