HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

1. Configure the users you want to audit using the userdbset command. For more information
on configuring auditing for users, refer to “Auditing Users”.
2. Configure the events you want to audit using the audevent command. For example, to
select the admin, login, and moddac events for auditing, enter the following command:
# audevent -P -F -e admin -e login -e moddac
Use the audevent command with no options to display the events and system calls that
are currently selected for auditing.
For more information on configuring auditing for events, refer to “Auditing Events”.
3. Set the audevent argument parameters in the /etc/rc.config.d/auditing file so that the
event selection is reapplied when the system is rebooted; the selection made with audevent
on the running system is not retained across a reboot by itself. For example, to retain the
parameters configured in step 2, set the parameter as follows (the file is read as shell
code, so the value must be quoted and there must be no spaces around the equals sign):
AUDEVENT_ARGS1="-P -F -e admin -e login -e moddac"
4. Start the auditing system and define the log files using the audsys command. For example:
# audsys -n -c primary_audit_file -s 1000
Here -n starts auditing, -c names the current (primary) audit log file, and -s sets the size
in KB at which logging switches to the next file.
5. Set up your log files and log file switch parameters in the /etc/rc.config.d/auditing
file, using the same values you gave to audsys. Follow these steps:
a. Set PRI_AUDFILE to the name of your primary audit log file.
b. Set PRI_SWITCH to the maximum size of your primary audit log file (in KB), at which
audit logging switches to the auxiliary log file.
c. Set SEC_AUDFILE to the name of your auxiliary (secondary) audit log file.
d. Set SEC_SWITCH to the maximum size of your auxiliary audit log file (in KB).
For more information about setting up primary and auxiliary audit log files, refer to “Audit
Log Files”.
6. Set the AUDIT flag to 1 in the /etc/rc.config.d/auditing file so that the auditing
system is started automatically, with the parameters set in this file, when the system is
rebooted.
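Steps 3, 5 and 6 all end in /etc/rc.config.d/auditing, and a mistake there (spaces around the equals sign, an empty AUDEVENT_ARGS1, the same file named for both logs) does not show up until the next reboot, when auditing comes up with default settings or not at all. The POSIX sh script below is an added example, not code from the guide or from HP-UX: it checks a copy of that file before it is installed. PRI_AUDFILE, PRI_SWITCH, SEC_AUDFILE, SEC_SWITCH and AUDEVENT_ARGS1 are the variable names the guide documents; AUDITING is assumed to be the name of the boot-time enable flag that step 6 calls the AUDIT flag; the paths under /.secure/etc and the three sample fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide or from HP-UX: sanity-check an
# /etc/rc.config.d/auditing fragment before installing it. PRI_AUDFILE,
# PRI_SWITCH, SEC_AUDFILE, SEC_SWITCH and AUDEVENT_ARGS1 are the names the
# guide documents; AUDITING is ASSUMED to be the boot-time enable flag the
# guide calls the AUDIT flag. Paths and sample fragments are constructed.

# rc.config.d files are sourced by the startup script as sh code, so each
# setting must be a plain assignment: NAME=value, no spaces around '=', and
# a value containing spaces must be quoted. The pattern also refuses $,
# backtick and parentheses, so a fragment that passes contains no command
# substitution and can be sourced below without executing anything.
q="'"
RC_ASSIGN="^[A-Za-z_][A-Za-z0-9_]*=([^[:space:]\"$q\$\`()]*|\"[^\"\$\`]*\"|$q[^$q]*$q)[[:space:]]*\$"

# Print every non-comment line that is not a safe assignment; fail if any.
rc_syntax_ok() {
    bad=$(grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -v -E "$RC_ASSIGN" || :)
    if [ -n "$bad" ]; then
        printf 'not an assignment: %s\n' "$bad"
        return 1
    fi
}

# Source the fragment in a subshell (nothing leaks into the caller) and print
# the six settings of interest, one per line, in a fixed order.
rc_values() {
    case "$1" in */*) f=$1 ;; *) f=./$1 ;; esac
    (
        unset AUDITING PRI_AUDFILE PRI_SWITCH SEC_AUDFILE SEC_SWITCH AUDEVENT_ARGS1
        . "$f"
        printf '%s\n' "${AUDITING-}" "${PRI_AUDFILE-}" "${PRI_SWITCH-}" \
                      "${SEC_AUDFILE-}" "${SEC_SWITCH-}" "${AUDEVENT_ARGS1-}"
    )
}

# True if $1 is a positive decimal integer (a switch size in KB).
is_pos_int() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

# Report every problem in the fragment, one line each; return 0 only when it
# is syntactically sound and the values are consistent with steps 3, 5 and 6.
check_audit_rc() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    rc_syntax_ok "$1" || return 1
    rc_values "$1" | {
        read -r auditing; read -r pri; read -r prisw
        read -r sec; read -r secsw; read -r evargs
        status=0
        [ "$auditing" = 1 ] || { echo "AUDITING is '$auditing', not 1: auditing will not start at boot"; status=1; }
        case "$pri" in /*) ;; *) echo "PRI_AUDFILE '$pri' is not an absolute path"; status=1 ;; esac
        case "$sec" in /*) ;; *) echo "SEC_AUDFILE '$sec' is not an absolute path"; status=1 ;; esac
        [ "$pri" != "$sec" ] || { echo "PRI_AUDFILE and SEC_AUDFILE are the same file: nothing to switch to"; status=1; }
        is_pos_int "$prisw" || { echo "PRI_SWITCH '$prisw' is not a positive size in KB"; status=1; }
        is_pos_int "$secsw" || { echo "SEC_SWITCH '$secsw' is not a positive size in KB"; status=1; }
        [ -n "$evargs" ] || { echo "AUDEVENT_ARGS1 is empty: the audevent selection will not be reapplied at boot"; status=1; }
        exit "$status"
    }
}

# Constructed samples: one correct, one with spaces around '=' (the line is
# then run as a command instead of setting the variable), one with bad values.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/auditing.good" <<'EOF'
# /etc/rc.config.d/auditing (constructed sample)
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e admin -e login -e moddac"
EOF
cat > "$SAMPLE_DIR/auditing.badsyntax" <<'EOF'
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1 = -P -F -e admin -e login -e moddac
EOF
cat > "$SAMPLE_DIR/auditing.badvalues" <<'EOF'
AUDITING=0
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=0
SEC_AUDFILE=/.secure/etc/audfile1
SEC_SWITCH=1000
AUDEVENT_ARGS1=""
EOF

for f in good badsyntax badvalues; do
    if check_audit_rc "$SAMPLE_DIR/auditing.$f"; then
        echo "auditing.$f: OK"
    else
        echo "auditing.$f: do not install"
    fi
done
```

The syntax check runs before the file is sourced on purpose: a fragment is only ever read as shell code after the pattern has confirmed it contains nothing but quoted or bare assignments, so checking a file of doubtful origin cannot run a command hidden in it. The value checks mirror the guide's steps one for one; add a line for AUDEVENT_ARGS2 and the other optional variables if your site uses them.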
Step 3: Monitoring Audit Files
To view, monitor, and administer your audit files, follow these steps:
1. View the audit log files with the audisp command:
# audisp audit_file
Refer to “Viewing Audit Logs” for details on using the audisp command.
2. Monitor the sizes of the log files with the audomon command:
# audomon -p 20 -t 1 -w 90
The audomon command also monitors the capacity of the file system on which the audit file
is located. The audomon command takes the following arguments:
-p fss The minimum percentage of space left on the file system that contains the
primary audit log file before the auditing system switches to the auxiliary
log file. The default fss value is 20%.
-t sp_freq The minimum wakeup interval, in minutes, at which the system prints
warning messages for audit log file switch points on the console. The default
sp_freq value is 1 minute.
-w warning The percentage of audit log file space used, or of the minimum file system free
space consumed, after which warning messages are sent to the console. The
default warning value is 90%.
Refer to audomon(1M) for more information.
76 Standard Mode Security Extensions