HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
NOTE: If the primary audit log continues to grow past the FSS point, a system-defined parameter,
minfree, can be reached. All auditable actions are suspended for regular users at this point. Restore
the system to operation by archiving the audit data, or specifying a new audit log file on a file
system with space.
NOTE: If other activities consume space on the file system, or the file system chosen has
insufficient space for the AFS size chosen, the File Space Switch point can be reached before the
Audit File Switch point.
Choose a file system with adequate space for your audit log files. You can assess the free space
on your file systems using the bdf command. HP recommends that the file system holding your
log files meet at least the following requirements:
• The file system must have more than 5000 KB available for the primary audit log file.
• It must have more than 20% of its total file space available.
TIP: HP recommends that the primary and auxiliary audit log files reside on separate file
systems.
The growth of audit log files is closely monitored by the audit overflow monitor daemon,
audomon, to ensure that no audit data is lost.
Configuring Audit Log Files
Use the audsys command to specify the primary audit log file and the (optional) auxiliary audit
log file to collect auditing data. For example:
# audsys -c primary_audit_file -s 5000 -x auxiliary_audit_file -z 2500
This example specifies a primary audit file 5000K in size, and an auxiliary audit file 2500K in
size. Refer to audsys(1M) for more information about using the audsys command to configure
audit log files.
NOTE: If you specify the name of an existing file as your auxiliary audit log file, the contents
of the file will be overwritten.
CAUTION: If the file system containing the primary log file is full and no auxiliary log file is
specified, any non-root process that generates audit data will block inside the kernel. Also, if a
non-root process is connected to the system terminal, it will be terminated. For details see the
WARNINGS section of the audsys(1M) manpage.
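The file-system requirements above (more than 5000 KB available, more than 20% of total space free, primary and auxiliary logs on separate file systems) are easy to check before running audsys. The script below is an added example, not HP's own tooling: it parses bdf-style output (a constructed sample, not data from a real system), lists the file systems that pass both thresholds, and only then builds the audsys command line from the guide's example. The log file names audit.primary and audit.aux and their placement directly under the chosen mount points are assumptions for illustration. bdf, like df, prints a long Filesystem name on a line of its own with the numbers on the next line, so the parser treats a five-field line as a continuation.

```shell
#!/bin/sh
# Pre-flight check for audit log file placement. Added example, not HP's own
# tooling. Thresholds are the ones stated in the guide.

MIN_AVAIL_KB=5000
MIN_FREE_PCT=20

# audit_fs_ok KBYTES AVAIL
# Returns 0 when a file system of KBYTES total 1K blocks with AVAIL free blocks
# has more than MIN_AVAIL_KB free and more than MIN_FREE_PCT of its total space
# free; returns 1 otherwise. Integer arithmetic only, so it runs in plain sh.
audit_fs_ok() {
    [ "$1" -gt 0 ] || return 1
    [ "$2" -gt "$MIN_AVAIL_KB" ] || return 1
    [ $(( $2 * 100 / $1 )) -gt "$MIN_FREE_PCT" ] || return 1
}

# audit_fs_candidates < bdf-output
# Prints the mount point of every file system in bdf(1M) output that passes
# audit_fs_ok. Column layout: Filesystem kbytes used avail %used Mounted on.
# A 5-field line is the numeric part of a wrapped long Filesystem name.
audit_fs_candidates() {
    while read -r line; do
        set -- $line
        case $# in
            6) kbytes=$2; avail=$4; mount=$6 ;;
            5) kbytes=$1; avail=$3; mount=$5 ;;
            *) continue ;;   # header line, blank line, or bare device name
        esac
        audit_fs_ok "$kbytes" "$avail" && echo "$mount"
    done
}

# plan_audsys PRIMARY_MOUNT AUX_MOUNT < bdf-output
# Prints the audsys(1M) command line from the guide (5000 KB primary,
# 2500 KB auxiliary) when both mount points pass the space check and are
# different file systems, as the TIP recommends. Prints nothing and returns 1
# otherwise. File names under the mount points are assumed for illustration.
plan_audsys() {
    primary=$1; aux=$2
    [ "$primary" != "$aux" ] || return 1
    ok=$(audit_fs_candidates)
    for m in "$primary" "$aux"; do
        echo "$ok" | grep -qx -- "$m" || return 1
    done
    echo "audsys -c $primary/audit.primary -s 5000 -x $aux/audit.aux -z 2500"
}

# Constructed bdf output for the demonstration (not from a real system).
# /      fails the 20% rule, /tmp fails the 5000 KB rule, the other two pass.
SAMPLE_BDF='Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol3     204800  180000   24800   88% /
/dev/vg00/lvol5       8192    3000    4500   40% /tmp
/dev/vg00/lvol8    2097152  409600 1687552   20% /var
/dev/vg01/auditlogs_on_a_long_named_volume
                   1048576  102400  946176   10% /var/.audit'

candidates_demo() { printf '%s\n' "$SAMPLE_BDF" | audit_fs_candidates | tr '\n' ' '; }
plan_demo()       { printf '%s\n' "$SAMPLE_BDF" | plan_audsys /var /var/.audit; }

candidates_demo; echo
plan_demo || echo "no suitable pair of file systems"
```

On a real system, replace the sample with `bdf | audit_fs_candidates` and run the printed audsys line only after reviewing it; the check is a snapshot, and audomon still has to watch growth afterwards.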
Viewing Audit Logs
Auditing accumulates a lot of data. Use the audisp command to select the data you want to
view:
# /usr/sbin/audisp audit_file
The following options are available with the audisp command:
-f                  Displays failed events only.
-p                  Displays successful events only.
-c system_call      Displays the selected system call.
-t                  Displays start time.
-s                  Displays end time.
-u user-name        Displays information for a specific user.
-l terminal-name    Displays information for a specific terminal.
80 Standard Mode Security Extensions