Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Auditing a Trusted System
Chapter 8 793
A record is written when the event type is selected for auditing, and
the user initiating the event has been selected for auditing. The
login event is an exception. Once selected, this event will be
recorded whether or not the user logging in has been selected for
auditing.
When an event type is selected, its associated system calls are
automatically enabled. Table 8-3, “Audit Event Types and System
Calls,” on page 794 lists these system calls.
The following audit monitor and log parameters are provided with
default values shown. They may be changed using SAM or audit
commands.
Primary log file path name = /.secure/etc/audfile1
Primary log file switch size (AFS) = 1000 KB
Auxiliary log file path name = /.secure/etc/audfile2
Auxiliary log file switch size (AFS) = 1000 KB
Monitor wake up interval = 1 minute
Allowable free space minimum (FSS) = 20% (of file system)
Start sending warning messages when log reaches = 90%
You can assess the size of your file systems using the bdf command.
Choose a file system with adequate space for your audit log files. For
example, using the system-supplied defaults:
The /.secure/etc file system must have more than 5000 KB
available for the primary audit log file, and
It must have more than 20% of its file space available.
You should provide a new path name for the auxiliary audit log file.
We recommend that the primary and auxiliary audit log files reside
on separate file systems.
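As an added example that is not part of the HP-UX manual, the following POSIX sh helper applies the two checks above (more than 5000 KB available, more than 20% of the file system free) to bdf output. The bdf sample is constructed, and its device names, sizes and mount points are assumptions, not values from the manual.

```shell
#!/bin/sh
# Constructed sample of HP-UX bdf output; device names and sizes are made
# up. Columns are bdf's: Filesystem kbytes used avail %used "Mounted on".
# bdf folds a long device name onto a line of its own; that two-line form
# is not handled here, so keep each file system on one line as below.
SAMPLE_BDF='Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol3     143360   59800   78300   43% /
/dev/vg00/lvol6      51200   42200    9000   82% /.secure
/dev/vg00/lvol7       8192    4192    4000   51% /auditaux'

# audit_fs_ok KBYTES AVAIL MIN_AVAIL_KB MIN_FREE_PCT
# Returns 0 when AVAIL exceeds MIN_AVAIL_KB and the free fraction exceeds
# MIN_FREE_PCT percent of the file system; otherwise 1. Integer math only.
audit_fs_ok() {
    kbytes=$1 avail=$2 min_kb=$3 min_pct=$4
    free_pct=$((avail * 100 / kbytes))
    [ "$avail" -gt "$min_kb" ] && [ "$free_pct" -gt "$min_pct" ]
}

# check_audit_fs BDF_OUTPUT MOUNT_POINT MIN_AVAIL_KB MIN_FREE_PCT
# Locates MOUNT_POINT (last column) in the bdf output and applies
# audit_fs_ok to its kbytes and avail columns. Returns 2 if not listed.
check_audit_fs() {
    bdf_out=$1 mnt=$2 min_kb=$3 min_pct=$4
    line=$(printf '%s\n' "$bdf_out" | grep -- " $mnt\$") || return 2
    set -- $line            # $2 = kbytes, $4 = avail
    audit_fs_ok "$2" "$4" "$min_kb" "$min_pct"
}

# Thresholds from the manual's defaults: > 5000 KB available for the
# primary log and > 20% of the file system free (the FSS minimum).
for mnt in / /.secure /auditaux; do
    if check_audit_fs "$SAMPLE_BDF" "$mnt" 5000 20; then
        echo "$mnt: adequate space for an audit log file"
    else
        echo "$mnt: insufficient space for an audit log file"
    fi
done
```

On a live system, substitute `"$(bdf)"` for `"$SAMPLE_BDF"` and the mount point that holds /.secure/etc.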
CAUTION: If you specify the name of an existing file to be used as your auxiliary
audit log file, the contents of the file will be overwritten.
If the file system containing the primary log file is full and no auxiliary
log file is specified, any nonroot process that generates audit data will
block inside the kernel. Also, if a nonroot process is connected to the
system terminal, it will be terminated. For details, see the WARNINGS
section of the audsys(1M) manpage.