Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Auditing a Trusted System
Chapter 8, page 798
The primary log file is where audit records begin to be collected. When
this file approaches a predefined capacity (its Audit File Switch (AFS)
size), or when the file system on which it resides approaches a predefined
capacity (its File Space Switch (FSS) size), the auditing subsystem issues
a warning. When either the AFS or the FSS of the primary log file is
reached, the auditing subsystem attempts to switch to the auxiliary log
file for recording audit data. If no auxiliary log file is specified, the
primary log file continues to grow.

If other activities consume space on the file system, or the file system
chosen has insufficient space for the AFS size chosen, the File Space
Switch point could be reached before the Audit File Switch point.

If the primary audit log continues to grow past the FSS point, a
system-defined parameter, minfree, could be reached. At this point all
auditable actions are suspended for regular users. Restore the system
to operation by archiving the audit data or by specifying a new audit log
file on a file system that has space.
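The two switch points described above are evaluated inside the auditing subsystem itself. As an added illustration, not taken from the HP-UX guide or from HP's tools, the POSIX shell functions below model the same AFS and FSS comparisons so an administrator can run the check ahead of time (for example from cron) and act before minfree is reached. The script assumes that `wc -c` and `df -P` are available, that the AFS size is given in bytes and the FSS size as a percentage of file-system capacity in use (the text does not state units, so that is an assumption), and the log path and thresholds are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the HP-UX guide): model the Audit File Switch (AFS)
# and File Space Switch (FSS) checks for an audit log in portable POSIX sh.
# Assumptions: `wc -c` and `df -P` exist; AFS is in bytes, FSS is a percentage
# of the file system in use; log paths and thresholds are sample values.

# Size of a file in bytes (0 if the file does not exist yet).
log_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Percentage of the file system containing $1 that is in use,
# taken from the "Capacity" column of POSIX `df -P` output.
fs_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# audit_switch_check LOG AFS_BYTES FSS_PCT
# Prints one verdict word on stdout: NONE, AFS, FSS or BOTH.
# Details go to stderr. Returns 0 when no switch point is reached,
# 1 when the primary log should be switched (or archived) now.
audit_switch_check() {
    log=$1; afs=$2; fss=$3
    size=$(log_size "$log")
    used=$(fs_used_pct "$(dirname "$log")")
    hit_afs=0; hit_fss=0

    if [ "$size" -ge "$afs" ]; then
        echo "AFS: $log is $size bytes (switch size $afs)" >&2
        hit_afs=1
    fi
    # The FSS point can be hit first when other data fills the file system.
    if [ "$used" -ge "$fss" ]; then
        echo "FSS: file system holding $log is ${used}% full (switch at ${fss}%)" >&2
        hit_fss=1
    fi

    case "$hit_afs$hit_fss" in
        00) echo NONE; return 0 ;;
        10) echo AFS ;;
        01) echo FSS ;;
        11) echo BOTH ;;
    esac
    return 1
}

# Sample invocation: audit_switch_check /var/.audit/primary 5242880 90
if [ "$#" -eq 3 ]; then
    audit_switch_check "$@"
fi
```

A non-zero exit from `audit_switch_check` is the cue to archive the current log or point auditing at a new log file on a file system with free space, which is the recovery the text describes.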

Viewing Audit Logs

Auditing accumulates a lot of data. SAM gives you the opportunity to
select the data you want to view. You may select the following items:

• Whether the log output is directed to the screen or to a file.
• The name of the file to which log output is to be directed.
• Whether you wish to view successful and/or failed events.
• Which log file you wish to read.
• Which user login you wish to view.
• Which terminal device you wish to view.
• Which events or system calls you wish to view.

It may take a few minutes to prepare the record for viewing when
working with large audit logs. When viewing your audit data, be aware
of the following anomalies:

• Audit data may appear inaccurate when programs that call
  auditable system calls supply incorrect parameters. For example,
  calling the kill() system call with no parameters (i.e., kill())
  produces unpredictable values in the parameter section of the audit
  record.