White Paper
18
Use an editor (for example, vi) to directly edit the /etc/rbac/aud_filter file. The HP-UX RBAC administrative commands do not provide an interface to configure /etc/rbac/aud_filter.
Management
This section describes how to enable and disable auditing, and how to rotate audit log files.
Enabling auditing
To enable auditing, use one of the following methods:
• Enter the /sbin/init.d/auditing start command. When you do this, the following occurs:
– Reads the /etc/rc.config.d/auditing file.
– Displays events to be audited by running audevent using the AUDEVENT_ARGS flags.
– Turns on the auditing system by running audsys -n.
– When audsys is run for the first time, the command creates the /etc/audit/audnames file using the log file names and sizes specified by PRI_AUDFILE and SEC_AUDFILE. Thereafter, each time the audsys -n command is invoked, it uses the audit log names and sizes from the audnames file.
– Starts the audomon daemon with the AUDOMON_ARGS.
• HP-UX Security Attributes Configuration Tool
Used to view and configure system-wide and per-user (local users and NIS users) values of security attributes. You can launch this tool from the HP System Management Homepage (SMH) or HP Systems Insight Manager (SIM). For more information, see secweb(1M).
• Entering the audsys -n and audomon commands manually.
Disabling auditing
To disable auditing, enter the audsys -f command.
Rotating audit logs
To enable audit log rotation, run the audomon daemon. The audomon daemon monitors the capacity of the current audit trail and the file system on which the audit trail is located, by checking the FileSpaceSwitch (FSS) and AuditFileSwitch (AFS) switch points. If either switch point is reached, audit recording automatically switches to an alternative audit trail. For example, if the auditing system was started using audsys -n -c /var/.audit/my_trail -s 1000, the following command starts the audomon daemon:
audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
This command has the following behaviors:
• The audomon daemon sleeps at least 1 minute at intervals.
• When the size of the current audit trail reaches 1000*90% or 900 kilobytes, or the file system that contains the current audit trail has reached (100%-20%) * 90% or 72% full, audomon starts printing warning messages to the console.
• When the size of the current audit trail reaches 1000 kilobytes, or the file system that contains the current audit trail has reached 100% - 20% or 80% full, audomon switches recording data to: /var/.audit/my_trail.yyyymmdd_HHMM, where yyyymmdd_HHMM is replaced by the time when the switch has happened.
• After the switch succeeds, audomon invokes the following command: