White Paper

Audit tunable parameters (HP-UX 11i v3 only)
You can modify the auditing operation dynamically by changing one of the following audit tunable
kernel parameters:
audit_memory_usage — Defines the percentage of physical memory to be used by audit
records. If the audit record memory usage exceeds the audit_memory_usage limit, the audit
subsystem blocks the system call until memory usage decreases to within the limit. You can change
this tunable value at any time. However, you cannot lower its value below the memory currently
used by the audit subsystem for records. Valid values are 1 to 10, inclusive. The default is 5.
audit_track_paths — Enables and disables tracking of current and root directories for the
auditing subsystem. When audit_track_paths is set to 0, Audit does not resolve absolute
pathnames, and HP-UX HIDS is unable to open the device and collect data. This is because HIDS
always expects a complete pathname for its purposes.
Setting audit_track_paths to 1 enables both Audit and HP-UX HIDS to resolve and report
absolute pathnames for their accounting purposes. This also causes additional tracking by the
kernel, resulting in a small degradation in performance, even if the auditing subsystem is not in use.
The tunable is set to 0 (default) when the system is installed without HP-UX HIDS. The tunable is set
to 1 when HP-UX HIDS is first installed. You cannot change this tunable when either HIDS or
auditing is running.
Although not required, HP recommends you reboot the system when changing the
audit_track_paths tunable to enable or disable the recording of absolute pathnames.
Otherwise, Audit or HP-UX HIDS might not resolve and report absolute pathnames consistently.
diskaudit_flush_interval — Defines the periodic time interval (in seconds) between two
consecutive flushes of audit records buffered in the kernel memory. Set the value of this tunable so
that buffers are cleaned when they are approximately half full, or are idle for a long time but still
holding some data in the buffer. Keeping the tunable value too low results in flushing too soon and
can lead to too many small write operations that can affect performance. On the other hand,
keeping the value too high might lead to high unflushed memory consumption. Valid values are 1 to
100, inclusive; HP recommends a value from 3 to 6. The default value is 5.
The kctune command is the administrative command for HP-UX kernel tunable parameters. It
provides information about tunable parameters and their values, and makes changes to tunable
values. For more information, see kctune(1M).
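The following shell function is an added example, not part of the white paper or of HP's tooling: it checks the three audit tunables against the valid ranges, the recommended flush interval, and the HIDS dependency described above. The function name check_audit_tunables, its "hids" argument, the name/value input layout and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the white paper): check audit tunables against the
# ranges the text gives. Input is "name value" per line; on a real host that
# would be trimmed from kctune query output (column layout is an assumption).

# Constructed sample values, not taken from a real system.
SAMPLE='audit_memory_usage 5
audit_track_paths 0
diskaudit_flush_interval 30'

# $1 = tunable listing, $2 = "hids" if HP-UX HIDS is installed (caller-supplied).
# Prints one OK/WARN/FAIL line per tunable; returns non-zero on any FAIL.
check_audit_tunables() {
    printf '%s\n' "$1" | awk -v hids="${2:-nohids}" '
    function say(level, msg) { print level, $1 ": " msg; if (level == "FAIL") bad = 1 }
    function inrange(v, lo, hi) { return (v ~ /^[0-9]+$/) && (v + 0 >= lo) && (v + 0 <= hi) }
    { seen[$1] = 1 }
    $1 == "audit_memory_usage" {
        # Valid 1-10 (percent of physical memory); system calls block at the limit.
        if (inrange($2, 1, 10)) say("OK", $2 "% of physical memory")
        else say("FAIL", "value " $2 " is outside the valid range 1-10")
    }
    $1 == "audit_track_paths" {
        # 0 means no absolute pathnames, which HIDS needs to collect data.
        if ($2 != "0" && $2 != "1") say("FAIL", "value " $2 " is not 0 or 1")
        else if ($2 == "0" && hids == "hids") say("FAIL", "0 with HIDS installed, absolute pathnames are not resolved")
        else say("OK", $2)
    }
    $1 == "diskaudit_flush_interval" {
        # Valid 1-100 seconds; the recommended band is 3-6.
        if (!inrange($2, 1, 100)) say("FAIL", "value " $2 " is outside the valid range 1-100")
        else if (!inrange($2, 3, 6)) say("WARN", $2 "s is outside the recommended 3-6")
        else say("OK", $2 "s")
    }
    END {
        n = split("audit_memory_usage audit_track_paths diskaudit_flush_interval", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) { print "FAIL", want[i] ": not present in input"; bad = 1 }
        exit bad + 0
    }'
}

check_audit_tunables "$SAMPLE" hids || true
```

A WARN does not change the return status; only a FAIL (out-of-range value, missing tunable, or audit_track_paths at 0 on a HIDS host) does.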
Self-auditing programs
To reduce the amount of low-level log data and to provide a higher-level recording of some typical
system operations, a collection of privileged programs is given capabilities (privileges) to perform
self-auditing. Most of these programs generate audit data under a single event category. For
example, audsys(1M) generates the audit data under the event admin. Other programs might
generate data under multiple event categories. For example, telnetd(1M) generates data under
the events login and ipcopen. For a list of predefined event categories, see audevent(1M).
This section contains a description and list of the self-auditing programs and DLKMs on HP-UX 11i v3
that produce self-audit event records with self-audit text. The event names (in parentheses) indicate the
event categories under which the self-audit record is generated.
Note:
The list assumes the installation of AuditExt v3.1 and corresponding
patches as specified in the AuditExt v3.1 Release Notes.