HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

audit_track_paths(5) audit_track_paths(5)
(Tunable Kernel Parameters)
NAME
audit_track_paths - enable/disable tracking of current and root directories for auditing subsystem
VALUES
Failsafe
0 (off)
Default
0 (off)
Allowed values
0 (off) or 1 (on)
Recommended values
1 (on) if Audit is turned on or HP-UX HIDS is installed, 0 (off) otherwise.
DESCRIPTION
audit_track_paths is a dynamic tunable and replaces the HP-UX HIDS specific static tunable enable_idds.
Setting the tunable audit_track_paths to 1 enables both Audit and HP-UX HIDS to resolve and report absolute pathnames for their accounting purposes. This also causes additional tracking by the kernel, resulting in a small degradation in performance (and an increase in kernel memory usage), even if the auditing subsystem is not in use. Although it is not required, it is highly recommended to reboot the system when setting the tunable audit_track_paths to 1 with the intention of recording absolute pathnames. Otherwise, Audit or HP-UX HIDS may not be able to resolve and report absolute pathnames consistently.
When audit_track_paths is set to 0, Audit will not resolve absolute pathnames, while HP-UX HIDS will be unable to open the device and collect data. This is because HIDS always expects a complete pathname for its purposes.
The tunable is set to the Default state when the system is installed without HP-UX HIDS, and its value is set to 0. The tunable is set to 1 when HP-UX HIDS is first installed.
Who Is Expected to Change This Tunable?
An administrator with proper privileges can change the value of audit_track_paths, depending on the restrictions stated below.
Restrictions on Changing
The tunable audit_track_paths is a dynamic tunable, so any changes to it will take effect immediately, provided the following conditions are satisfied:
1) If the new tunable value is 0 (and not Default), then HP-UX HIDS will not be able to open the IDDS device; and therefore, it will not be able to run any intrusion detection template that requires system call audit records. This restriction is enforced to avoid HIDS reporting incomplete or relative pathnames.
2) If /dev/idds is opened, then the administrator will not be allowed to change the value of the tunable.
3) If the tunable is set to Default, IDDS will self-tune its value to 1 when the IDDS device is opened by HP-UX HIDS.
4) If the tunable value is set to Default, Audit will self-tune its value to 1 at the time of turning ON auditing.
5) If Audit is already ON, the administrator is not allowed to change the tunable value.
6) If the administrator changes the tunable value from 0 to 1, a reboot of the system is recommended to avoid reporting of partial pathnames by HP-UX HIDS or Audit.
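The restrictions above, modelled as a pre-change check. This is an added example, not part of the HP-UX reference: the function names, state strings and verdict strings are hypothetical, and the caller supplies whether /dev/idds is open and whether Audit is ON.

```sh
#!/bin/sh
# Added example modelling "Restrictions on Changing"; not HP-UX code.
# STATE/CUR/NEW: default | 0 | 1.  IDDS_OPEN/AUDIT_ON: yes | no.
# The caller supplies these inputs; collecting them is not shown here.

# Value in effect. Default carries value 0 and self-tunes to 1 when
# HIDS opens the IDDS device or auditing is turned on (restrictions 3, 4).
effective_value() {   # usage: effective_value STATE IDDS_OPEN AUDIT_ON
    case "$1" in
        0|1) echo "$1" ;;
        default)
            if [ "$2" = yes ] || [ "$3" = yes ]; then echo 1; else echo 0; fi ;;
        *) echo unknown; return 2 ;;
    esac
}

# Verdict for changing CUR to NEW. Returns 0 if permitted, 1 if refused.
check_change() {      # usage: check_change CUR NEW IDDS_OPEN AUDIT_ON
    case "$2" in
        default|0|1) ;;
        *) echo "REFUSED invalid-value"; return 1 ;;
    esac
    if [ "$3" = yes ]; then      # restriction 2
        echo "REFUSED idds-device-open"; return 1
    fi
    if [ "$4" = yes ]; then      # restriction 5
        echo "REFUSED audit-on"; return 1
    fi
    case "$2" in
        0)       echo "ALLOWED hids-cannot-open-idds" ;;   # restriction 1
        default) echo "ALLOWED self-tunes-on-use" ;;       # restrictions 3, 4
        1)  # restriction 6; Default is treated as value 0 (assumption)
            if [ "$1" = 1 ]; then echo "ALLOWED no-change"
            else echo "ALLOWED reboot-recommended"; fi ;;
    esac
    return 0
}

# Constructed sample states, not taken from a real system.
check_change default 1 no no
check_change 1 0 yes no || true
effective_value default no yes
```
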
When Should the Tunable Be Turned On?
The tunable audit_track_paths should be turned ON if either HP-UX HIDS or Audit is going to be started.
Hewlett-Packard Company, HP-UX 11i Version 3: February 2007