Audit trail doesn't rotate (1080 Views)
Honored Contributor
Viktor Balogh
Posts: 1,007
Registered: ‎03-15-2009
Message 1 of 8 (1,080 Views)

Audit trail doesn't rotate

Hi All,

I have a question regarding the audit trail location. Our system is HP-UX 11.31 with the March 2011 QPK installed. The audit subsystem is set to change the trail file every 10MB, yet it doesn't seem to change, and I end up with a negative percentage in the output of audsys:

cldbpr1:/var/adm# audsys
auditing system is currently on
current trail: /var/.audit/audtrail.20110829_1914
next    trail: none
statistics-     afs Kb  used Kb  avail %    fs Kb  used Kb  avail %
current trail:    10240    12062      -17 39321600 31537632       20
next    trail: none

auditing system is actively writing to 1 file(s)
cldbpr1:/var/adm#

The audit subsystem was restarted recently after the trail file was too large. Is this a known bug or something?

Thank you for any ideas that help solve this problem.

Regards,

Viktor

****
Unix operates with beer.
Honored Contributor
Viktor Balogh
Posts: 1,007
Registered: ‎03-15-2009
Message 2 of 8 (1,072 Views)

Re: Audit trail doesn't rotate

This is from /etc/rc.config.d/auditing; I have only a single audfile specified, and 10MB as the switch parameter.

# grep -v ^# /etc/rc.config.d/auditing

AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=/var/.audit/audtrail
SEC_SWITCH=10240
AUDEVENT_ARGS1=" -P -F   -e moddac -e login -e admin -s chmod -s chown -s .chmod_link -s stime -s acct -s reboot -s .set_sys_info -s umask -s swapon -s settimeofday -s fchown -s fchmod -s setrlimit -s .priv_grp_ctl -s plock -s semop -s .setmemwindow -s setdomainname -s setacl -s fsetacl -s setaudid -s setaudproc -s setevent -s audswitch -s audctl -s mpctl -s adjtime -s serialize -s lchown -s sched_setparam -s sched_setscheduler -s clock_settime -s .perf_tool_ctl -s setrlimit64 -s modload -s moduload -s modpath -s getksym -s .kernel_module_ctl -s modstat -s .processor_ctl -s acl -s .p2p_bcopy_ctl -s .gang_sched_ctl -s .mrgctl -s settune -s pset_assign -s pset_bind -s pset_setattr -s pset_ctl -s __pset_rtctl -s .perf_ctl -s semtimedop -s .audit_tag_ctl -s .postwait_ctl -s .setaudevent -s .procsm_setop -s .cachefsstat -s swapctl -s .audit_ctl -s .proc_mgmt_ctl -s .cell_olstar_lock -s .cell_olstar_specify -s .cell_olstar_backout -s .cell_olstar_unlock -s .cell_olstar_operate"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=" -p -f   -s .cmpt_rules -s .file_sec_ctl -s .proc_sec_ctl -s .sendfile_by_name -s accept -s access -s bind -s chdir -s chroot -s close -s connect -s creat -s execv -s execve -s exit -s fattach -s fchdir -s fcntl -s fdetach -s fork -s fstat -s fstat64 -s ftruncate -s ftruncate64 -s getaccess -s kill -s link -s lockf -s lockf64 -s lstat -s lstat64 -s mkdir -s mknod -s mlock -s mlockall -s mmap -s mmap64 -s mount -s mq_close -s mq_open -s mq_unlink -s msgctl -s msgget -s munlock -s munlockall -s munmap -s open -s pipe -s pset_create -s pset_destroy -s ptrace -s recv -s recvfrom -s recvmsg -s rename -s rmdir -s rtprio -s sem_close -s sem_open -s sem_unlink -s semctl -s semget -s send -s sendfile -s sendfile64 -s sendmsg -s sendto -s setgid -s setgroups -s setpgid -s setpgrp -s setpgrp3 -s setpriority -s setregid -s setresgid -s setresuid -s setsockopt -s setuid -s shm_open -s shm_unlink -s shmat -s shmctl -s shmdt -s shmget -s shutdown -s sigqueue -s socket -s socketpair -s stat -s stat64 -s symlink -s truncate -s truncate64 -s ttrace -s ulimit -s umount -s umount2 -s unlink -s vfork -s vfsmount"
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
#

****
Unix operates with beer.
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: ‎07-06-2000
Message 3 of 8 (1,058 Views)

Re: Audit trail doesn't rotate


Viktor Balogh wrote:

This is from /etc/rc.config.d/auditing; I have only a single audfile specified, and 10MB as the switch parameter.

# grep -v ^# /etc/rc.config.d/auditing

AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=/var/.audit/audtrail
SEC_SWITCH=10240
...


Viktor:

I suspect that the names of the primary and secondary audit files being the *same* is the problem. You may be doing a no-op switch.

Matti had an excellent post recently regarding audit file switches here:

http://h30499.www3.hp.com/t5/Security/Auditing-Why-does-the-auditing-log-files-continues-to-grow/m-p...

Regards!

...JRF...
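
A small check for the condition James describes, added here as an example (it is not code from the thread or from HP): it reads PRI_AUDFILE and SEC_AUDFILE from an /etc/rc.config.d/auditing-style file and flags the case where both name the same trail, so a "switch" changes nothing. It also reproduces the arithmetic behind the "avail %" column of audsys, which is why a trail that has outgrown its switch size shows a negative value as in message 1. The two sample config files, the function names and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example: detect a primary/secondary trail pair that makes the
# audit switch a no-op, and recompute audsys' "avail %" column.
# The config files are constructed below; nothing here touches /etc.

# Print the value of KEY ($2) from a KEY=VALUE config file ($1),
# skipping comment lines; prints nothing if the key is absent.
audit_cfg_value() {
    grep -v '^#' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Classify the trail settings of one config file:
#   NOOP - PRI_AUDFILE and SEC_AUDFILE are identical (switching "to"
#          the same file changes nothing, the symptom in this thread)
#   OK   - distinct names, or the secondary left unset / set to '*'
check_audit_switch() {
    pri=$(audit_cfg_value "$1" PRI_AUDFILE)
    sec=$(audit_cfg_value "$1" SEC_AUDFILE)
    if [ -n "$pri" ] && [ "$pri" = "$sec" ]; then
        echo NOOP
    else
        echo OK
    fi
}

# audsys' "avail %" for a trail: (afs - used) * 100 / afs with integer
# arithmetic (truncation toward zero). A trail that has grown past its
# configured switch size (afs) yields a negative percentage.
trail_avail_pct() {
    afs=$1; used=$2
    echo $(( (afs - used) * 100 / afs ))
}

# --- constructed sample configs, reduced to the lines the check reads ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/auditing.bad" <<'EOF'
# comment lines are ignored, as with grep -v ^#
AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=/var/.audit/audtrail
SEC_SWITCH=10240
EOF
cat > "$tmp/auditing.good" <<'EOF'
AUDITING=1
PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=*
SEC_SWITCH=0
EOF
BAD_CFG=$tmp/auditing.bad
GOOD_CFG=$tmp/auditing.good

echo "bad  config: $(check_audit_switch "$BAD_CFG")"
echo "good config: $(check_audit_switch "$GOOD_CFG")"
# the two "current trail" stat lines from the thread: afs=10240
echo "avail % with used=12062: $(trail_avail_pct 10240 12062)"
echo "avail % with used=7144:  $(trail_avail_pct 10240 7144)"
```

On a real host, point check_audit_switch at /etc/rc.config.d/auditing; the two trail_avail_pct calls use the afs/used figures from the two audsys outputs in this thread and give the -17 and 30 those outputs show.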

Honored Contributor
Viktor Balogh
Posts: 1,007
Registered: ‎03-15-2009
Message 4 of 8 (1,055 Views)

Re: Audit trail doesn't rotate

Hi James,

Good point, this time I overlooked that one. The audsys output stated that the next trail is "none". This is a complicated case as I don't even have remote access...

I will comment out the SEC_AUDFILE and SEC_SWITCH part and give feedback...

Thanks,

Viktor

****
Unix operates with beer.
Honored Contributor
Viktor Balogh
Posts: 1,007
Registered: ‎03-15-2009
Message 5 of 8 (1,033 Views)

Re: Audit trail doesn't rotate

James,

Thank you for pointing out the error in the audit configuration. Now the setup looks like this:

PRI_AUDFILE=/var/.audit/audtrail
PRI_SWITCH=10240
SEC_AUDFILE=*
SEC_SWITCH=0

It works as expected:

cldbpr1:/# audsys
auditing system is currently on
current trail: /var/.audit/audtrail.20110907_1105
next    trail: none
statistics-     afs Kb  used Kb  avail %    fs Kb  used Kb  avail %
current trail:    10240     7144       30 39321600  6513248       83
next    trail: none

auditing system is actively writing to 1 file(s)
cldbpr1:/#  ls -lrtd /var/.audit/audtrail* | tail
drwx------   2 root       sys             96 Sep  7 08:55 /var/.audit/audtrail.20110907_0855
drwx------   2 root       sys             96 Sep  7 09:10 /var/.audit/audtrail.20110907_0910
drwx------   2 root       sys             96 Sep  7 09:25 /var/.audit/audtrail.20110907_0925
drwx------   2 root       sys             96 Sep  7 09:40 /var/.audit/audtrail.20110907_0940
drwx------   2 root       sys             96 Sep  7 09:54 /var/.audit/audtrail.20110907_0954
drwx------   2 root       sys             96 Sep  7 10:07 /var/.audit/audtrail.20110907_1007
drwx------   2 root       sys             96 Sep  7 10:20 /var/.audit/audtrail.20110907_1020
drwx------   2 root       sys             96 Sep  7 10:36 /var/.audit/audtrail.20110907_1036
drwx------   2 root       sys             96 Sep  7 10:51 /var/.audit/audtrail.20110907_1051
drwx------   2 root       sys             96 Sep  7 11:05 /var/.audit/audtrail.20110907_1105
cldbpr1:/#

Thank you,

Viktor

****
Unix operates with beer.
Advisor
Mohammed.Muneer
Posts: 29
Registered: ‎12-27-2009
Message 6 of 8 (660 Views)

Re: Audit trail doesn't rotate

Hi All,

I just want to know how you rotate the audit logs, since they are increasing in number. Is there any option available in 11.31, or does a manual script need to be deployed?

Regards,

MMM

Honored Contributor
Viktor Balogh
Posts: 1,007
Registered: ‎03-15-2009
Message 7 of 8 (653 Views)

Re: Audit trail doesn't rotate

Hello Mohammed,

The log rotation is done by the audit subsystem, but for deleting the old logs which have already been written to tape we use a find-rm one-liner combo from cron. As far as I know you could specify some script in the config file of the audit subsystem, so that at switching time the old logs get archived and deleted.

Regards,

Viktor

****
Unix operates with beer.
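
The "find-rm from cron" cleanup Viktor mentions, written out as an added example (this is not his actual cron job, and not an HP-supplied tool). It lists audtrail.* entries in the trail directory older than a given number of days, never touches the trail that audsys reports as current, and only removes anything when DELETE=1 is set, so the cron entry can be tested as a dry run first. On 11.31 each trail is a directory, as the ls -lrtd output earlier in the thread shows, hence the -type d and rm -rf. The directory tree, the audsys sample text and the function names are constructed for the example; the find expression sticks to POSIX options so it is not tied to GNU find.

```shell
#!/bin/sh
# Added example: prune old HP-UX audit trail directories from cron.
# Dry run by default; set DELETE=1 to actually remove. The sample tree
# and the audsys text below are constructed, not taken from a live host.

# Print audtrail.* directories directly under $1 whose mtime is older than
# $2 days, excluding the current trail path $3. -prune keeps find from
# descending into the trails themselves.
stale_trails() {
    dir=$1; days=$2; current=$3
    find "$dir"/audtrail.* -type d -prune -mtime +"$days" -print 2>/dev/null \
        | grep -v -F -x "$current" | sort
}

# Cron entry point: prints what it would remove, or removes it when
# DELETE=1 (after the trails have been written to tape, as in the thread).
prune_trails() {
    stale_trails "$1" "$2" "$3" | while IFS= read -r t; do
        if [ "${DELETE:-0}" = 1 ]; then
            rm -rf "$t"
        else
            echo "would remove: $t"
        fi
    done
}

# Extract the current trail path from audsys output read on stdin; the
# second "current trail:" line (statistics) starts with spaces, not '/',
# so only the path line matches. Real use: audsys | current_trail_from_audsys
current_trail_from_audsys() {
    sed -n 's/^current trail: \(\/.*\)$/\1/p' | head -n 1
}

# --- constructed audsys sample (the lines from message 1 of the thread) ---
AUDSYS_SAMPLE='auditing system is currently on
current trail: /var/.audit/audtrail.20110829_1914
next    trail: none
statistics-     afs Kb  used Kb  avail %    fs Kb  used Kb  avail %
current trail:    10240    12062      -17 39321600 31537632       20
next    trail: none'

# --- constructed trail directory: three 2011-dated trails plus a fresh one ---
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
SAMPLE_DIR=$SAMPLE_ROOT/.audit
mkdir "$SAMPLE_DIR"
for stamp in 20110907_0855 20110907_0910 20110907_1105; do
    mkdir "$SAMPLE_DIR/audtrail.$stamp"
    # set the directory mtime to the timestamp in its name (CCYYMMDDhhmm)
    touch -t "$(echo "$stamp" | tr -d _)" "$SAMPLE_DIR/audtrail.$stamp"
done
mkdir "$SAMPLE_DIR/audtrail.fresh"   # created just now: too young to prune

# in the constructed tree the newest 2011 trail plays the role of the
# current one and must survive even though it is older than 30 days
SAMPLE_CURRENT=$SAMPLE_DIR/audtrail.20110907_1105
echo "current trail parsed from audsys sample: $(printf '%s\n' "$AUDSYS_SAMPLE" | current_trail_from_audsys)"
prune_trails "$SAMPLE_DIR" 30 "$SAMPLE_CURRENT"
```

A cron line for the real host would call prune_trails with /var/.audit, the retention in days, and "$(audsys | current_trail_from_audsys)" as the third argument, with DELETE=1 only once the dry-run listing matches what has already gone to tape.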
Advisor
Mohammed.Muneer
Posts: 29
Registered: ‎12-27-2009
Message 8 of 8 (649 Views)

Re: Audit trail doesn't rotate

Hi Viktor,

Actually my requirement is to write the audit logs into one file only and then rotate it accordingly. There is no switching of audit logs.

So how do I rotate the logs with the configuration below...

AUDITING=1
PRI_AUDFILE=/audit/.secure/etc
PRI_SWITCH=10240
SEC_AUDFILE=*
SEC_SWITCH=0
AUDEVENT_ARGS1=" -P -F   -e create -e delete -e moddac -e modaccess -e removable -e login -e admin -s creat -s mount -s umount -s reboot -s rename -s mkdir -s rmdir -s shutdown -s pset_destroy -s __pset_rtctl -s .perf_ctl -s .audit_tag_ctl -s .proc_sec_ctl"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=" -p -f   -s .sendfile_by_name -s accept -s access -s acct -s acl -s adjtime -s bind -s chdir -s chmod -s chown -s chroot -s clock_settime -s close -s connect -s execv -s execve -s exit -s fattach -s fchdir -s semctl -s semget -s semop -s semtimedop -s send -s sendfile -s sendfile64 -s sendmsg -s sendto -s serialize -s setacl -s setaudid -s setaudproc -s umount2 -s unlink -s vfork -s vfsmount"
AUDOMON_ARGS=" -p 20 -t 1 -w 80"
