08-24-2011 11:19 AM
Despite being set to 1000kb, the secondary auditing log file continues to grow beyond the SEC_switch value specified in the /etc/rc.config.d/auditing config file.
-rw------- 1 root sys 1034032 Aug 24 09:51 audfile1
-rw------- 1 root sys 2528230 Aug 24 11:15 audfile2 <----
-rw------- 1 root sys 54 Aug 24 09:15 audnames
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
08-24-2011 10:21 PM
You have specified audfile1 as the primary audit file, and audfile2 as the secondary, or "next" audit file. When the primary file reaches 1000 kB size, the audit subsystem will begin writing to audfile2. At this point, audfile2 becomes the new primary audit file, and there will be no next audit file defined any more.
You should have some process in place (e.g. a cron job or other periodic task) to check if the audit file has switched, and if it has, archive the old audit file and set up a new "next" audit file.
If this is not done and audfile2 reaches 1000 kB size too, the audit subsystem cannot switch anywhere else: it has no idea where to switch to.
The design of the audit subsystem assumes auditing is serious stuff: it is assumed that losing any audit records might raise national security issues, invoke the wrath of Sarbanes-Oxley auditors or cause something else you really wish to avoid. Therefore, if the system has no file to switch to, it keeps on writing to the current file as long as it can. If the disk holding the current audit file becomes full and there is no next audit file defined and a user process is doing something that requires writing an audit log entry, it is time for drastic measures: the process will be frozen until the audit entry can be successfully written. No audit logging whenever required = no service!
In HP-UX 11.31, there is a facility for auto-generating new audit file names and running a command (e.g. a script) on the previous audit file each time the system switches to a new audit file.
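A cron-driven helper for the cycle the answer describes (detect that the switch happened, archive the old file, define a new "next" file), added here as an example and not code from the thread; the `audsys` invocation, its output format, the directory and the bookkeeping file are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (HP-UX audsys(1M) as
# remembered; verify on your release): plain `audsys` prints a line
# "current file: <path>", and `audsys -x FILE` defines FILE as the next audit
# file, creating it if absent. Directory, state file and cron path are assumed.
: "${AUDDIR:=/.secure/etc}"          # assumption: directory holding audfile*
# Name to use as the new "next" file: same prefix, trailing number + 1
# (audfile2 -> audfile3, audfile -> audfile1). Pure, so it is testable.
next_audfile_name() {
    name=$(basename "$1")
    num=${name##*[!0-9]}             # trailing digits, empty if none
    printf '%s%d\n' "${name%"$num"}" $((${num:-0} + 1))
}
# True once the subsystem writes to a file other than the primary recorded
# on the previous run ($1 = recorded primary, $2 = current file).
audit_switched() {
    [ -n "$1" ] && [ "$(basename "$1")" != "$(basename "$2")" ]
}
# Current audit file as reported by audsys (output format is an assumption).
current_audfile() {
    audsys 2>/dev/null | sed -n 's/.*current file: *//p' | head -n 1
}
# Archive every audfile* except the current one, define a fresh next file and
# record the new primary. Prints the path of the new next file.
rotate_audit() {                     # $1 = current (new primary) audit file
    archive=${ARCHIVE:-$AUDDIR/archive} state=${STATE:-$AUDDIR/.primary}
    cur=$(basename "$1") stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$archive"
    for f in "$AUDDIR"/audfile*; do
        [ -f "$f" ] && [ "$(basename "$f")" != "$cur" ] &&
            mv "$f" "$archive/$(basename "$f").$stamp"
    done
    newnext="$AUDDIR/$(next_audfile_name "$cur")"
    if command -v audsys >/dev/null 2>&1; then
        audsys -x "$newnext" || return 1   # assumption: -x sets the next file
    fi
    printf '%s\n' "$1" > "$state"
    printf '%s\n' "$newnext"
}
# Cron entry (path assumed): 0,10,20,30,40,50 * * * * /usr/local/sbin/audit_rotate.sh run
if [ "${1:-}" = run ]; then
    state=${STATE:-$AUDDIR/.primary}; cur=$(current_audfile)
    [ -n "$cur" ] || { echo "audsys reported no current file" >&2; exit 1; }
    if [ ! -f "$state" ]; then printf '%s\n' "$cur" > "$state"   # first run
    elif audit_switched "$(cat "$state")" "$cur"; then rotate_audit "$cur"; fi
fi
```

The first cron run only records the current primary; from then on a change of the current file triggers the archive-and-redefine step, so the subsystem always has somewhere to switch to.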