All auditing data is written to an audit trail.
In regular mode, an audit trail is present on the file system as a directory
comprising one or more log files. The number of log files depends on
how many writer threads are used for data logging. Only the entire
directory, not any individual file or subset of files within it,
represents meaningful data for analysis or display. In contrast to
regular mode, a compatibility mode is also provided in the HP-UX 11i
Version 3 release to generate an audit trail that is present as a single file.
The compatibility mode is supported solely for backward compatibility
and will be obsoleted in future releases after HP-UX 11i Version 3.
See the audsys(1M) manual page for more information.

At any time when the auditing system is enabled, at least one
audit trail must be present. The trail name and various attributes
of the trail can be specified using audsys. When
the current trail exceeds a predefined capacity (its Audit File Switch
(AFS) size), or when the file system on which it resides
approaches a predefined capacity (its File Space Switch (FSS) size),
the auditing subsystem issues a warning. When either the AFS or the
FSS of the current audit trail is reached, the auditing subsystem
looks for an auxiliary trail. If one is available, recording is switched
to the auxiliary trail. If no auxiliary trail is specified, the auditing
subsystem creates a new audit trail with the same base name but a
different timestamp extension and begins recording to it. The audomon
daemon also takes a command line to run after a successful audit trail
switch to process the last audit trail. Depending on site-specific needs,
the processing may involve data backup, archival, moving data off site,
cleaning up, or data reporting. If the auto-switch is
unsuccessful, warning messages are sent to request appropriate administrator
action and the current audit trail continues to grow.
Choose a file system with adequate space for the
audit log files. You can assess the size of the file systems using
the bdf command. HP recommends that you configure the
log files to at least the following parameters:
- The file system must have more than 5000 KB available for the primary
audit log file.
- It must have more than 20% of its total file space available.
The growth of audit log files is closely monitored
by the audit overflow monitor daemon, audomon,
to ensure that no audit data is lost.
Configuring Audit Trails
Use the audsys command to specify
the primary audit log file and the (optional) auxiliary audit log
file to collect auditing data:
# audsys -n -N2 -c my_audit_trail -s 5000
This example starts the audit system and records
data in the my_audit_trail directory, using two
writer threads. The AFS size is set to 5000 KB. For more information,
see audsys(1M).
Monitoring and Managing Audit Trails
The audit overflow monitor daemon (audomon) is used to monitor and manage audit trails. The audomon daemon is started automatically when auditing is started at system
boot time (AUDITING=1 in /sbin/init.d/auditing). The audomon daemon can also be started by
a privileged user. Once started, the audomon daemon
monitors the capacity of the current audit trail and the file system
it resides on. Following is an example command used to start the audomon daemon:
# audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
This command starts the audomon daemon with the following behavior, assuming the
auditing system was started with the following command:
# audsys -n -N 2 -c /var/.audit/my_trail -s 500
- audomon wakes up at intervals of at least one minute.
- When the size of the current audit trail reaches 4500
Kb, or the file system on which the audit trail resides becomes 80% full,
the audomon daemon stops recording data to the
current audit trail and starts recording to a new audit trail: /var/.audit/my_trail.yyyymmddHHMM
- After the switch to the new audit trail succeeds,
the audomon daemon invokes the following command:
sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"
This script is site specific
and may be used to copy the old audit trail, perform data backup or
archival functions, and create audit reports. For more information
about the audomon daemon, see audomon(1M).
TIP: HP recommends that you write a script to carry out your long-term
strategy for data storage and pass it to the audomon daemon using the -X option.
The audomon command takes the
following arguments:
- -p fss
The minimum percentage of
space left on the file system that contains the primary audit log
file before the auditing system switches to the auxiliary log file.
The default fss value is 20%.
- -t sp_freq
The minimum wakeup interval,
in minutes, at which the system prints warning messages for audit
log file switch points on the console. The default sp_freq value is 1 minute.
- -w warning
The percentage of audit
log file space used or minimum file system free space used after which
warning messages are sent to the console. The default warning value is 90%.
- -X command
The command is executed each time the audomon daemon switches
the audit trail.
For more information, see audomon(1M).
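The site-specific script that the TIP above recommends passing to audomon with -X, written here as an added POSIX sh example (it is not HP's rcp_audit_trail and is not part of the original page). It assumes audomon invokes it exactly as shown above, with the host argument first and the path of the trail just switched away from last, and it archives the trail directory locally under an assumed AUDIT_ARCHIVE_DIR instead of copying it to a remote host; the function name archive_audit_trail is hypothetical.

```sh
#!/bin/sh
# Added example of an audomon -X handler (hypothetical; not HP's rcp_audit_trail).
# audomon runs it as: sh -c "<script> <hostname> <old_trail>", so $1 is the
# site-specific host argument and $2 is the trail that was just switched away
# from. A regular-mode trail is a directory of log files and is only meaningful
# as a whole, so the directory is archived as a single unit.
set -eu

# Assumption: local archive location (a site would add its off-site copy here).
ARCHIVE_DIR="${AUDIT_ARCHIVE_DIR:-/var/.audit/archive}"

# archive_audit_trail HOST TRAIL [DEST]
# Packs the trail directory into a timestamped tar.gz under DEST, writes a cksum
# manifest of every log file plus the archive next to it, verifies the archive
# is readable, and prints the archive path. Exits non-zero on any failure so a
# broken hand-off of the old trail is not silent.
archive_audit_trail() {
    host=$1
    trail=$2
    dest=${3:-$ARCHIVE_DIR}
    [ -d "$trail" ] || { echo "not a trail directory: $trail" >&2; return 1; }
    mkdir -p "$dest"
    parent=$(dirname "$trail")
    base=$(basename "$trail")
    stamp=$(date -u +%Y%m%d%H%M%S)
    archive="$dest/${host}_${base}_${stamp}.tar.gz"
    # Archive relative to the parent so the tarball carries no absolute paths.
    ( cd "$parent" && tar cf - "$base" ) | gzip -c > "$archive"
    # Integrity record: checksums of the individual log files and of the archive.
    ( cd "$parent" && find "$base" -type f -exec cksum {} + | sort -k3 ) > "$archive.cksum"
    cksum "$archive" >> "$archive.cksum"
    # Refuse to report success unless the archive lists at least one member.
    gzip -dc "$archive" | tar tf - | grep -q . || return 1
    echo "$archive"
}

# Run the handler only when invoked directly by audomon under this script name.
if [ "$(basename "$0")" = "rcp_audit_trail" ]; then
    archive_audit_trail "$@"
fi
```

Install it as /usr/local/bin/rcp_audit_trail and the audomon -X invocation shown above calls it with the old trail appended as the last argument.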