All auditing data is written to an audit trail.
In regular mode, an audit trail is present on file system as a directory
and is comprised of one or more log files. The number of log files
depends on how many writer threads are used for data logging. And
only the entire directory but not any one or more files in the directory
represents meaningful data for analysis or display. Contrary to regular
mode, a compatibility mode is also provided in the HP-UX 11i version
3 release to generate audit trail that is present as a single file.
The compatibility mode is solely supported for backward compatibility
and will be obsoleted in any future releases after HP-UX 11i Version
3. See audsys(1M) manual page for more information.
At any time when the auditing system is enabled, at least an
audit trail must be present. The trail name and various attributes
for the trail can be specified using audsys. When
the current trail exceeds a predefined capacity (its Audit File Switch
(AFS) size), or when the auditing file system on which it resides
approaches a predefined capacity (its File Space Switch (FSS) size),
the auditing subsystem issues a warning. When either the AFS or the
FSS of the current audit trail is reached, the auditing subsystem
looks for an auxiliary trail. If one is available, recording is switched
to the auxiliary trail. If no auxiliary trail is specified, the auditing
subsystem creates a new audit trail with the same base name but a
different timestamp extension and begin recording to it. Audomon also
takes a command line to run after a successful audit trail switch
to process the last audit trail. Depending on site-specific needs,
the processing may involve data backup, archival, moving off site,
cleaning up or data reporting. If auto-switch is
unsuccessful, warning messages are sent to request appropriate administrator
action and the current audit trail continues to grow.
Choose a file system with adequate space for the
audit log files. You can assess the size of the file systems using
the bdf command. HP recommends you configure the
log files to at least the following parameters:
The file system must have more than 5000 KB available for the primary
audit log file.
It must have more than 20%
of its total file space available.
The growth of audit log files is closely monitored
by the audit overflow monitor daemon, audomon,
to insure that no audit data is lost.
Configuring Audit Trails
Use the audsys command to specify
the primary audit log file and the (optional) auxiliary audit log
file to collect auditing data:
#audsys -n -N2 -c my_audit_trail -s 5000
This example starts the audit system and records
data in the my_audit_trail directory, using two
writer threads. The AFS size is set to 5000K bytes. For more information,
see audsys(1M) .
Monitoring and Managing Audit Trails
The audit overflow monitor daemon (audomon) is used to monitor and manage audit trails. The audomon daemon is started automatically when auditing is started at system
boot time (AUDITING=1 in /sbin/init.d/auditing). The audomon daemon can also be started by
a privileged user. Once started, the audomon daemon
monitors the capacity of the current audit trail and the file system
it resides on. Following is an example command used to start the audomon daemon:
# audomon -p 20 -t 1 -w 90 -X "/user/local/bin/rcp_audit_trail hostname"
This command starts the audomon daemon with the following behavior, assuming the
auditing system was started with the following command:
# audsys -n -N 2 -c /var/.audit/my_trail -s 500
audomon sleeps at least one minute
When the size of the current audit trail reaches 4500
Kb, or the file system that the audit trail resides becomes 80% full,
the audomon daemon stops recording data to the
current audit trail and starts recording a new audit trail: /var/.audit/my_trail.yyyymmddHHMM
After the switch to the new audit trail succeeds,
the audomon daemon invokes the following command:
sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"
This script is site specific
and may be used to copy the old audit trail, perform data backup or
archival functions, and create audit reports. For more information
about the audomon daemon, see audomon(1).
|TIP: HP recommends that you write a script to carry out your long
term strategy for data storage and pass it to the audomon daemon using the -X option.|
The audomon command takes the
- -p fss
The minimum percentage of
space left on the file system that contains the primary audit log
file before the auditing system switches to the auxiliary log file.
The default fss value is 20%.
- -t sp_freq
The minimum wakeup interval,
in minutes, at which the system prints warning messages for audit
log file switch points on the console. The default sp_freq value is 1 minute.
- -w warning
The percentage of audit
log file space used or minimum file system free space used after which
warning messages are sent to the console. The default warning value is 90%.
- -X command
The command is executed each time the audomon switches
the audit trail.
For more information, see audomon(1M).