80 Standard Mode Security Extensions

NOTE: If the primary audit log continues to grow past the FSS point, a system-defined parameter, minfree, can be reached. At this point all auditable actions are suspended for regular users. Restore the system to operation by archiving the audit data, or by specifying a new audit log file on a file system with space.

NOTE: If other activities consume space on the file system, or the file system chosen has insufficient space for the AFS size chosen, the File Space Switch point can be reached before the Audit File Switch point.

Choose a file system with adequate space for your audit log files. You can assess the size of your file systems using the bdf command. HP recommends that the file system you configure for your log files meets at least the following requirements:

The file system must have more than 5000 KB available for the primary audit log file.

It must have more than 20% of its total file space available.

TIP: HP recommends that the primary and auxiliary audit log files reside on separate file systems.
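The two space requirements and the tip about separate file systems can be checked before the logs are configured. The following POSIX shell script is an added example written for this page, not HP's own tooling. It parses output in the bdf column layout (kbytes, used, avail, %used, mount point); a constructed sample is embedded so the script runs offline, and on a real HP-UX system you would replace SAMPLE_BDF with the live output of bdf. The path names and mount points in the sample are assumptions made for the example.

```sh
#!/bin/sh
# Added example: check that a proposed audit log location meets the
# HP-recommended thresholds (more than 5000 KB free and more than 20%
# of the file system's space free) and that the primary and auxiliary
# logs sit on separate file systems. Constructed bdf output is used so
# the script runs offline; substitute "$(bdf)" on a real system.

MIN_AVAIL_KB=5000
MIN_FREE_PCT=20

# Constructed sample in the bdf column layout (kbytes used avail %used mount).
SAMPLE_BDF='Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol3     204800  180000   24800   88% /
/dev/vg00/lvol4      51200   47500    3200   94% /tmp
/dev/vg00/lvol8    1024000  204800  819200   20% /var
/dev/vg00/lvol9    2048000  102400 1945600    5% /audit'

# Print the bdf line whose mount point is the longest prefix of path $1.
fs_line_for() {
    printf '%s\n' "$SAMPLE_BDF" | awk -v p="$1" '
        NR > 1 {
            m = $6
            exact = (length(p) == length(m))
            boundary = (substr(p, length(m) + 1, 1) == "/")
            if (m == "/" || (index(p, m) == 1 && (exact || boundary))) {
                if (length(m) > bestlen) { bestlen = length(m); best = $0 }
            }
        }
        END { print best }'
}

# Mount point that would hold path $1.
mount_point_of() {
    fs_line_for "$1" | awk '{ print $6 }'
}

# Return 0 if the file system holding $1 satisfies both thresholds,
# 1 if it does not, 2 if no file system matches the path.
check_audit_fs() {
    line=$(fs_line_for "$1")
    [ -n "$line" ] || { echo "no file system found for $1" >&2; return 2; }
    set -- $line                 # dev kbytes used avail %used mount
    kbytes=$2; avail=$4; mnt=$6
    if [ "$avail" -le "$MIN_AVAIL_KB" ]; then
        echo "$mnt: $avail KB free, need more than $MIN_AVAIL_KB KB" >&2
        return 1
    fi
    # avail/kbytes > 20% without floating point: avail*100 > kbytes*20
    if [ $(( avail * 100 )) -le $(( kbytes * MIN_FREE_PCT )) ]; then
        echo "$mnt: less than $MIN_FREE_PCT% of file space free" >&2
        return 1
    fi
    return 0
}

# Return 0 if the two paths live on different file systems (HP's tip).
separate_filesystems() {
    [ "$(mount_point_of "$1")" != "$(mount_point_of "$2")" ]
}

# Example run: primary log on /audit, auxiliary log on /var.
if check_audit_fs /audit/primary.log && check_audit_fs /var/audit/aux.log \
   && separate_filesystems /audit/primary.log /var/audit/aux.log; then
    echo "audit log locations meet the recommended thresholds"
fi
```

In the sample, the root file system has more than 5000 KB free but only about 12% of its space, so it fails the percentage test, and /tmp fails the absolute test; both are the cases the notes above warn about, where the File Space Switch point would be reached early.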

The growth of audit log files is closely monitored by the audit overflow monitor daemon, audomon, to ensure that no audit data is lost.

Configuring Audit Log Files

Use the audsys command to specify the primary audit log file and the (optional) auxiliary audit log file to collect auditing data. For example:

# audsys -c primary_audit_file -s 5000 -x auxiliary_audit_file -z 2500

This example specifies a primary audit file 5000K in size, and an auxiliary audit file 2500K in size. Refer to audsys(1M) for more information about using the audsys command to configure audit log files.

NOTE: If you specify the name of an existing file as your auxiliary audit log file, the contents of the file will be overwritten.

CAUTION: If the file system containing the primary log file is full and no auxiliary log file is specified, any non-root process that generates audit data will block inside the kernel. Also, if a non-root process is connected to the system terminal, it will be terminated. For details, see the WARNINGS section of the audsys(1M) manpage.

Viewing Audit Logs

Auditing accumulates a lot of data. Use the audisp command to select the data you want to view:

# /usr/sbin/audisp audit_file

The following options are available with the audisp command:

-f                 Displays failed events only.

-p                 Displays successful events only.

-c system_call     Displays the selected system call.

-t                 Displays start time.

-s                 Displays end time.

-u user-name       Displays information for a specific user.

-l terminal-name   Displays information for a specific terminal.

HP UX 11i Role-based Access Control (RBAC) Software manual Viewing Audit Logs, Configuring Audit Log Files