Audit tunable parameters (HP-UX 11i v3 only)

You can modify the auditing operation dynamically by changing one of the following audit tunable kernel parameters:

audit_memory_usage — Defines the percentage of physical memory to be used by audit records. If the audit record memory usage exceeds the audit_memory_usage limit, the audit subsystem blocks the system call until memory usage decreases to within the limit. You can change this tunable value at any time. However, you cannot lower its value below the memory currently used by the audit subsystem for records. Valid values are 1 to 10, inclusive. The default is 5.

audit_track_paths — Enables and disables tracking of current and root directories for the auditing subsystem. When audit_track_paths is set to 0, Audit does not resolve absolute pathnames, and HP-UX HIDS is unable to open the device and collect data. This is because HIDS always expects a complete pathname for its purposes.

Setting audit_track_paths to 1 enables both Audit and HP-UX HIDS to resolve and report absolute pathnames for their accounting purposes. This also causes additional tracking by the kernel, resulting in a small degradation in performance, even if the auditing subsystem is not in use. The tunable is set to 0 (default) when the system is installed without HP-UX HIDS. The tunable is set to 1 when HP-UX HIDS is first installed. You cannot change this tunable when either HIDS or auditing is running.

Although not required, HP recommends you reboot the system when changing the audit_track_paths tunable to enable or disable the recording of absolute pathnames. Otherwise, Audit or HP-UX HIDS might not resolve and report absolute pathnames consistently.

diskaudit_flush_interval — Defines the periodic time interval (in seconds) between two consecutive flushes of audit records buffered in the kernel memory. Set the value of this tunable so that buffers are cleaned when they are approximately half full, or are idle for a long time but still holding some data in the buffer. Keeping the tunable value too low results in flushing too soon and can lead to too many small write operations that can affect performance. On the other hand, keeping the value too high might lead to high unflushed memory consumption. Valid values are 1 to 100, inclusive; HP recommends a value from 3 to 6. The default value is 5.

The kctune command is the administrative command for HP-UX kernel tunable parameters. It provides information about tunable parameters and their values, and makes changes to tunable values. For more information, see kctune(1M).
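
The following added example (not HP code and not part of the original guide) checks a proposed value against the ranges documented above and prints the kctune command for review instead of running it. The function name check_audit_tunable, its return codes, and the operator-supplied BUSY argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not HP code. check_audit_tunable and its return codes are
# hypothetical; the ranges and recommendations are the ones documented above.
#
# Usage: check_audit_tunable NAME VALUE [BUSY]
#   BUSY=1 means auditing or HP-UX HIDS is running (supplied by the operator).
# Returns: 0 ok, 1 invalid value, 2 unknown tunable,
#          3 refused while auditing/HIDS runs, 4 ok but outside HP's advice.
check_audit_tunable() {
    name=$1 value=$2 busy=${3:-0} advice=0
    # Accept only 1-3 decimal digits so the numeric tests below cannot overflow.
    case $value in
        ''|*[!0-9]*|????*)
            echo "error: $name: '$value' is not a valid integer" >&2
            return 1 ;;
    esac
    case $name in
        audit_memory_usage)       min=1 max=10 ;;   # percent of physical memory
        audit_track_paths)        min=0 max=1 ;;    # 1 = resolve absolute pathnames
        diskaudit_flush_interval) min=1 max=100     # seconds between flushes
            # HP recommends 3 to 6; other legal values are flagged, not refused.
            if [ "$value" -lt 3 ] || [ "$value" -gt 6 ]; then advice=4; fi ;;
        *)
            echo "error: '$name' is not an audit tunable" >&2
            return 2 ;;
    esac
    if [ "$value" -lt "$min" ] || [ "$value" -gt "$max" ]; then
        echo "error: $name=$value is outside $min..$max" >&2
        return 1
    fi
    # audit_track_paths cannot be changed while HIDS or auditing is running.
    if [ "$name" = audit_track_paths ] && [ "$busy" = 1 ]; then
        echo "error: stop auditing and HIDS before changing $name" >&2
        return 3
    fi
    if [ "$advice" -eq 4 ]; then
        echo "warning: $name=$value is outside HP's recommended 3..6" >&2
    fi
    # Print the command instead of running it, so the change can be reviewed.
    echo "kctune $name=$value"
    return "$advice"
}
```

The check cannot tell whether a lower audit_memory_usage value is below the memory currently used for audit records; that limit is only known on the running system.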

Self-auditing programs

To reduce the amount of low-level log data and to provide a higher-level recording of some typical system operations, a collection of privileged programs is given capabilities (privileges) to perform self-auditing. Most of these programs generate audit data under a single event category. For example, audsys(1M) generates the audit data under the event admin. Other programs might generate data under multiple event categories. For example, telnetd(1M) generates data under the events login and ipcopen. For a list of predefined event categories, see audevent(1M).

This section contains a description and list of the self-auditing programs and DLKMs on HP-UX 11i v3 that produce self-audit event records with self-audit text. The event names (in parentheses) indicate the event categories under which the self-audit record is generated.

Note:

The list assumes the installation of AuditExt v3.1 and corresponding patches as specified in the AuditExt v3.1 Release Notes.
