10 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
I am trying to parse the audit log to find a particular date that associated with a user record. The Date and the context of the record that I need to extract from the audit.log are 11-07-2015, the username and the activity he or she performed that day.
Here is my code:
grep -c date -d... (3 Replies)
Discussion started by: dellanicholson
3 Replies
2. SuSE
Dear users,
I have SLES 11 and SLES 10 servers.
I'd like to receive an alert when audit log files reach certain percentage of full.
1. Is '/etc/audit/auditd.conf' the right file to modify?
2. I'd like to receive email alert. Can I specify my email in this parameter 'action_mail_acct... (1 Reply)
Discussion started by: JDBA
1 Replies
3. Shell Programming and Scripting
Hi,
I would like to get the audit log with username, directory and the date whenever user fires 'rm' command anywhere in the file locations.
Is there any possibility to capture the 'rm' command and its parameters from any environment by the single function ?
Please advise me.
... (4 Replies)
Discussion started by: Joviac
4 Replies
4. AIX
Dear All
When I start the AIX(6100-06)audit subsystem.
the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB.
It will replace the original /audit/stream.out (or /audit/trail).
Then the /audit/stream.out become empty and... (2 Replies)
Discussion started by: nnnnnnine
2 Replies
5. Solaris
How do i find if audit logs is secured inside Solaris 10?
· Verify that that audit log files are secured and owned appropriately.
this is the question (1 Reply)
Discussion started by: werbotim
1 Replies
6. Solaris
I am aware that the timestamps of the audit log files are in the following format :
file, 2011-09-13 07:40:24 .000 -4
Is there anyway that I can display the timestamps in local time format.
Thanks for the help.
---------- Post updated at 02:18 PM ---------- Previous update was at 01:06... (0 Replies)
Discussion started by: chinchao
0 Replies
7. Cybersecurity
Hi,
I keep encountering events in the BSM/C2 logs which shows that the audit-user who performed the event is the user (e.g. ongkk in the example below). However, the user is able to show me that he wasn't logged in at that time nor have the rights to perform the event (e.g. su in this example).... (5 Replies)
Discussion started by: BERNIELEE68
5 Replies
8. Solaris
hi all,
i enabled audit in my server it is working fine, now i want to delete old logs from audit file ,plz find a solution for it,
Regards
spandan (2 Replies)
Discussion started by: spandhan
2 Replies
9. AIX
Hi guys,
I've googled this quite a bit, and tried searching on these forums, but haven't found a solution to my problem. I wanted to inquire about AIX's audit subsystem - more specifically, how to rotate its log file.
So far I've been able to find how to rotate AIX syslog log files, and I... (2 Replies)
Discussion started by: w1r3d
2 Replies
10. Solaris
I got a lot of this message in my /var/audit log
how can I exclude this message?
header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument
,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies
auditconfig(8) System Manager's Manual auditconfig(8)
NAME
auditconfig, audit_setup - Audit subsystem configuration graphical interface (Enhanced Security)
SYNOPSIS
/usr/sbin/sysman auditconfig
NOTE: The audit_setup utility has been replaced by the auditconfig graphical interface.
DESCRIPTION
The graphical user interface is used interactively to establish the audit environment on your system. The interface can be selected from
the Sysman menu, syman_station (including PC clients), or it can be started from the command line. See the sysman(8) and syman_station(8)
reference pages for more details.
If a kernel rebuild is required as part of the configuration, auditconf guides the user through the rebuild and reboot. The auditconfig
interface configures the following aspects of the audit subsystem: Location of the audit logs. The /var/audit/ directory is the default
area. Action for the audit subsystem to take if the file space allocated for audit logs is exhausted. Trimming of audit logs. Enable
accepting audit data from remote systems. Select the profiles/categories of events to be audited. Include environment strings with an or
system call.
You must be root to run
FILES
/etc/sec/event_aliases
A set of aliases by which logically related groupings of events can be constructed. You can modify this set of aliases to suit your
site's requirements.
/etc/sec/auditmask_style
Auditmask style selections.
/etc/sec/auditd_clients
A list of hosts from which audit data can be accepted.
/etc/sec/auditd_loc
A list of alternative locations in which auditd stores audit data when an overflow condition is reached.
/etc/sec/audit_events
A list of all security-relevant system calls and trusted (application) events. You can modify this file or use it as a template.
/etc/sec/file_objects/*
The list of files that auditconfig used to enable object selection or deselection.
/etc/rc.config.common
The cluster-wide rc variables for the audit subsystem.
/etc/sec/rc_audit_events
Used for input to for audit events during system initialization.
/etc/sec/fs_objects
Created when object (de)selection is derived from a profile(category). It contains the selected profile's entries of file objects.
RELATED INFORMATION
Commands: auditmask(8), auditd(8), sysman(8), sysman_station(8)
Security, System Administration delim off
auditconfig(8)