Monitoring Resources


Today's client-server architecture minimizes the number of users who actually log in to a system. Instead, they access information over the network, using services provided by software on the server. Monitoring the resources the system uses therefore gives a more accurate view of what is happening on it. Many utilities report on the use of system resources; the two main systems that report consolidated usage information are the accounting and auditing packages.

Accounting

The accounting package was built for UNIX systems to provide usage information so that resource consumption on timesharing systems could be billed back. Accounting software is structured as a set of tools (consisting of both C programs and shell procedures) that can be used to build accounting systems. The accounting system reports connect time (handled by various programs that write records into /etc/utmp), disk usage, file input and output, printer usage, CPU consumption, and memory utilization. This information can be reported by user or by process. Per-process accounting is performed by the HP-UX system kernel: when a process terminates, one record for that process is written to a file, normally /var/adm/pacct.
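As an added illustration (not code from the book or from HP-UX), the sketch below reviews a buffer of per-process accounting records: it totals CPU ticks per user and lists processes that used superuser privileges while running under a non-root user ID. The record layout, its field widths and byte order, and the sample data are assumptions modeled on the classic System V struct acct; check <sys/acct.h> on the target system before reading a real /var/adm/pacct.

```python
import struct
from collections import defaultdict

# ASSUMED record layout (classic System V style, big-endian, unpadded):
# ac_flag, ac_stat, ac_uid, ac_gid, ac_tty, ac_btime,
# ac_utime, ac_stime, ac_etime, ac_mem, ac_io, ac_rw, ac_comm[8]
REC = struct.Struct(">BBHHHIHHHHHH8s")
AFORK, ASU = 0o1, 0o2  # classic ac_flag bits: forked without exec / used superuser privileges

def comp_t(c):
    """Decode a 16-bit comp_t: 3-bit base-8 exponent, 13-bit mantissa."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def parse(blob):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    for off in range(0, len(blob) - REC.size + 1, REC.size):
        (flag, _stat, uid, _gid, _tty, btime,
         ut, st, _et, _mem, _io, _rw, comm) = REC.unpack_from(blob, off)
        yield {
            "uid": uid,
            "comm": comm.rstrip(b"\0").decode("ascii", "replace"),
            "start": btime,
            "cpu_ticks": comp_t(ut) + comp_t(st),
            "su": bool(flag & ASU),
        }

def review(blob):
    """Return (CPU ticks per uid, [(uid, command)] for superuser use by non-root uids)."""
    cpu, su_use = defaultdict(int), []
    for r in parse(blob):
        cpu[r["uid"]] += r["cpu_ticks"]
        if r["su"] and r["uid"] != 0:
            su_use.append((r["uid"], r["comm"]))
    return dict(cpu), su_use

def _rec(flag, uid, ut, st, comm):
    # Helper that builds one constructed sample record (not real accounting data).
    return REC.pack(flag, 0, uid, 20, 0, 1017619200, ut, st, 0, 0, 0, 0, comm)

# Constructed sample: three records plus 7 stray bytes, as left by an interrupted write.
SAMPLE = (_rec(0, 101, 50, 10, b"vi")
          + _rec(ASU, 101, 5, 5, b"passwd")
          + _rec(ASU, 0, 0x2001, 0, b"cron")
          + b"\x00" * 7)

if __name__ == "__main__":
    totals, flagged = review(SAMPLE)
    print("CPU ticks by uid:", totals)
    print("Superuser privilege used by non-root uid:", flagged)
```

Because the kernel writes the record only at process termination, a review like this cannot see processes that are still running.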

HP-UX Auditing

The purpose of the auditing system is to record instances of access by subjects to objects and to allow detection of any attempts to bypass the protection mechanism and any misuses of privileges, thus acting as a deterrent against system abuses and exposing potential security weaknesses in the system.

  • User and Event Selection: The auditing system provides administrators with a mechanism to select users and activities to be audited. Users are assigned unique identifiers called audit IDs by the administrator which remain unchanged throughout a user's history. The audusr command is used to specify those users who are to be audited. The audevent command is used to specify system activities (auditable events) that are to be audited. Auditable events are classified into several categories, illustrated by the event category list at the end. (An event category consists of a set of operations that affects a particular aspect of the system.)

  • Self-auditing Programs: To reduce the amount of log data and to provide a higher-level recording of some typical system operations, a collection of privileged programs is given the capability to perform self-auditing. This means that the programs can suspend the currently specified auditing on themselves and produce a high-level description of the operations they perform. These self-auditing programs include: at, chfn, chsh, crontab, login, newgrp, passwd, audevent, audisp, audsys, audusr, cron, init, lpsched, pwck, and sam. Note that only these privileged programs are allowed to do self-auditing, and that the audit suspension they perform affects only these programs and does not affect any other processes on the system.



Halting the Hacker. A Practical Guide to Computer Security
Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
