This appendix provides information
on how to use enhanced security to configure your system to meet or exceed
a C2 level of security as described in the
Trusted Computer System Evaluation Criteria
(also called the
Orange Book).
An on-line version of the
Orange Book
is available
at
http://nsi.org/Library/Compsec/orangebo.txt.
The system is also designed to meet the F-C2 functional class, as defined in the Information Technology Security Evaluation Criteria (ITSEC).
When a system is used in accordance with a site security policy, a C2 network, and the appropriate physical security, a C2 level environment can be achieved; expanding the protection of user and system information while maintaining full compatibility with existing Tru64 UNIX security mechanisms
Contact your sales representative for the latest evaluation and certification status of the Tru64 UNIX product.
This appendix contains the following information:
E.1 Establishing a Security Policy
A security policy is a statement of the rules and practices that regulate how an organization maintains its computing environment and how the organization manages, protects, and distributes sensitive information. A security policy should include:
Documenting the process for maintaining and changing the security policy.
Establishing the action taken by system administrators in the case of a break-in or other breach of security.
Determining your site's audit policy including the following:
User activities you want to audit.
Locally defined audit events.
Location for audit logs.
Procedures for the review of audit logs.
Whether the auditing of login attempts to unrecognized account
names (login_uname) is needed.
Using this attribute can
put passwords, entered out of sequence, with respect to the prompts, in the
audit logs.
Establishing a service access policy (supervision, passwords).
Determining the
umask
for your system (022
is the system default).
Establishing a schedule for verifying the integrity, including passwords, of your system and site.
Defining the boundaries of the system and the interfaces (telnet,
ftp, for example) between the boundaries.
Establishing a magnetic media policy, especially for removable media.
Determining which application software will be installed on your system and what its security implications are.
Determining the password policy for your users. Some considerations follow:
Long passwords are hard to break, but inevitably they are written down.
If user-chosen passwords are used, only one person knows the password.
Machine-generated passwords are harder to break, but also harder to remember and will probably be written down.
Determining the login controls for your system.
Establishing a procedure for system startups, shutdowns and upgrades.
Establishing a backup and recovery procedure.
Determining who the system administrators (root access) are and exactly what their functions are to be.
Establishing one or more secure account prototypes (Local Templates) for creating user accounts using the Account Manager program.
Establishing a secure account template with startup files
in the
/usr/skel
directory.
Determining the access restrictions for each object on your system.
Establishing the groups for your system.
Determining the access restrictions for each user on your system.
Recording for reference all the programs on your system that can set the UID or GID.
Determining the export restrictions for file systems on your system.
Establishing change control procedures for subjects and objects on your system.
Establishing a procedure for physical access changes.
Establishing the physical access requirements for your system and console.
Establishing the physical access requirements for your network components.
Establishing your network security policy.
Determining which remote access programs (ftp,
telnet, and such) will run on your system.
Determining the remote systems that will have access to your system.
Determining the console password requirements for your system and site.
Establishing a modem policy. (Consider authentication, the configuration for dial-in and dial-out access.)
Creating a "User Security Training" course or document for your site.
Documenting how users will access the system: operating system, database, or application menu.
Determining the secure devices for your site.
After your system is configured, the configuration files should change little and always in predictable ways. During periodic security reviews of your system, compare the base configuration files for content and permissions to the current files. Document the base system and network configuration by obtaining a listing of the following files and attaching them to the security policy:
/usr/skel/.profile /usr/skel/.cshrc /usr/skel/.login /var/yp/<domain>/auto.master /var/yp/<domain>/auto.home /var/yp/<domain>/auto.### /etc/auto.* /etc/auth/* /etc/dumpdates /etc/ethers /etc/exports /etc/fstab /etc/ftpusers /etc/group /etc/hosts /etc/hosts.equiv /etc/inetd.conf /etc/motd /etc/netgroups /etc/passwd /etc/profile /etc/csh.login /etc/logout if used /etc/remote /etc/resolv.conf /etc/rc.config /etc/rc.site optional, used with /etc/rc.config /etc/screend.config /etc/services /etc/sec/site_events /etc/sec/audit_events /etc/sec/auditd_clients /etc/sec/event_aliases /etc/sec/auditd_cons /etc/sec/audit_loc /etc/securettys /etc/svc.conf /tcb/* /usr/adm/messages /var/spool/uucp/Permissions if UUCP is active /var/spool/uucp/Systems if UUCP is active /var/spool/uucp/remote.unknown if UUCP is active /var/adm/cron/at.allow /var/adm/cron/at.deny /var/adm/cron/cron.allow /var/adm/cron/cron.deny /var/adm/crontab/ any files in these directories /var/tcb/* /var/yp/src/*
The Orange Book's requirements for a minimum C2 system is that the configuration for Tru64 UNIX is as follows:
The requirement for a site security policy is met when you establish a security policy for your site as described in the Site Security Handbook (RFC 1244). Your security policy should be in written form.
Users should be able to change their own passwords and the passwords should be machine generated. (Recommended by the Green Book.) See Section E.3.2 for password configuration details.
The requirement for users to be notified of their last login is met when enhanced security is configured.
The discretionary access control requirement is met by configuring
ACLs (access control lists) on your system.
See
Section 2.3
for more information on configuring ACLs.
Do not use the
/usr/groups
approach for small systems (less than 32 users).
The object reuse requirement mandates that workstations be
configured with no
xhost
entries.
Shared memory separation must be enabled.
You do this by answering
yes when
secconfig
asks if you want to disable segment
sharing.
The audit subsystem needs to be configured and available for use. See Chapter 3 for information on the audit subsystem.
The ability to verify the integrity of the trusted computing
base (TCB) is met by running the
fverify
and
authck
commands periodically as determined by your site's security
policy.
After you have installed the Tru64 UNIX software subsets (including
the optional enhanced security and documentation extension subsets) onto your
system, you will start the software configuration.
During the configuration,
several of the selections you make will affect the security of your system.
The assumption is that you need the maximum practical security configuration
for your system.
The following sections document the areas of concern for
security and the recommended configuration.
E.3.1 General Configuration
General system configurations include:
Ensure that the
/tmp,
/var/tmp, and
/var/spool
directories are on a file system
other than that of the root (/) and
/usr
directories.
Do not run Netscape Navigator with JAVA enabled. Only enable JAVA when you are connected to known secure sites.
Avoid connecting systems to the Internet whenever possible.
E.3.2 Enhanced Passwords and Authentication Using secconfig
Select the enhanced password attributes to match your site's security policy. See Section A.2.2 for details.
Use the following password attributes (defaults are defined in the
/etc/auth/system/default
file):
Select either user-chosen or machine-generated passwords and configure as follows:
For user-chosen passwords (u_pickpw
field
in the
/etc/auth/system/default
file), set the minimum
length to 8 characters (u_minlen#8) and the maximum length
to 80 characters (u_maxlen#80).
For machine-generated passwords (no
u_pickpw
field in the
/etc/auth/system/default
file), set the minimum
length to 0 characters (u_minlen#0) and the maximum length
to 10 characters (u_maxlen#10).
The value of 0 for minimum
length causes Tru64 UNIX to use the
Green Book
algorithm
to generate passwords.
Ensure that null passwords cannot be used (u_nullpw@)
Set the password expiration time to 180 days (u_exp#15724800)
Set the account lifetime set to 360 days (u_life#31449600)
Set the depth of the password history file to 9 (u_pwdepth#9)
Set the number of tries to enter a password before locking
the account to 5 (u_maxtries#5)
Set new accounts to be locked (u_lock)
Set the maximum number of login attempts before the terminal
is locked to 10 (t_maxtries#10)
Set the delay between attempted logins to 2 seconds (t_logdelay#2)
Select triviality checks (u_restrict) and
site password restrictions (u_policy)
Use the Account Manager (dxaccounts) or the
edauth
program to change the default settings.
E.3.3 Libraries
The libraries on your system can be used in an attack. Secure the libraries as follows:
Disable segment sharing by answering
yes
when prompted by
secconfig.
Verify that the permissions are correct (no write access except
for the owner) and that the ownership is root on shared libraries (/usr/shlib/*.so), including any linked target files.
Use the
ls -lL
command for this procedure.
E.3.4 Account Prototypes and Templates
The account templates used to create user account startup files are
/usr/skel/.login,
/usr/skel/.cshrc
and
/usr/skel/.profile.
Account prototypes (referred to as Local Templates) are provided by
the Account Manager (dxaccounts).
The prototypes let you
set attributes like password expiration and login attempts for individual
user accounts.
If an attribute value is not specified in the local template,
the value from the
default
file is used.
The system-wide
default attribute values are stored in the
/etc/auth/system/default
file.
System default values are set with the
/usr/tcb/bin/edauth
command.
Configure user accounts as follows:
Using the provided default templates, create account templates that reflect your site's security policy.
Set the
umask
in the
/usr/skel/.login
file.
(HP recommends a value of 027.)
Designate a restricted shell (Rsh) for
users where appropriate.
Verify that each user has a valid entry path (login shell)
on the system.
Users can be placed directly into an application by executing
the application from the user's
/home/.profile
or from
the entry in the
/etc/passwd
file or as a start point for
the user with the execution of a startup program.
If user access is restricted through menu scripts called from
the user's
.profile
file, the scripts should have a
trap
command at the beginning of the file to ensure that Ctrl/C
and other keyboard interrupts are ignored.
E.3.5 Configuring the Audit Subsystem
Before the audit subsystem kernel option can be configured, it needs
to be included for the kernel build.
Use the
sysman auditconfig
utility to configure the audit subsystem any time after the kernel build.
Configure and run audit as follows:
Use the default location for audit logs (/var/audit/auditlog.nnn).
For overflow protection, put the audit logs
on a file system other than root (/) and
/usr.
Establish an alternate location for audit logs to provide
for an overflow of audit log data by editing the
/etc/sec/auditd_loc
file.
Send
auditd
messages to the console (/dev/console).
Set the audit mask to audit
trusted_events
and to log the name of a user (as described in your site policy) who attempts
to log in to an invalid account.
If you are starting the audit daemon from the command line, use the following command:
# /sbin/init.d/audit start
See
Chapter 3
for more information about the audit
subsystem.
E.3.6 Verifying That Your Installation Is Secure
After you have rebooted the system to enable the enhanced security options,
run the
fverify
and
authck
programs
to verify the integrity of your system.
E.3.7 Configuring Network Security
Proper network configuration is a critical part of your secure computing environment. Use the following checklist as an aid to network configuration:
Do not use NIS (Network Information Services, formerly called Yellow Pages) to distribute root account information. See Section A.6 for details.
When using NIS, use the
/etc/yp/securenets
file, as described in
ypserv(8)
Run
ypbind
with the
-S
flag and without the
-ypset
or
-ypsetme
options (default).
If
uucp
is configured on your system, do
the following:
Ensure that the
uucp
account is password
controlled and that a separate
uucp
account is established
for each machine that requires access.
Ensure that the
/var/spool/uucp/Permission
file has only valid entries.
Ensure that the
/var/spool/uucp/Systems
file has only valid entries.
Ensure that the File Transfer Protocol (FTP) is secured and that, if possible, there are no anonymous FTP accounts. If you must use anonymous FTP, ensure the following:
The FTP account has an asterisk in the protected password field.
A
/usr/ftp
home directory is created
for FTP.
Create
/bin
and
/etc
subdirectories
under the
/usr/ftp
directory.
Nothing in the home directory is owned by
ftp.
A public subdirectory is created under the
/usr/ftp
directory for placement and retrieval of transferred files.
User
ftp
should only have write access to the public subdirectory.
Create an
~ftp/etc/passwd
file with only
the
ftp
account and no password.
Copy the
/etc/sia/bsd_matrix.conf
file
to
~ftp/etc/sia/matrix.conf.
Copy
/sbin/ls
to
~ftp/bin/ls.
The login shell for the
ftp
account should
be
/sbin/sink.
Ensure that workstations are using DES-cookie based authentication
(default).
See the XDM-AUTHORIZATION-1 parts of
dtlogin(1)
When
/usr/bin/X11/xhost
is run, nothing
should be reported.
The output should look like the following:
# xhost access control enabled, only authorized clients can connect #
E.3.8 Postinstallation Security Configuration
After the system is installed and configured, perform the activities
in the following sections.
E.3.8.1 umask for Remote Access
Add a
umask
entry as described in your site security
policy to the
/etc/csh.login,
/etc/profile, and
/etc/init.d/inet
files.
(Note that
the
/etc/init.d/inet
file is overwritten during an update
installation.)
E.3.8.2 Devices
Using
/usr/tcb/bin/dxdevices, create the devices
with the security attributes that reflect your site's security policy.
Ensure that terminal ports are readable only by the owner by modifying the remote login shell file as follows:
Add the following to the
/etc/profile
file:
case "$TERM" in none) ;; *) /usr/bin/setacl -b `/usr/bin/tty` ;; esac
Add the following to the
/etc/csh.login
file:
if ($?TERM) then
if ("$TERM" != "none") then
/usr/bin/setacl -b `/usr/bin/tty`
endif
endif
Create and verify accounts as follows:
Create the user accounts for your system using either the
Account Manager (/usr/bin/X11/dxaccounts) or by restoring
the
/usr/users
area and associated files from a previous
system.
Ensure that home directories are mounted with the
noexec,
nosuid, and
nodev
options.
Ensure that CDE users have the autopause feature enabled by using a command similar to the following:
# grep extension.lockTimeout \
~/.dt/sessions/current/dt.resources
A 0 status indicates that the autopause feature is disabled.
Review the
/etc/passwd
and
/var/tcb/files/auth.db
databases to verify that user home directories and passwords are
appropriate.
See System Administration for information on creating user accounts.
Because root access must be carefully controlled and monitored, make sure the following conditions are met:
That all passwords are changed after a system installation or after support vendors have had access to your machine.
That the root password is changed before vendor access is granted to prevent exposure of your password generation methodology.
That the single-user password feature is enabled.
See
sulogin(8)
That using the
su
command to become root
is logged by audit.
That access to the
setuid 0
or
setgid 0
programs on your system is restricted (700, 710, or 711)
That the
/var/spool/cron/crontabs
files
are accessible only by root or the owner.
That root access is restricted to certain devices for login
or that users must use the
su
command to access the root
account.
See
securettys(4)
The logins for the system-supplied UIDs are limited (setting
the
u_lock
field) where appropriate.
The following table
provides the recommended restrictions:
| UID | Recommended login Status |
root |
Restricted |
daemon |
Not allowed |
bin |
Not allowed |
sys |
Not allowed |
uucp |
Restricted |
nobody |
Not allowed |
adm |
Restricted |
lp |
Not allowed |
Review the
/etc/svc.conf
file and ensure that a logical
configuration has been set up for NIS.
Also, if NIS is being used, verify
that the client machines and the server have the correct domain name defined
in the NIS_DOMAIN variable in the
/etc/rc.config
or
/etc/rc.site
file.
Ensure that the network files in the following table are protected:
| File | Comment |
/etc/exports |
Validate the entries.
Avoid using
the
-root=
option if possible.
Use the
-access=<hostname>
and
-ro
options
on all specified file systems |
/etc/hosts |
|
/etc/services |
|
/etc/protocols |
|
/etc/inetd.conf |
|
/etc/hosts.equiv |
Validate that the entries are local hosts. |
/etc/ethers |
|
~username/.rhosts
and
~username/.shosts |
Remove these files or run
rlogind
and
rshd
with the
-l
flag set. |
An important part of your site's security is the physical security of all the components in the environment. Check your physical security as follows:
Verify that the system and its cabling are in a secure environment.
Verify that all network components are physically secured. These include file servers, bridges, routers, hubs/concentrators, gateways, terminal servers, and modems.
From the console prompt, ensure that the boot flags are set according to your site policy using the following command:
>>> show
If your system supports the console password feature, ensure that it is being used. Consult your hardware documentation for information on console password support.
Verify that a console terminal's function keys have not been programmed for login or password information.
Ensure that modems have an automatic disconnect feature. Also make sure modems are in a secure environment.
To ensure the security of application software running on your system, make sure that the following conditions are met:
Restrict any
setuid
or
setgid
programs.
Ensure that any control files and executable files are writable only by the root account.
If a firewall product is installed, see the firewall's documentation for the appropriate configuration information.
If you are running the
screend
program,
configure as described in
screend(8)
If you have tunneling software installed, ensure that it is secure, as described in its documentation.
E.6 Periodic Security Administration Procedures
The frequency of the different classes of review activities is determined by your site's security policy. Perform the following activities on a regular schedule:
Back up the system and its applications.
Review the audit logs.
Review the system accounting logs.
Run the
fverify
and
authck
programs to verify the integrity of your system.
Some public domain programs,
such as
cops
and
tripwire, are useful
to help verify system integrity.
Verify that your system has only necessary and authorized programs.
Verify that compilers are available only on systems used for development.
Verify that your system has only authorized, root-owned
setuid
and
setgid
programs using the following
command:
# find / \( -perm -4000 -o -perm -2000 \) -ls
Review the
/etc/exports
file to verify
that all entries are valid.
Check your user accounts as follows:
Review the
/etc/passwd
file to verify that
all accounts are still valid.
Run the following command to ensure there are no enhanced
profiles (prpasswd
entries) without
/etc/passwd
entries:
# /usr/tcb/bin/convuser -dN
Verify that the home directory permissions are set according to your site policy.
Verify that all files in a user's home directory are owned by that user.
Verify that each user has a valid entry path (login shell) on the system.
Verify that entries in a
.rhosts
or
.netrc
file are appropriate.
Verify that that any
.exrc
and
.netrc
files are located only in user home
directories.
Review the
hosts.equiv
file for valid entries.
Ensure that entries in the following files do not conflict with system parameters and that the files are protected by a permission of 755:
.profile .login .cshrc .kshrc .logout
Verify that user masks are set in accordance with your site policy using the following command:
# grep umask /usr/users/*/.*
The system default mask is set to 022.
Review the
/dev
directory and verify the
following:
That special devices have the proper permission.
That access to devices such as
mem,
kmem, and
swap
are properly protected (440).
That terminal ports are readable only by the owner.
That users do not own any devices other than their terminal device and their printer.
Verify that your modem authentication is functioning as intended.
Use the following commands to verify that the same user name
is not used for different UIDs, including between the local
/etc/passwd
file and NIS:
# ( ypcat passwd ; grep -v '^[-+]' /etc/passwd ) | \
sort -t: -k 1,1 -k 3,3n -u | \
awk -F: '{if (n == $1) {print p; print}; \
n=$1; p=$0}' | \
more
Use the following commands to verify that no user names use
the same UID, including between the local
/etc/passwd
file
and NIS:
# ( ypcat passwd ; grep -v '^[-+]' /etc/passwd ) | \
sort -t: -k 3,3n -k 1,1 -u | \
awk -F: 'BEGIN {u=-1} {if (u == $3) \
{print p; print}; u=$3; p=$0}' | \
more
Use both of the following commands to verify that all accounts have local or NIS passwords:
# sort -t: -n /etc/passwd | awk -F: '$2 == "" print'
# /usr/tcb/bin/edauth -g | sed -f sed_file | egrep -v \
':u_pwd=[^:]|:u_istemplate:'
The commands in
sed_file
are as follows:
: top
/:\\$/ {
N
b top
}
s/:\\/:/g
s/:[<tab><space>]*:/:/g
s/:[<tab><space>]*:/:/g
Use the following command to validate all the hidden files on your system:
# find / \( -name '.*' ! -name . ! -name .. \) -print
Use the following command to verify that no device files exist
outside the
/dev
directory:
# find / \( -type b -o -type c \) -print
Ensure that entries in the following startup scripts are appropriate and that the files are properly protected:
/sbin/inittab /etc/init.d /sbin/rc?.d ? is the run level
Ensure that the data saved in
/var/adm/crash
in the event of a system crash is accessible only to
root
and
adm
users.
Using a password cracker program such as the public domain
crack
program, ensure that user passwords cannot be determined.
Verify your site's physical security policy.
Verify the permissions and ownership on the following directories are as listed:
| Directory | Permission | Owner | Group |
/ |
755 | root | system |
/bin |
755 | root | system |
/dev |
640 | root or bin | system |
/dev/null |
666 | root | system |
/dev/ttys |
666 | root | system |
/etc |
755 | root | system |
/etc/rc.config |
755 | bin | bin |
/etc/exports |
644 | root | system |
/etc/passwd |
644 | root | system |
/etc/resolv.conf |
644 | root | system |
/etc/screend.config |
755 | root | system |
/etc/sec |
755 | root | system |
/home |
555 | root | system |
/lib |
755 | root | system |
/opt |
755 | root | system |
/sbin |
755 | root | system |
/sys |
755 | root | system |
/tcb |
755 | root | system |
/tmp |
1777 | root | system |
/usr |
755 | root | system |
/usr/bin |
755 | root | system |
/usr/lib |
755 | root | system |
/usr/ucb |
755 | root | system |
/usr/ucb |
755 | root | system |
/var |
755 | root | system |
/var/adm |
755 | root | system |
/var/adm/crash |
700 | root | system |
/var/adm/cron |
755 | root | system |
/var/spool |
755 | root | system |
/var/spool/cron |
755 | root | system |
/var/spool/cron/atjobs |
755 | root | system |
/var/spool/cron/crontabs |
755 | root | system |
/var/spool/cron |
755 | root | system |
/var/tcb |
755 | root | system |
/var/tcb/audit |
755 | root | system |
/var/tcb/bin |
755 | root | system |
/var/tcb/files |
755 | root | system |
E.7 Reference Documents and Verification Tools
The following documents will help you create and maintain a secure computing environment:
Site Security Handbook (RFC 1244).
This handbook is the product of the Site Security Policy Handbook Working
Group, a combined effort of the Security Area and User Services Area of the
Internet Engineering Task Force.
An online copy of this document is available
at
http://www.net.ohio-state.edu/hypertext/rfc1244/toc.html
Tru64 UNIX Installation Guide
Tru64 UNIX Installation Guide — Advanced Topics
Trusted Computer System Evaluation Criteria.
U.S.
Department of Defense, National Computer Security Center, DoD 5200.28-STD,
December, 1985.
This document, known as the
Orange Book
because of the color of its cover, is the U.S.
Government's definitive guide
to the development and evaluation of trusted computer systems.
An online copy
of the
Orange Book
is available at
http://nsi.org/Library/Compsec/orangebo.txt
Password Management Guideline.
U.S.
Department of Defense, (CSC-STD-002-85), April 12, 1985.
This document, known
as the
Green Book
because of the color of its cover,
supports the
Orange Book
by presenting a set of recommended
practices for the design, implementation, and use of password-based user authentication
mechanisms.
An online copy of the
Green Book
is available
at
http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html
The following documents will help you understand security concepts and procedures:
Computer Security Basics - O'Reilly and Associates, Inc.
Practical UNIX Security - O'Reilly and Associates, Inc.
UNIX: Its Use, Control, and Audit - Contact the Institute of Internal Auditors Research Foundation at 249 Maitland Avenue, Altamonte Springs, Florida 32701-4201.
The following tools can help you maintain a secure environment:
crack
— A public domain password-checking
program available at .
tripwire
— An integrity-monitor for
UNIX systems.
The
tripwire
software uses several checksum
and signature routines to detect changes to files and to monitor selected
items of system-maintained information.
The program also monitors for changes
in permissions, links, and sizes of files and directories.
.
COPS
— The Computer Oracle and Password
System (COPS) package from Purdue University examines a system for a number
of known weaknesses and alerts the system administrator to them; in some cases
it can automatically correct these problems.
SATAN
— SATAN is a tool that helps
system administrators recognize several common networking-related security
problems.
It reports the problems without actually exploiting them.
For each
type of problem found, SATAN offers a tutorial that explains the problem and
what its impact could be and what can be done about the problem.
The following script is an example of a tool you can create to extract login and logout information from the audit logs:
#!/usr/bin/ksh -ph
# Script to return summary of login/logout activities on the
# system since the last time it was run.
export PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/sbin
# where this script should run
Bdir=/var/adm/local
# where to find audit log files
Adir=/var/audit
Ofile="${Bdir}/lasttime"
Nfile="${Bdir}/newtime"
Afile="${Bdir}/lastdata"
Tfile="${Bdir}/lastmsg"
Events="-e trusted_event"
umask 077
# ensure the output format we need from date.
export LANG=C LC_ALL=C
export TZ=:UTC
if [ ! -f "${Ofile}" ]
then
print 700101000001 > "${Ofile}"
touch -t 197001010000.01 "${Ofile}"
fi
date +%y%m%d%H%M%S > "${Nfile}"
curfile=$(auditd -q)
auditd -dx
sleep 20 # give time for compression of the old log
while [ -f "$curfile" -a -f "$curfile".Z ] || [ -f "$curfile" \
-a -f "$curfile".gz ]
do
sleep 2 # wait some more
done
: > "${Afile}"
for af in $(find "$Adir" -name "auditlog.*" -newer "${Ofile}" \
-print | sort)
do
audit_tool -b -t $(<"${Ofile}") -T $(<"${Nfile}") >> \
"${Afile}" -o -Q $Events "${af}" 2>/dev/null
# the suppressed errors are for the {un,}compressed messages
done
TZ=:localtime
if [ -s "${Afile}" ]
then
audit_tool -B -Q "${Afile}" > "${Tfile}"
if [ -s "${Tfile}" ]
then
Mail -s 'login/out audit summary' root < "${Tfile}"
fi
fi
mv -f "${Nfile}" "${Ofile}"
rm -f "${Afile}"
The following is the crontab entry for the above logging script:
0 9 * * * /var/adm/local/lreport