https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6139069#M484805 <P>Yes, the audlog20MB will be a binary logfile that can only be read using a tool like audisp.</P><P>&nbsp;</P><P>If you are logging only root and oracle users, then:</P><PRE>audisp -e delete -u oracle /mydir/audlog20MB</PRE><P>&nbsp;should display all file removals done by user "oracle".</P><P>&nbsp;</P><P>Flushing a file is a little bit more tricky, since it is essentially just opening a file for writing, with the O_TRUNC option.</P><P>So you would have to run something like:</P><PRE>audisp -e open -u oracle /mydir/audlog20MB</PRE><P>&nbsp;and then use grep or similar to find only the interesting events from the output.</P><P>&nbsp;</P><P>Unfortunately I don't have an example of 11.23 audisp output available to me (my test server is not in Trusted mode and does not have the Standard Mode Security Extensions installed). So I cannot design a suitable filter command for you.</P><P>&nbsp;</P> Thu, 18 Jul 2013 13:26:45 GMT Matti_Kurkela 2013-07-18T13:26:45Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6057531#M484063 <P>Hi ,</P><P>&nbsp;</P><P>What is the system call from unix end to flush or nullify a file.</P><P>am thinking of starting auditing of my hpux boxxes 11.23 , &nbsp;wherein some major system calls to be monitored for some users.</P><P>like root oracle , application user.</P><P>&nbsp;</P><P>what should i use "audevent -P -s ????" &nbsp;here to catch hold of someone trying to flush a file &nbsp;or flushed a file .</P> Wed, 08 May 2013 08:20:35 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6057531#M484063 coollllllllllll 2013-05-08T08:20:35Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6057809#M484065 <P>To catch trying to reset the EOF of a file, you need to look for open with O_TRUNC.</P> Wed, 08 May 2013 09:54:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6057809#M484065 Dennis Handly 2013-05-08T09:54:51Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6058197#M484075 <P>Hi Dennis ,</P><P>&nbsp;</P><P>Thanks</P><P>Also i have observed that "rm " is not getting captured via auditing &nbsp;i.e audevent &nbsp;is there any way i can track it ???&nbsp;</P> Wed, 08 May 2013 12:42:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6058197#M484075 coollllllllllll 2013-05-08T12:42:45Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6059851#M484085 <P>&gt;I have observed that "rm" is not getting captured</P><P>&nbsp;</P><P>rm is an unlink(2).</P> Wed, 08 May 2013 20:03:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6059851#M484085 Dennis Handly 2013-05-08T20:03:03Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6061727#M484094 <P>Hi Dennis ,</P><P>&nbsp;</P><P>Can i have auditing enabled only for some specific commands&nbsp; and for some specific users ONLY like ,</P><P>&nbsp;</P><P>rm</P><P>rm -rf</P><P>someone flushing&nbsp; a file</P><P>someone renaming a file</P><P>someone copying a file</P> Thu, 09 May 2013 10:03:00 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6061727#M484094 coollllllllllll 2013-05-09T10:03:00Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6061873#M484095 <P>&gt;Can I have auditing enabled only for some specific commands?</P><P>&nbsp;</P><P>Only if you log execution of that command.&nbsp; I.e. open that executable.</P><P>Or there is a system call that the command does.</P><P>I assume if you have auditing turned on, you can filter for specific users.</P><P>&nbsp;</P><P>&gt;someone renaming a file</P><P>&nbsp;</P><P>This is a rename.</P><P>&nbsp;</P><P>&gt;someone copying a file</P><P>&nbsp;</P><P>This is some opening that file.</P> Tue, 14 May 2013 05:55:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6061873#M484095 Dennis Handly 2013-05-14T05:55:46Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6066729#M484225 <P>Hi Dennis ,</P><P>&nbsp;</P><P>I didnt get it.</P><P>&nbsp;</P><P>Only if you log execution of that command, open that executable.</P><P>Or there is a system that the command does.</P> Tue, 14 May 2013 05:38:00 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6066729#M484225 coollllllllllll 2013-05-14T05:38:00Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6066741#M484226 <P>&gt;I didn't get it.</P><P>&nbsp;</P><P>I've updated the post and fixed a few missing words.</P> Tue, 14 May 2013 05:56:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6066741#M484226 Dennis Handly 2013-05-14T05:56:39Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137347#M484776 <P>Hi Matti ,</P><P>&nbsp;</P><P>Can you please help me here with your inputs.</P> Wed, 17 Jul 2013 08:01:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137347#M484776 chindi 2013-07-17T08:01:12Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137375#M484782 <P>&gt;Can you please help me here with your inputs?</P><P>&nbsp;</P><P>What's your question?</P> Wed, 17 Jul 2013 08:30:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137375#M484782 Dennis Handly 2013-07-17T08:30:30Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137527#M484784 <P><SPAN>Can i have auditing enabled only for &nbsp;some specific users ONLY</SPAN></P><P><SPAN>Able to rotate those log files say after one day ?</SPAN></P> Wed, 17 Jul 2013 11:04:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137527#M484784 chindi 2013-07-17T11:04:19Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137765#M484788 <P><SPAN>&gt; Can i have auditing enabled only for &nbsp;some specific users ONLY</SPAN></P><P>&nbsp;</P><P>Yes. Please see "man audusr" on your system.</P><P>&nbsp;</P><P><SPAN>&gt; Able to rotate those log files say after one day ?</SPAN></P><P><SPAN><BR />You should write a script that first uses "audsys -c some_new_file" to switch the audit log to a new file, then your script can do whatever you want with the old audit log file.<BR /></SPAN></P> Wed, 17 Jul 2013 13:55:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6137765#M484788 Matti_Kurkela 2013-07-17T13:55:47Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6139005#M484803 <P>Hi Matti ,</P><P>&nbsp;</P><P>Am trying the below steps ;</P><P>&nbsp;</P><P>&nbsp;</P><P>audsys -f</P><P>audusr -D</P><P>will disable auditing for all users, and then:</P><P>audusr -a root -a oracle</P><P>will add it back for those users.</P><P>&nbsp;</P><P>then&nbsp;audsys -n -c /mydir/audlog20MB -s 20480</P><P>which is creating 20MB file with lots of junk , not able to understand anything.</P><P>&nbsp;</P><P>We are using&nbsp;audisp /mydir/audlog20MB &nbsp;to analyse this logs , but no success .</P><P>&nbsp;</P><P>Can you help us to trace any file removal , flush activity being carried out for a particualr user say oracle .</P> Thu, 18 Jul 2013 12:05:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6139005#M484803 chindi 2013-07-18T12:05:53Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6139069#M484805 <P>Yes, the audlog20MB will be a binary logfile that can only be read using a tool like audisp.</P><P>&nbsp;</P><P>If you are logging only root and oracle users, then:</P><PRE>audisp -e delete -u oracle /mydir/audlog20MB</PRE><P>&nbsp;should display all file removals done by user "oracle".</P><P>&nbsp;</P><P>Flushing a file is a little bit more tricky, since it is essentially just opening a file for writing, with the O_TRUNC option.</P><P>So you would have to run something like:</P><PRE>audisp -e open -u oracle /mydir/audlog20MB</PRE><P>&nbsp;and then use grep or similar to find only the interesting events from the output.</P><P>&nbsp;</P><P>Unfortunately I don't have an example of 11.23 audisp output available to me (my test server is not in Trusted mode and does not have the Standard Mode Security Extensions installed). So I cannot design a suitable filter command for you.</P><P>&nbsp;</P> Thu, 18 Jul 2013 13:26:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6139069#M484805 Matti_Kurkela 2013-07-18T13:26:45Z https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6139929#M484810 <P>Hi Matti ,</P><P>&nbsp;</P><P>I need to keep a record of all suspicios activities carried out in my box.</P><P>All commands ran by a user in his/her shell</P><P>We are using history variable in /etc/profile .</P><P>But as Dennis said we cannot alter history settings .</P><P>Do we have any other alternate solution to this auditing problem.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 19 Jul 2013 05:23:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/system-call-to-flush-or-null-a-file/m-p/6139929#M484810 chindi 2013-07-19T05:23:38Z