topic Re: Auditing broken? in Operating System - HP-UX

Auditing broken?

Jacques Larouche — Fri, 26 Oct 2001 14:56:10 GMT

Because of a problem with lost files, I activated the Events Auditing on one of our server, especially for the "delete" event type. The result is totally wrong gives me such output:
fbsql011:/.secure/etc# sam &
[1] 16478
fbsql011:/.secure/etc# audisp -e delete audfile1
All users are selected.
Selected the following events:
delete
2048
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
011026 11:17:33 14785 S 137 12764 16 0 3 0 3 ttyp2
[ Event=rmdir; User=ouellemi; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000008 (dev);
3824 (inode);
(path) = /var/sam/core
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The User mentionned is a valid user, but wasn't logged on the system at that time. ttyp2 is my own tty and i'm not 'ouellemi'!
Deleting myself a file doesn't update that event log.

Strange...

Re: Auditing broken?

James Beamish-White — Tue, 30 Oct 2001 16:23:35 GMT

Are you sure that that user doesn't have a cronjob running to clean up core files?

And have you checked that your uid is not that same as that user?

Finally, you should check that root isn't automatically excluded from auditing...

Cheers,
James

Re: Auditing broken?

Jacques Larouche — Tue, 30 Oct 2001 21:35:44 GMT

Yes James, i've checked all that!

Re: Auditing broken?

harry d brown jr — Wed, 31 Oct 2001 03:24:37 GMT

What groups does the user ouellemi belong to? What is their UID? Do they have AT jobs running? Are there any scripts that they have ownership of that are being executed by cron? Or maybe they have a setuid bit set on a script under their name?

You could also have corrupt tmp files. What does "last" show for that user?

live free or die
harry

Re: Auditing broken?

Jacques Larouche — Wed, 31 Oct 2001 17:14:07 GMT

I checked the wtmp file with the "last" command and as I tought, that user never logged on. And he had nothing running under cron or at too. I decided to get rid of that account, so I got him off the passwd file. Now the same audit result shows me root as the uid, instead of ouellemi. I know that that doesn't explain too much, but at least it works better now (until that user asks me for an account one day!)

Jacques

Re: Auditing broken?

harry d brown jr — Wed, 31 Oct 2001 17:35:11 GMT

What was their UID and GID?

I'm thinking maybe you have corrupt wtmp, utmp, or btmp files. Which one, I have no clue, but I'm sure someone can tell us. Look into the wtmpfix command. It just might have screwed up records.

live free or die
harry

Re: Auditing broken?

Jacques Larouche — Wed, 31 Oct 2001 17:49:52 GMT

There's nothing special I can in his userid...

# id ouellemi
uid=334(ouellemi) gid=126(cdb_dba) groups=20(users),25(sybase),30(cdb_dev),37(dl_admin),40(trfas400),124(cdb_dev2),127(cdb_sqr),128(cdb_ext),140(das),170(db_batch),29(oper)

... and there was nothing special made after running wtmpfix.