Ignite-UX

Re: audfile2 keeps increasing in size filling up /var/.audit

 
vz7r1x
Regular Advisor

audfile2 keeps increasing in size filling up /var/.audit

audswap looks like this:
#!/usr/bin/ksh
# audswap: switch the kernel to the other audit file, then archive the one
# that was just closed.

AUD_DIR=/var/.audit
AUD_TMP=$AUD_DIR/audit.`date +'%b%d%y_%H%M'`

# Assumes the active file is the non-empty one and that the other file was
# already moved away by the previous run. audsys -s is the switch size in KB.
# The mv only runs if the switch succeeded, so the live file is never moved.
if [[ -s $AUD_DIR/audfile1 ]]; then
    audsys -c $AUD_DIR/audfile2 -s 500000 && mv $AUD_DIR/audfile1 $AUD_TMP
else
    audsys -c $AUD_DIR/audfile1 -s 500000 && mv $AUD_DIR/audfile2 $AUD_TMP
fi

# nothing to compress if the switch or the move failed
[[ -f $AUD_TMP ]] || exit 1

/usr/contrib/bin/gzip -9 $AUD_TMP
chmod 400 ${AUD_TMP}.gz
-------------------------------

audomon is running, but audfile2 keeps increasing in size; it is up to 2777434396 in size (68% full now).
It will keep going until it fills up the whole partition.

Does anyone have any idea what could be causing it?

Many thanks for quick response.
Steven E. Protter
Exalted Contributor

Re: audfile2 keeps increasing in size filling up /var/.audit

Shalom,

We wrote a script to copy it and clear it out once in a while.

cp
>

You can also configure it to rotate between two log files so your script won't be going against an open audit file.

http://www.techsolutions.hp.com/en/B2355-90121/ch03s02.html

Prior Thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=805145
http://newfdawg.com/SecBook-TOC.htm

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
vz7r1x
Regular Advisor

Re: audfile2 keeps increasing in size filling up /var/.audit

Thanks Steve for the reply, but it did not help. My audswap script is doing the same as you suggested; the only difference is that it moves the audit file instead of copying it.

/etc/rc.config.d/auditing has some parameters that force the switch of the audit file, as given below, but it does not seem to work in my case today.

AUDITING=1
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=50000
SEC_AUDFILE=
SEC_SWITCH=
....
....
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"

Any thoughts?
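Note that both the audswap script and the rc.config.d settings above register only one audit file with the kernel: audswap calls audsys with -c/-s and never -x/-z, and SEC_AUDFILE/SEC_SWITCH are empty. audomon can only switch into a next file that has been registered, so the current file grows past its switch size. The script below is an added example, not the poster's audswap and not anything shipped by HP: it keeps a next file registered at all times and only ever archives the file that is not current. It assumes that audsys(1M) prints a status line beginning "current file:" when run without arguments, that -s/-z take a switch size in kilobytes, and that the AUD_DIR, AUDSYS and GZIP_CMD variables (which exist only so the logic can be dry-run off an HP-UX box) point at the real paths on the host.

```shell
#!/usr/bin/sh
# Added example, not the poster's audswap and not an HP-supplied script.
# Keeps two audit files registered at all times: the current one (audsys -c/-s)
# and a next one (audsys -x/-z), so audomon has somewhere to switch when the
# current file reaches its switch size. This script's only job is to archive
# whichever file is NOT current and re-register a fresh copy of it as next.
# Assumptions: audsys prints a "current file: <path>" status line; -s/-z are
# switch sizes in kilobytes. Command paths are variables only so the logic can
# be dry-run on a host without HP-UX auditing.
AUD_DIR=${AUD_DIR:-/var/.audit}
AUDSYS=${AUDSYS:-/usr/sbin/audsys}
GZIP_CMD=${GZIP_CMD:-/usr/contrib/bin/gzip}
SWITCH_KB=${SWITCH_KB:-500000}

# Read audsys status text on stdin and print the current audit file path;
# fails if no such line is present (e.g. auditing is off).
current_from_status() {
    cur=$(sed -n 's/^current[[:space:]]*file:[[:space:]]*//p' | head -n 1)
    [ -n "$cur" ] || return 1
    printf '%s\n' "$cur"
}

# Given one of the two audit files, print the other one.
partner() {
    case "$1" in
        */audfile1) printf '%s\n' "$AUD_DIR/audfile2" ;;
        */audfile2) printf '%s\n' "$AUD_DIR/audfile1" ;;
        *) echo "unexpected audit file: $1" >&2; return 1 ;;
    esac
}

# Archive the partner of the current file (which the kernel is not writing to),
# then register a fresh, empty partner as the next file. Prints the archive
# path when something was archived. The current file is never moved.
archive_inactive() {
    cur=$1
    inactive=$(partner "$cur") || return 1
    if [ -s "$inactive" ]; then
        stamp=$AUD_DIR/audit.$(date +'%b%d%y_%H%M%S')
        [ -e "$stamp" ] && stamp=$stamp.$$    # do not clobber an earlier archive
        mv "$inactive" "$stamp" || return 1
        "$GZIP_CMD" -9 "$stamp" || return 1
        chmod 400 "$stamp.gz" || return 1
        printf '%s\n' "$stamp.gz"
    fi
    # (re)create the empty next file root-only before the kernel opens it
    [ -e "$inactive" ] || { : > "$inactive" && chmod 600 "$inactive"; } || return 1
    "$AUDSYS" -x "$inactive" -z "$SWITCH_KB"
}

# Ask the kernel which file is current and archive the other one.
rotate() {
    cur=$("$AUDSYS" | current_from_status) || {
        echo "audsys reported no current audit file; is auditing on?" >&2
        return 1
    }
    archive_inactive "$cur"
}

# Stand-alone use from cron: sh audswap.sh run
case "${1:-}" in
    run) rotate ;;
esac
```

Because the script asks audsys which file is current instead of guessing from what is on disk, it does the right thing whether the last switch was made by audomon on its own or by a previous run of the script. With this scheme the matching rc.config.d entries are PRI_AUDFILE/PRI_SWITCH for one file and SEC_AUDFILE/SEC_SWITCH for the other, rather than leaving the SEC_ values empty.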
vz7r1x
Regular Advisor

Re: audfile2 keeps increasing in size filling up /var/.audit

I accidentally created this thread in Ignite-UX. Can it be moved to the Unix Admin section?
vz7r1x
Regular Advisor

Re: audfile2 keeps increasing in size filling up /var/.audit

Thread is in the wrong place so closing the thread. Thanks