System call to flush or null a file

coollllllllllll
Regular Advisor

System call to flush or null a file

Hi,

What is the system call, from the Unix end, to flush or nullify a file?

I am thinking of starting auditing of my HP-UX 11.23 boxes, wherein some major system calls are to be monitored for some users,

like root, oracle, application user.

What should I use here, "audevent -P -s ????", to catch hold of someone trying to flush a file or who has flushed a file?

14 REPLIES
Dennis Handly
Acclaimed Contributor

Re: System call to flush or null a file

To catch trying to reset the EOF of a file, you need to look for open with O_TRUNC.

coollllllllllll
Regular Advisor

Re: System call to flush or null a file

Hi Dennis,

Thanks.

Also, I have observed that "rm" is not getting captured via auditing, i.e. audevent. Is there any way I can track it?

Dennis Handly
Acclaimed Contributor

Re: System call to flush or null a file

>I have observed that "rm" is not getting captured

 

rm is an unlink(2).

coollllllllllll
Regular Advisor

Re: System call to flush or null a file

Hi Dennis,

Can I have auditing enabled only for some specific commands and for some specific users ONLY, like:

 

rm

rm -rf

someone flushing  a file

someone renaming a file

someone copying a file

Dennis Handly
Acclaimed Contributor

Re: System call to flush or null a file

>Can I have auditing enabled only for some specific commands?

 

Only if you log execution of that command, i.e. opening that executable.

Or if there is a system call that the command does.

I assume if you have auditing turned on, you can filter for specific users.

 

>someone renaming a file

 

This is a rename.

 

>someone copying a file

 

This is someone opening that file.

coollllllllllll
Regular Advisor

Re: System call to flush or null a file

Hi Dennis,

I didn't get it.

 

Only if you log execution of that command, open that executable.

Or there is a system that the command does.

Dennis Handly
Acclaimed Contributor

Re: System call to flush or null a file

>I didn't get it.

 

I've updated the post and fixed a few missing words.

chindi
Respected Contributor

Re: System call to flush or null a file

Hi Matti,

Can you please help me here with your inputs?

Dennis Handly
Acclaimed Contributor

Re: System call to flush or null a file

>Can you please help me here with your inputs?

 

What's your question?

chindi
Respected Contributor

Re: System call to flush or null a file

Can I have auditing enabled only for some specific users ONLY?

Am I able to rotate those log files, say, after one day?

Matti_Kurkela
Honored Contributor

Re: System call to flush or null a file

> Can i have auditing enabled only for  some specific users ONLY

 

Yes. Please see "man audusr" on your system.

 

> Able to rotate those log files say after one day ?


You should write a script that first uses "audsys -c some_new_file" to switch the audit log to a new file, then your script can do whatever you want with the old audit log file.

MK
chindi
Respected Contributor

Re: System call to flush or null a file

Hi Matti,

I am trying the below steps:

audsys -f

audusr -D

will disable auditing for all users, and then:

audusr -a root -a oracle

will add it back for those users.

Then:

audsys -n -c /mydir/audlog20MB -s 20480

which is creating a 20MB file with lots of junk; I am not able to understand anything.

We are using audisp /mydir/audlog20MB to analyse these logs, but no success.

Can you help us to trace any file removal or flush activity being carried out by a particular user, say oracle?

Matti_Kurkela
Honored Contributor

Re: System call to flush or null a file

Yes, the audlog20MB will be a binary logfile that can only be read using a tool like audisp.

 

If you are logging only root and oracle users, then:

audisp -e delete -u oracle /mydir/audlog20MB

should display all file removals done by user "oracle".

 

Flushing a file is a little bit more tricky, since it is essentially just opening a file for writing, with the O_TRUNC option.

So you would have to run something like:

audisp -e open -u oracle /mydir/audlog20MB

and then use grep or similar to find only the interesting events from the output.

 

Unfortunately I don't have an example of 11.23 audisp output available to me (my test server is not in Trusted mode and does not have the Standard Mode Security Extensions installed). So I cannot design a suitable filter command for you.

 

MK
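The filter logic the replies above describe, written out as an added example (this is not code from the thread, nor from HP-UX): Dennis maps the shell-level actions to system calls (rm is unlink(2), mv is rename(2), "flushing" a file is an open with O_TRUNC, cp is an open of the source for reading), and Matti proposes pulling the "delete" and "open" events for one user out of audisp and then grepping them. The record layout used below is a hypothetical key=value format made up for the example; it is NOT the real audisp output format of 11.23, so the parser must be adapted to whatever audisp prints on the real system (audisp -e open / -e delete already do the per-event and per-user pre-filtering). Two caveats a practitioner would add: failed attempts (non-zero result) are kept deliberately, since the question was about someone *trying* to flush a file; and on systems that provide truncate(2)/ftruncate(2), a file can be shrunk without any open, so those calls would need to be audited separately.

```python
# Added example, not code from the original thread or from HP-UX.
# Implements the filtering idea from the replies: rm -> unlink,
# "flushing" -> open with O_TRUNC, mv -> rename, cp -> an open for reading,
# over a small constructed audit log.  The record layout is a hypothetical
# key=value format chosen for this example; real audisp output differs.

from typing import Optional

# Constructed sample records (hypothetical layout, NOT real audisp output).
# "result=0" means the call succeeded; anything else is the error returned,
# so failed attempts (someone *trying* to flush a file) stay visible.
SAMPLE_RECORDS = """\
time=10:00:01 user=oracle  syscall=open   path=/u01/app/alert.log    flags=O_WRONLY|O_CREAT|O_TRUNC result=0
time=10:00:02 user=oracle  syscall=open   path=/u01/app/data.dbf     flags=O_RDWR                   result=0
time=10:00:03 user=oracle  syscall=unlink path=/u01/app/old.trc                                     result=0
time=10:00:04 user=root    syscall=rename path=/etc/hosts            newpath=/etc/hosts.bak         result=0
time=10:00:05 user=oracle  syscall=open   path=/etc/oratab           flags=O_RDONLY                 result=0
time=10:00:06 user=appuser syscall=open   path=/tmp/scratch          flags=O_WRONLY|O_CREAT|O_TRUNC result=0
time=10:00:07 user=oracle  syscall=open   path=/var/adm/syslog/syslog.log flags=O_WRONLY|O_TRUNC    result=EACCES
"""


def parse_record(line: str) -> dict:
    """Turn one 'key=value key=value ...' record into a dict."""
    rec = {}
    for token in line.split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def classify(rec: dict) -> Optional[str]:
    """Map a record to the activity the thread wants to catch, or None."""
    call = rec.get("syscall")
    if call == "unlink":
        return "delete"          # what rm / rm -rf ends up doing
    if call == "rename":
        return "rename"          # what mv does
    if call == "open":
        flags = set(rec.get("flags", "").split("|"))
        if "O_TRUNC" in flags:
            return "flush"       # '> file' or 'cat /dev/null > file'
        if not flags & {"O_WRONLY", "O_RDWR"}:
            return "read"        # the source side of a cp
    return None


def events_for_user(log_text: str, user: str, kinds: Optional[set] = None) -> list:
    """Return the interesting records for one user, oldest first.

    kinds restricts the output, e.g. {"flush", "delete"}; None keeps every
    recognised kind.  Records with result != 0 are kept on purpose.
    """
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("user") != user:
            continue
        kind = classify(rec)
        if kind is None or (kinds is not None and kind not in kinds):
            continue
        rec["kind"] = kind
        found.append(rec)
    return found


if __name__ == "__main__":
    # Equivalent of 'audisp -e open -e delete -u oracle ... | grep ...'
    for ev in events_for_user(SAMPLE_RECORDS, "oracle"):
        status = "ok" if ev["result"] == "0" else "FAILED " + ev["result"]
        print(f'{ev["time"]} {ev["kind"]:6} {ev["path"]} ({status})')
```

On a real box the pipeline would be audisp pre-filtered with -e and -u, and only the flags/result fields of the open records would need to be matched; the shape of the check (truncating opens and unlinks for one user, failures included) stays the same.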
chindi
Respected Contributor

Re: System call to flush or null a file

Hi Matti,

I need to keep a record of all suspicious activities carried out in my box.

All commands run by a user in his/her shell.

We are using the history variable in /etc/profile.

But as Dennis said, we cannot alter history settings.

Do we have any other alternate solution to this auditing problem?