HPE Community
Operating System - HP-UX
1752780 Members
6339 Online
108789 Solutions
New Discussion юеВ

clean_hids_logs.ksh

 
SOLVED
Go to solution
John Ivy
Frequent Advisor

тАО01-14-2009 01:08 PM

тАО01-14-2009 01:08 PM

clean_hids_logs.ksh

Can any one tell me what htis script is used for (clean_hids_logs.ksh). It is in my crontab file on my rx3600.
0 Kudos
8 REPLIES 8
TTr
Honored Contributor

тАО01-14-2009 02:23 PM

тАО01-14-2009 02:23 PM

Re: clean_hids_logs.ksh

It looks like a home made script and based on its name it is used to clean up the logs of the HIDS (Host Based Intrusion Detection) so that they don't get very large and fill up your disk. You can look in it and see what it does, it probably saves the main log into a copy and deletes older copies of the log etc. Even if you are not shell script expert you may be able to read through it and see what it does.
0 Kudos
John Ivy
Frequent Advisor

тАО01-15-2009 03:25 AM

тАО01-15-2009 03:25 AM

Re: clean_hids_logs.ksh

here is the whole file.
#!/usr/bin/ksh

/sbin/init.d/auditing stop
> /.secure/etc/audfile1
> /.secure/etc/audfile2
/sbin/init.d/auditing start
I am by no means an expert on script, to me it looks like it stops auditing and appends /.secure/etc/audfile1 to /.secure/etc/audfile2 and then starts auditing again. Is there a reason why I would need this script? It is on one of my backup servers and not on the production. It causeses a lot of auditing email messages that I have to clean up.
0 Kudos
Matti_Kurkela
Honored Contributor

тАО01-15-2009 03:49 AM

тАО01-15-2009 03:49 AM

Re: clean_hids_logs.ksh

As there are no backslashes at the end of any line, each line is a separate command.

The two commands of the form "> filename" will _overwrite_ the file on the right side of the ">" sign with whatever is output by the left side, i.e. nothing at all. In other words, the commands will truncate both files to zero length.

To append something to the end of file, you would need ">>".

MK
MK
0 Kudos
TTr
Honored Contributor

тАО01-15-2009 04:01 AM

тАО01-15-2009 04:01 AM

Re: clean_hids_logs.ksh

The audfile1 and audfile are standard log file names that are used by the system accounting software. As Matti said the two files are "zeroed" out. I don't see the purpose of this since when you run system auditing, you normally save these two files at a third location BEFORE you zero them out. These files are auditing records and for investigating issues in the server.

Based on this and your other posting it appears that you have a highly regulated and highly scrutinized server.
0 Kudos
John Ivy
Frequent Advisor

тАО01-15-2009 04:08 AM

тАО01-15-2009 04:08 AM

Re: clean_hids_logs.ksh

so if I get this right the program stops auditing and over writes /.secure/etc/audfile1 to zero bytes and /.secure/etc/audfile2 to zero bytes and starts auditing again, is that correct? Why would I need to do that every 15 minites as below?
00,15,30,45 * * * * /usr/local/bin/clean_hids_logs.ksh

0 Kudos
TTr
Honored Contributor

тАО01-15-2009 05:01 AM

тАО01-15-2009 05:01 AM

Solution

Re: clean_hids_logs.ksh

You are correct in what the script does. The reason it is done every 15 minutes, is becasue those logs can get large very quickly and since it looks like they are located under the root filesystem they can fill up your root volume very quickly.
As I said it does not make sense to zero out these logs without first making copies of them for later use. Maybe there was a security requirement to turn on "system accounting" and this is how thet dealt with the logs filling up root. This is NOT how system accounting is run. Either turn it off, or if you have to keep it running,
1. you need to find another area to place the logfiles. Their location is set in /etc/rc.config.d/auditing
2. Even when you find an area with lots of space, these files will eventually fill it up. So you would still need to copy them off your server onto tape, DVD etc, and then zero them out like you do know. This zeroing out should be done less frequently maybe on a daily basis and not every 15 minutes so that you have a pair of auditing files for each day.
0 Kudos
John Ivy
Frequent Advisor

тАО01-15-2009 05:07 AM

тАО01-15-2009 05:07 AM

Re: clean_hids_logs.ksh

Thanks you, this was very helpful
0 Kudos
John Ivy
Frequent Advisor

тАО01-15-2009 05:08 AM

тАО01-15-2009 05:08 AM

Re: clean_hids_logs.ksh

Thanks to everyone
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.