cancel
Showing results for 
Search instead for 
Did you mean: 

clean_hids_logs.ksh

SOLVED
Go to solution
John Ivy
Frequent Advisor

clean_hids_logs.ksh

Can any one tell me what htis script is used for (clean_hids_logs.ksh). It is in my crontab file on my rx3600.
8 REPLIES
TTr
Honored Contributor

Re: clean_hids_logs.ksh

It looks like a home made script and based on its name it is used to clean up the logs of the HIDS (Host Based Intrusion Detection) so that they don't get very large and fill up your disk. You can look in it and see what it does, it probably saves the main log into a copy and deletes older copies of the log etc. Even if you are not shell script expert you may be able to read through it and see what it does.
John Ivy
Frequent Advisor

Re: clean_hids_logs.ksh

here is the whole file.
#!/usr/bin/ksh

/sbin/init.d/auditing stop
> /.secure/etc/audfile1
> /.secure/etc/audfile2
/sbin/init.d/auditing start
I am by no means an expert on script, to me it looks like it stops auditing and appends /.secure/etc/audfile1 to /.secure/etc/audfile2 and then starts auditing again. Is there a reason why I would need this script? It is on one of my backup servers and not on the production. It causeses a lot of auditing email messages that I have to clean up.
Matti_Kurkela
Honored Contributor

Re: clean_hids_logs.ksh

As there are no backslashes at the end of any line, each line is a separate command.

The two commands of the form "> filename" will _overwrite_ the file on the right side of the ">" sign with whatever is output by the left side, i.e. nothing at all. In other words, the commands will truncate both files to zero length.

To append something to the end of file, you would need ">>".

MK
MK
TTr
Honored Contributor

Re: clean_hids_logs.ksh

The audfile1 and audfile are standard log file names that are used by the system accounting software. As Matti said the two files are "zeroed" out. I don't see the purpose of this since when you run system auditing, you normally save these two files at a third location BEFORE you zero them out. These files are auditing records and for investigating issues in the server.

Based on this and your other posting it appears that you have a highly regulated and highly scrutinized server.
John Ivy
Frequent Advisor

Re: clean_hids_logs.ksh

so if I get this right the program stops auditing and over writes /.secure/etc/audfile1 to zero bytes and /.secure/etc/audfile2 to zero bytes and starts auditing again, is that correct? Why would I need to do that every 15 minites as below?
00,15,30,45 * * * * /usr/local/bin/clean_hids_logs.ksh

TTr
Honored Contributor
Solution

Re: clean_hids_logs.ksh

You are correct in what the script does. The reason it is done every 15 minutes, is becasue those logs can get large very quickly and since it looks like they are located under the root filesystem they can fill up your root volume very quickly.
As I said it does not make sense to zero out these logs without first making copies of them for later use. Maybe there was a security requirement to turn on "system accounting" and this is how thet dealt with the logs filling up root. This is NOT how system accounting is run. Either turn it off, or if you have to keep it running,
1. you need to find another area to place the logfiles. Their location is set in /etc/rc.config.d/auditing
2. Even when you find an area with lots of space, these files will eventually fill it up. So you would still need to copy them off your server onto tape, DVD etc, and then zero them out like you do know. This zeroing out should be done less frequently maybe on a daily basis and not every 15 minutes so that you have a pair of auditing files for each day.
John Ivy
Frequent Advisor

Re: clean_hids_logs.ksh

Thanks you, this was very helpful
John Ivy
Frequent Advisor

Re: clean_hids_logs.ksh

Thanks to everyone