
Re: audisp: bad audit record body.

 
jerry1
Super Advisor

audisp: bad audit record body.

I have set up trusted host and auditing as:
/usr/lbin/tsconvert -c
/usr/lbin/modprpw -V
/usr/bin/audevent -E
/usr/bin/audsys -n -c audnames -s 20000

I am getting the following error with audisp.
Anyone know why?

# audisp -e open /.secure/etc/audnames

audisp -e open /.secure/etc/audnames
All users are selected.
Selected the following events:
open
5120
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

audisp: bad audit record body.
Joseph Loo
Honored Contributor
Solution

Re: audisp: bad audit record body.

Hi,

Your problem points to a patch needed.

. PHKL_28445 - HP-UX 11.00 audit subsystem cumulative patch
. PHKL_28446 - HP-UX 11.11 audit subsystem cumulative patch

symptoms:
audisp(1M) aborts with error message "bad audit record body" on certain audit trails.

regards.
what you do not see does not mean you should not believe
jerry1
Super Advisor

Re: audisp: bad audit record body.

Thanks for the info Joseph.

I also found out that you must run
trusted host also. Unless someone has
figured out how to run auditing without
trusted host turned on.

tsconvert -c

Darren Prior
Honored Contributor

Re: audisp: bad audit record body.

Hi Jerry,

You're right - you must have a trusted system to run auditing. The audit id is stored within /tcb which is not present on a non-trusted system.

regards,

Darren.
Calm down. It's only ones and zeros...
jerry1
Super Advisor

Re: audisp: bad audit record body.

Well, nobody caught it.
I was using the wrong file, audnames, which
is a data file used by auditing.

I was also able to get auditing to work
without having to run the system in
trusted system mode and still use NIS.

ypcat passwd > /etc/passwd
tsconvert -c
modprpw -V
cpio files in /tcb to a temporary directory.
tsconvert -r
Take out NIS passwd info from /etc/passwd and add +.
mkdir /tcb and cpio files from temporary
directory.
mkdir -p /.secure/etc

audsys -n -c /.secure/etc/audit1 -s 1000
audisp /.secure/etc/audit1

Works. And I can still rlogin in as root, etc...

If you add a new UNIX account you would
have to edit the /tcb files as needed though
unless you script something.

I will have to look into making the systems
real trusted systems with NIS+ but just don't
have the time right now and it would break
too many things.