
Re: Auditing broken?

 
SOLVED
Go to solution
Jacques Larouche
Occasional Contributor

Auditing broken?

Because of a problem with lost files, I activated Events Auditing on one of our servers, especially for the "delete" event type. The result is totally wrong and gives me this output:
fbsql011:/.secure/etc# sam &
[1] 16478
fbsql011:/.secure/etc# audisp -e delete audfile1
All users are selected.
Selected the following events:
delete
2048
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
011026 11:17:33 14785 S 137 12764 16 0 3 0 3 ttyp2
[ Event=rmdir; User=ouellemi; Real Grp=sys; Eff.Grp=sys; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000008 (dev);
3824 (inode);
(path) = /var/sam/core
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The user mentioned is a valid user, but wasn't logged on the system at that time. ttyp2 is my own tty and I'm not 'ouellemi'!
Deleting myself a file doesn't update that event log.

Strange...
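A small consistency check for records like the one quoted above, added here as an example (it is not from the thread or from HP's audit tools): it parses audisp header and detail lines and flags events where the User= name owns neither the RUID nor the EUID that made the call, which is exactly the shape of the poster's record (RUID 0 / EUID 0 but User=ouellemi). The PASSWD table, the second event, and the assumption that User= is resolved from the login identity in the AID column are constructed for the example.

```python
import re

# Constructed sample: the audisp record quoted in the thread, plus a made-up second
# event where the displayed user really is the account that ran the call.
SAMPLE = """\
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
011026 11:17:33 14785 S 137 12764 16 0 3 0 3 ttyp2
[ Event=rmdir; User=ouellemi; Real Grp=sys; Eff.Grp=sys; ]
011026 11:20:05 14900 S 137 12764 16 334 126 334 126 ttyp3
[ Event=rmdir; User=ouellemi; Real Grp=cdb_dba; Eff.Grp=cdb_dba; ]
"""
# Hypothetical uid->name table standing in for /etc/passwd (334 is ouellemi's uid in the thread).
PASSWD = {0: "root", 334: "ouellemi"}
NUMERIC = {"pid", "event", "ppid", "aid", "ruid", "rgid", "euid", "egid"}
# One audisp header line: date time pid E event ppid aid ruid rgid euid egid tty
HEADER_RE = re.compile(
    r"^(?P<date>\d{6})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<pid>\d+)\s+(?P<e>\S)\s+(?P<event>\d+)\s+"
    r"(?P<ppid>\d+)\s+(?P<aid>\d+)\s+(?P<ruid>\d+)\s+(?P<rgid>\d+)\s+(?P<euid>\d+)\s+"
    r"(?P<egid>\d+)\s+(?P<tty>\S+)$")
DETAIL_RE = re.compile(r"^\[\s*(?P<body>.*?)\s*\]$")

def parse_records(text):
    """Return one dict per event, merging the header columns with the bracketed detail line."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = {k: (int(v) if k in NUMERIC else v) for k, v in m.groupdict().items()}
            records.append(current)
            continue
        d = DETAIL_RE.match(line.strip())
        if d and current is not None:
            for field in d.group("body").split(";"):
                if "=" in field:
                    key, val = field.split("=", 1)
                    current[key.strip()] = val.strip()
    return records

def identity_mismatches(records, passwd=PASSWD):
    """Flag events whose User= name owns neither the RUID nor the EUID that made the call.
    Assumption: the name is looked up from the login identity (AID); RUID/EUID are the actor."""
    findings = []
    for r in records:
        shown = r.get("User")
        real = passwd.get(r["ruid"], "uid%d" % r["ruid"])
        eff = passwd.get(r["euid"], "uid%d" % r["euid"])
        if shown not in (real, eff):
            findings.append({"pid": r["pid"], "event": r.get("Event"), "shown": shown,
                             "ruid": real, "euid": eff, "aid": r["aid"]})
    return findings
```

Run over real audisp output, a non-empty result is the list of records where the name you would read in a report disagrees with the numeric identity the kernel recorded, which is the discrepancy to resolve before trusting the audit trail for a deletion investigation.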
James Beamish-White
Trusted Contributor

Re: Auditing broken?

Are you sure that that user doesn't have a cronjob running to clean up core files?

And have you checked that your uid is not that same as that user?

Finally, you should check that root isn't automatically excluded from auditing...

Cheers,
James
GARDENOFEDEN> create light
Jacques Larouche
Occasional Contributor

Re: Auditing broken?

Yes James, I've checked all that!
harry d brown jr
Honored Contributor
Solution

Re: Auditing broken?

What groups does the user ouellemi belong to? What is their UID? Do they have AT jobs running? Are there any scripts that they have ownership of that are being executed by cron? Or maybe they have a setuid bit set on a script under their name?

You could also have corrupt tmp files. What does "last" show for that user?


live free or die
harry
Live Free or Die
Jacques Larouche
Occasional Contributor

Re: Auditing broken?

I checked the wtmp file with the "last" command and, as I thought, that user never logged on. And he had nothing running under cron or at either. I decided to get rid of that account, so I got him off the passwd file. Now the same audit result shows me root as the uid, instead of ouellemi. I know that that doesn't explain too much, but at least it works better now (until that user asks me for an account one day!)

Jacques
harry d brown jr
Honored Contributor

Re: Auditing broken?

What was their UID and GID?

I'm thinking maybe you have corrupt wtmp, utmp, or btmp files. Which one, I have no clue, but I'm sure someone can tell us. Look into the wtmpfix command. It just might have screwed up records.

live free or die
harry
Live Free or Die
Jacques Larouche
Occasional Contributor

Re: Auditing broken?

There's nothing special I can see in his userid...

# id ouellemi
uid=334(ouellemi) gid=126(cdb_dba) groups=20(users),25(sybase),30(cdb_dev),37(dl_admin),40(trfas400),124(cdb_dev2),127(cdb_sqr),128(cdb_ext),140(das),170(db_batch),29(oper)

... and nothing special happened after running wtmpfix.