05-08-2013 01:20 AM
System call to flush or null a file
Hi,
What is the system call from the unix end to flush or nullify a file?
I am thinking of starting auditing on my HP-UX 11.23 boxes, wherein some major system calls are to be monitored for some users, like root, oracle, application user.
What should I use, "audevent -P -s ????", here to catch hold of someone trying to flush a file or who has flushed a file?
05-08-2013 02:54 AM
Re: System call to flush or null a file
To catch someone trying to reset the EOF of a file, you need to look for open with O_TRUNC.
05-08-2013 05:42 AM
Re: System call to flush or null a file
Hi Dennis,
Thanks.
Also I have observed that "rm" is not getting captured via auditing, i.e. audevent. Is there any way I can track it???
05-08-2013 01:03 PM
Re: System call to flush or null a file
>I have observed that "rm" is not getting captured
rm is an unlink(2).
05-09-2013 03:03 AM
Re: System call to flush or null a file
Hi Dennis,
Can I have auditing enabled only for some specific commands and for some specific users ONLY, like:
rm
rm -rf
someone flushing a file
someone renaming a file
someone copying a file
05-09-2013 04:18 AM - edited 05-13-2013 10:55 PM
Re: System call to flush or null a file
>Can I have auditing enabled only for some specific commands?
Only if you log execution of that command. I.e. open that executable.
Or there is a system call that the command does.
I assume if you have auditing turned on, you can filter for specific users.
>someone renaming a file
This is a rename.
>someone copying a file
This is someone opening that file.
05-13-2013 10:38 PM
Re: System call to flush or null a file
Hi Dennis,
I didn't get it.
Only if you log execution of that command, open that executable.
Or there is a system that the command does.
05-13-2013 10:56 PM
Re: System call to flush or null a file
>I didn't get it.
I've updated the post and fixed a few missing words.
07-17-2013 01:01 AM
Re: System call to flush or null a file
Hi Matti,
Can you please help me here with your inputs?
07-17-2013 01:30 AM
Re: System call to flush or null a file
>Can you please help me here with your inputs?
What's your question?
07-17-2013 04:04 AM - edited 07-17-2013 04:04 AM
Re: System call to flush or null a file
Can I have auditing enabled only for some specific users ONLY?
Able to rotate those log files, say, after one day?
07-17-2013 06:55 AM
Re: System call to flush or null a file
> Can i have auditing enabled only for some specific users ONLY
Yes. Please see "man audusr" on your system.
> Able to rotate those log files say after one day ?
You should write a script that first uses "audsys -c some_new_file" to switch the audit log to a new file, then your script can do whatever you want with the old audit log file.
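A rotation script along the lines Matti describes, added here as an example and not code from the thread: it switches the kernel to a fresh audit file with "audsys -c", then archives the closed file so it can still be read with audisp. The archive directory and the timestamped file names are assumptions; /mydir and audlog20MB are the names used in the thread, and audsys(1M) is only present on HP-UX.

```shell
#!/bin/sh
# Added example, not from the thread: daily rotation of the HP-UX audit trail.
# Assumes audsys(1M) from HP-UX auditing. The archive/ subdirectory and the
# timestamped names are constructed here; /mydir and audlog20MB come from the thread.

# rotate_audit_log DIR CURRENT_FILE
#   DIR          directory that receives the new log and holds archive/
#   CURRENT_FILE audit file audsys is writing to right now
# Prints the path of the archived old log on success, returns 1 on failure.
rotate_audit_log() {
    dir=$1
    current=$2
    stamp=$(date +%Y%m%d%H%M%S)
    new="$dir/audlog.$stamp"

    [ -d "$dir/archive" ] || mkdir -p "$dir/archive" || return 1

    # Point the running audit system at the new file. Auditing keeps running;
    # only the destination changes, so there is no gap between the two logs.
    audsys -c "$new" || return 1

    # The kernel has closed the old file now. Keep it under the same timestamp
    # so "audisp -e delete -u oracle <archived file>" can be run against it later.
    archived="$dir/archive/$(basename "$current").$stamp"
    mv "$current" "$archived" || return 1
    # The trail is binary and sensitive; keep it readable by root only.
    chmod 600 "$archived"
    printf '%s\n' "$archived"
}

# Run from cron once a day, e.g.:  rotate_audit_log /mydir /mydir/audlog20MB
if [ $# -eq 2 ]; then
    rotate_audit_log "$1" "$2"
fi
```

After the switch, the new file is the one audsys reports as current, and only the archived copy is passed to audisp.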
07-18-2013 05:05 AM
Re: System call to flush or null a file
Hi Matti,
I am trying the below steps:
audsys -f
audusr -D
will disable auditing for all users, and then:
audusr -a root -a oracle
will add it back for those users.
then audsys -n -c /mydir/audlog20MB -s 20480
which is creating a 20MB file with lots of junk; I am not able to understand anything.
We are using audisp /mydir/audlog20MB to analyse these logs, but no success.
Can you help us to trace any file removal or flush activity being carried out for a particular user, say oracle?
07-18-2013 06:26 AM
Re: System call to flush or null a file
Yes, the audlog20MB will be a binary logfile that can only be read using a tool like audisp.
If you are logging only root and oracle users, then:
audisp -e delete -u oracle /mydir/audlog20MB
should display all file removals done by user "oracle".
Flushing a file is a little bit more tricky, since it is essentially just opening a file for writing, with the O_TRUNC option.
So you would have to run something like:
audisp -e open -u oracle /mydir/audlog20MB
and then use grep or similar to find only the interesting events from the output.
Unfortunately I don't have an example of 11.23 audisp output available to me (my test server is not in Trusted mode and does not have the Standard Mode Security Extensions installed). So I cannot design a suitable filter command for you.
07-18-2013 10:23 PM
Re: System call to flush or null a file
Hi Matti,
I need to keep a record of all suspicious activities carried out in my box:
all commands run by a user in his/her shell.
We are using the history variable in /etc/profile.
But as Dennis said, we cannot alter history settings.
Do we have any other alternative solution to this auditing problem?