HPE Community
Operating System - HP-UX
1820614 Members
1860 Online
109626 Solutions
New Discussion юеВ

Re: System call to flush or null a file

 
coollllllllllll
Regular Advisor

тАО05-08-2013 01:20 AM

тАО05-08-2013 01:20 AM

System call to flush or null a file

Hi ,

 

What is the system call from unix end to flush or nullify a file.

am thinking of starting auditing of my hpux boxxes 11.23 ,  wherein some major system calls to be monitored for some users.

like root oracle , application user.

 

what should i use "audevent -P -s ????"  here to catch hold of someone trying to flush a file  or flushed a file .

0 Kudos
Reply
14 REPLIES 14
Dennis Handly
Acclaimed Contributor

тАО05-08-2013 02:54 AM

тАО05-08-2013 02:54 AM

Re: System call to flush or null a file

To catch trying to reset the EOF of a file, you need to look for open with O_TRUNC.

Reply
coollllllllllll
Regular Advisor

тАО05-08-2013 05:42 AM

тАО05-08-2013 05:42 AM

Re: System call to flush or null a file

Hi Dennis ,

 

Thanks

Also i have observed that "rm " is not getting captured via auditing  i.e audevent  is there any way i can track it ??? 

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО05-08-2013 01:03 PM

тАО05-08-2013 01:03 PM

Re: System call to flush or null a file

>I have observed that "rm" is not getting captured

 

rm is an unlink(2).

Reply
coollllllllllll
Regular Advisor

тАО05-09-2013 03:03 AM

тАО05-09-2013 03:03 AM

Re: System call to flush or null a file

Hi Dennis ,

 

Can i have auditing enabled only for some specific commands  and for some specific users ONLY like ,

 

rm

rm -rf

someone flushing  a file

someone renaming a file

someone copying a file

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО05-09-2013 04:18 AM - edited тАО05-13-2013 10:55 PM

тАО05-09-2013 04:18 AM - edited тАО05-13-2013 10:55 PM

Re: System call to flush or null a file

>Can I have auditing enabled only for some specific commands?

 

Only if you log execution of that command.  I.e. open that executable.

Or there is a system call that the command does.

I assume if you have auditing turned on, you can filter for specific users.

 

>someone renaming a file

 

This is a rename.

 

>someone copying a file

 

This is some opening that file.

Reply
coollllllllllll
Regular Advisor

тАО05-13-2013 10:38 PM

тАО05-13-2013 10:38 PM

Re: System call to flush or null a file

Hi Dennis ,

 

I didnt get it.

 

Only if you log execution of that command, open that executable.

Or there is a system that the command does.

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО05-13-2013 10:56 PM

тАО05-13-2013 10:56 PM

Re: System call to flush or null a file

>I didn't get it.

 

I've updated the post and fixed a few missing words.

Reply
chindi
Respected Contributor

тАО07-17-2013 01:01 AM

тАО07-17-2013 01:01 AM

Re: System call to flush or null a file

Hi Matti ,

 

Can you please help me here with your inputs.

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО07-17-2013 01:30 AM

тАО07-17-2013 01:30 AM

Re: System call to flush or null a file

>Can you please help me here with your inputs?

 

What's your question?

0 Kudos
Reply
chindi
Respected Contributor

тАО07-17-2013 04:04 AM - edited тАО07-17-2013 04:04 AM

тАО07-17-2013 04:04 AM - edited тАО07-17-2013 04:04 AM

Re: System call to flush or null a file

Can i have auditing enabled only for  some specific users ONLY

Able to rotate those log files say after one day ?

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО07-17-2013 06:55 AM

тАО07-17-2013 06:55 AM

Re: System call to flush or null a file

> Can i have auditing enabled only for  some specific users ONLY

 

Yes. Please see "man audusr" on your system.

 

> Able to rotate those log files say after one day ?


You should write a script that first uses "audsys -c some_new_file" to switch the audit log to a new file, then your script can do whatever you want with the old audit log file.

MK
Reply
chindi
Respected Contributor

тАО07-18-2013 05:05 AM

тАО07-18-2013 05:05 AM

Re: System call to flush or null a file

Hi Matti ,

 

Am trying the below steps ;

 

 

audsys -f

audusr -D

will disable auditing for all users, and then:

audusr -a root -a oracle

will add it back for those users.

 

then audsys -n -c /mydir/audlog20MB -s 20480

which is creating 20MB file with lots of junk , not able to understand anything.

 

We are using audisp /mydir/audlog20MB  to analyse this logs , but no success .

 

Can you help us to trace any file removal , flush activity being carried out for a particualr user say oracle .

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО07-18-2013 06:26 AM

тАО07-18-2013 06:26 AM

Re: System call to flush or null a file

Yes, the audlog20MB will be a binary logfile that can only be read using a tool like audisp.

 

If you are logging only root and oracle users, then:

audisp -e delete -u oracle /mydir/audlog20MB

 should display all file removals done by user "oracle".

 

Flushing a file is a little bit more tricky, since it is essentially just opening a file for writing, with the O_TRUNC option.

So you would have to run something like:

audisp -e open -u oracle /mydir/audlog20MB

 and then use grep or similar to find only the interesting events from the output.

 

Unfortunately I don't have an example of 11.23 audisp output available to me (my test server is not in Trusted mode and does not have the Standard Mode Security Extensions installed). So I cannot design a suitable filter command for you.

 

MK
Reply
chindi
Respected Contributor

тАО07-18-2013 10:23 PM

тАО07-18-2013 10:23 PM

Re: System call to flush or null a file

Hi Matti ,

 

I need to keep a record of all suspicios activities carried out in my box.

All commands ran by a user in his/her shell

We are using history variable in /etc/profile .

But as Dennis said we cannot alter history settings .

Do we have any other alternate solution to this auditing problem.

 

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.