Operating System - HP-UX

System call to flush or null a file

chindi
Respected Contributor

Re: System call to flush or null a file

Can I have auditing enabled only for some specific users ONLY

Able to rotate those log files, say, after one day?

Matti_Kurkela
Honored Contributor

Re: System call to flush or null a file

> Can I have auditing enabled only for some specific users ONLY

Yes. Please see "man audusr" on your system.

> Able to rotate those log files, say, after one day?


You should write a script that first uses "audsys -c some_new_file" to switch the audit log to a new file, then your script can do whatever you want with the old audit log file.

MK
chindi
Respected Contributor

Re: System call to flush or null a file

Hi Matti,

Am trying the below steps:

audsys -f

audusr -D

will disable auditing for all users, and then:

audusr -a root -a oracle

will add it back for those users.

then audsys -n -c /mydir/audlog20MB -s 20480

which is creating a 20MB file with lots of junk, not able to understand anything.

We are using audisp /mydir/audlog20MB to analyse these logs, but no success.

Can you help us to trace any file removal or flush activity being carried out for a particular user, say oracle.

Matti_Kurkela
Honored Contributor

Re: System call to flush or null a file

Yes, the audlog20MB will be a binary logfile that can only be read using a tool like audisp.

If you are logging only root and oracle users, then:

audisp -e delete -u oracle /mydir/audlog20MB

should display all file removals done by user "oracle".

Flushing a file is a little bit more tricky, since it is essentially just opening a file for writing, with the O_TRUNC option.

So you would have to run something like:

audisp -e open -u oracle /mydir/audlog20MB

and then use grep or similar to find only the interesting events from the output.

Unfortunately I don't have an example of 11.23 audisp output available to me (my test server is not in Trusted mode and does not have the Standard Mode Security Extensions installed). So I cannot design a suitable filter command for you.

MK
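The rotation script Matti describes in his first reply (switch the trail with "audsys -c", then handle the old file), combined with the "audisp -e delete -u oracle" filter from his later reply, written out as an added example. This is not code from the thread or from HP. The directory /mydir, the 20480 KB size limit and the user "oracle" come from the thread; the state file that remembers the active trail, the 30-day retention and the report file name are assumptions.

```shell
#!/usr/bin/sh
# Added example (not from the thread): rotate the HP-UX audit trail with
# audsys -c, then extract file-removal events for one user from the retired
# trail with audisp. The state file, retention and report names are assumed.

AUDIT_DIR=${AUDIT_DIR:-/mydir}          # directory used in the thread
AUDIT_SIZE_KB=${AUDIT_SIZE_KB:-20480}   # 20 MB, as in the thread
AUDIT_USER=${AUDIT_USER:-oracle}        # user whose deletions are reported
KEEP_DAYS=${KEEP_DAYS:-30}              # assumed retention for retired trails
STATE_FILE=${STATE_FILE:-$AUDIT_DIR/.current_audlog}  # hypothetical: path of the active trail

# Name for the next trail: audlog.YYYYMMDDhhmmss under the given directory.
next_audit_log() {
    printf '%s/audlog.%s\n' "$1" "$(date +%Y%m%d%H%M%S)"
}

# Switch auditing to a fresh trail and print the path of the retired one
# (empty on the first run). audsys -c selects the new file, -s its size in KB.
switch_audit_log() {
    dir=$1
    new=$(next_audit_log "$dir")
    old=""
    if [ -f "$STATE_FILE" ]; then
        old=$(cat "$STATE_FILE")
    fi
    audsys -c "$new" -s "$AUDIT_SIZE_KB" || return 1
    printf '%s\n' "$new" > "$STATE_FILE"
    printf '%s\n' "$old"
}

# Write the file-removal events of one user from a retired (binary) trail
# into a readable report beside it, using the filter from the thread.
report_deletions() {
    trail=$1
    user=$2
    audisp -e delete -u "$user" "$trail" > "$trail.deletes.$user.txt"
}

# Remove retired trails and their reports older than KEEP_DAYS.
prune_old_logs() {
    find "$1" -name 'audlog.*' -type f -mtime +"$KEEP_DAYS" -exec rm -f {} \;
}

# One rotation: switch trail, report on the retired one, prune old files.
rotate_audit_log() {
    dir=$1
    old=$(switch_audit_log "$dir") || return 1
    if [ -n "$old" ] && [ -f "$old" ]; then
        report_deletions "$old" "$AUDIT_USER"
    fi
    prune_old_logs "$dir"
}

# Run once a day from cron:  sh audit_rotate.sh rotate
case "${1:-}" in
    rotate) rotate_audit_log "$AUDIT_DIR" ;;
esac
```

The script never truncates or edits the trail that audsys is currently writing; it only touches the file audsys has already released, which is why the switch happens first and the report and pruning come afterwards. Keeping the retired trails for a fixed period gives you something to run further audisp queries (for example "-e open") against when a question about a user's activity comes up later.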
chindi
Respected Contributor

Re: System call to flush or null a file

Hi Matti,

I need to keep a record of all suspicious activities carried out in my box.

All commands run by a user in his/her shell

We are using the history variable in /etc/profile.

But as Dennis said, we cannot alter history settings.

Do we have any other alternate solution to this auditing problem?