Operating System - HP-UX

Re: Trusted system and auditing

 
Srinivas_3
Occasional Advisor

Trusted system and auditing

System config: HPUX 11.0, L-Class.
When we try to audisp the audit file, it does not show any events and shows the error
" cannot back-reference pid ident "
We tried stopping and starting /sbin/init.d/auditing.

The audit log file is 150MB in size, but audisp just shows the above error and no contents.
Dietmar Konermann
Honored Contributor
Solution

Re: Trusted system and auditing

Hi!

Looks like your audit file contains no pid identification records (PIR). So the events contained in the file cannot be associated with a process.

audit(4) man page:

The records in the audit file are compressed to save file space. When a process is audited the first time, a pid identification record (PIR) is written into the audit file containing information that remains constant throughout the lifetime of the process. This includes the parent's process ID, audit ID, real user ID, real group ID, effective user ID, effective group ID, and the terminal ID (tty). The PIR is entered only once per process per audit file.

---

If you perform an audit file switch using audsys(1M), then the active PIRs should be written to the beginning of the new file. Maybe your file was corrupted, e.g. by copying it while it was active or similar?

Regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
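
The PIR back-reference described in the audit(4) excerpt above, as an added example that is not part of the original thread or of HP-UX: a simplified in-memory model showing why an audit file without its PIRs cannot be displayed and why a proper file switch avoids this. The record layout, class and function names, and sample values are all constructed; this is not the real on-disk audit format.

```python
# Simplified model of PIR back-referencing (assumed layout, NOT the HP-UX format).
from dataclasses import dataclass

@dataclass(frozen=True)
class PIR:                      # written once per process per audit file
    pid: int
    ppid: int
    aid: int
    ruid: int
    tty: str

@dataclass(frozen=True)
class Event:                    # compressed record: identifies the process by pid only
    pid: int
    syscall: str

class BackReferenceError(Exception):
    """Raised when an event has no earlier PIR in the same file."""

def display(records):
    """Expand each event using the PIR seen earlier in the same file."""
    pirs, out = {}, []
    for rec in records:
        if isinstance(rec, PIR):
            pirs[rec.pid] = rec
        elif rec.pid not in pirs:
            raise BackReferenceError(f"cannot back-reference pid ident {rec.pid}")
        else:
            out.append((rec.syscall, rec.pid, pirs[rec.pid].ruid, pirs[rec.pid].tty))
    return out

def orphan_pids(records):
    """Integrity check: pids with events but no preceding PIR (empty = displayable)."""
    known, orphans = set(), []
    for rec in records:
        if isinstance(rec, PIR):
            known.add(rec.pid)
        elif rec.pid not in known and rec.pid not in orphans:
            orphans.append(rec.pid)
    return orphans

def switch_file(old_records, live_pids):
    """Start a new file as a proper switch does: PIRs of live processes come first."""
    seen = {r.pid: r for r in old_records if isinstance(r, PIR)}
    return [seen[pid] for pid in sorted(live_pids) if pid in seen]

# Constructed sample: one audited process issuing repeated kill events.
AUDIT_FILE = [PIR(4711, 1, 105, 201, "pts/2"), Event(4711, "kill"), Event(4711, "kill")]
```

Slicing `AUDIT_FILE[1:]` models a file that lost its leading records (for example a partial copy of an active file); `orphan_pids` then reports pid 4711 and `display` raises.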
Srinivas_3
Occasional Advisor

Re: Trusted system and auditing

Your answer looks relevant. I have re-created the files and kept the system under observation.

Actually, my system has Informix running on it. The audit log shows event type 'kill', 37 as the event number, and owner informix. This message in the audit log repeats every 1 sec, so this fills up the audit log very badly.

Any idea, what the event means?

HPUX 11.0
Informix 9.21
L Class