cancel
Showing results for 
Search instead for 
Did you mean: 

bad audit flag

 
Highlighted
Occasional Contributor

bad audit flag

I recently had a problem where a user would attempt to log on and would get rejected with a message of 'bad audit flag'.

The system is trusted, but auditing isn't turned on. I got around this problem by copying the TCB file of another user over the problem user and after adjusting the user name and id parameters, this fixed the problem.

I did notice that the problem user seemed to be missing a couple of lines from their TCB files. These lines being:
:u_auditid#516: :u_auditflag#1:
Does anyone know what causes this problem in the first instance?

This space intentionally left blank.
1 REPLY 1
Highlighted
Valued Contributor

Re: bad audit flag

Hi Ben, I am not sure why the fields were missing. But you mentioned you just copied the shadow password file from another user to the problem user password file. Please take note of the auditid needs to be change.

The auditid's value should be the line number in the /etc/passwd file for the
user.

If this is a new user added via SAM. You might consider installing latest SAM patches.


According to ITRC knowledge database document id :
KBRC00004823
bad audit flag on trusted system

.....
RESOLUTION

Most likely this is a problem with the shadow file for this user. Please try
the following:

look at the shadow password file for the user and you should find that they are
missing some entries.

# cd /tcb/files/auth/
# vi users password file.
eg..
for user kmb
kmb:u_name=kmb:u_id#129: :u_pwd=2fPagvzbeTjuA: :u_auditid#39:
:u_auditflag#1: :u_pswduser=kmb:u_suclog#936124810:u_lock@:chkent

Notice the auditflag has a value of 1
The auditid's value should be the line number in the /etc/passwd file for the
user.

If the auditid or the auditflag lines are the problem then add
the :u_auditid#
and u_auditflag#1 to the users shadow password file.