Re: BSM Audit Troubleshooting help

From: Anupam (frj780jdy85533001@sneakemail.com)
Date: 02/11/02


From: "Anupam" <frj780jdy85533001@sneakemail.com>
To: <focus-sun@securityfocus.com>
Date: Mon, 11 Feb 2002 08:44:53 -0500

For the time being I have rectified the problem based on Darren Moffat's
suggested piece of code:
#!/bin/sh
# Apply the preselection mask to every process that already exists, by
# walking /proc (each numeric entry under /proc on Solaris is a process id).
for pid in /proc/[0-9]*
do
    auditconfig -setpmask "${pid##*/}" lo,ad,ex,fw,fm,fc,fd
done

When I ran "auditconfig -getpinfo 0" it came back with:
audit id = unknown(-2)
process preselection mask = no(0x0,0x0)
terminal id (maj,min,host) = 0,0,unknown(0.0.0.0)
audit session id = 0

After running the auditconfig -setpmask code, it returns:
audit id = unknown(-2)
process preselection mask = ex,ad,fd,fc,fm,fw(0x4000083a,0x4000083a)
terminal id (maj,min,host) = 0,0,unknown(::)
audit session id = 0

Questions (more out of curiosity now):
- Any hypothesis why the audit daemon suddenly stopped writing?
- What kind of events would cause the existing processes to lose their
preselection masks?

My observations:
- Based on the time stamps, the audit_control and audit_user files were
modified appropriately before bsmconv was enabled.
- Space is not an issue on the /var partition.

Thanks,

- Anupam
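A small check that goes with the loop above, added here as an example and not part of Anupam's or Darren Moffat's code: it parses the "auditconfig -getpinfo" report format quoted in the post and flags processes whose preselection mask has been cleared to no(0x0,0x0), so you can see which processes need the mask reapplied before running the setpmask loop. The two sample reports embedded in the script are constructed from the output shown above; unmasked_pids assumes a Solaris host with auditconfig(1M) and is the only part that touches a live system.

```shell
#!/bin/sh
# Added example (not from the original post): find processes whose audit
# preselection mask has been cleared, parsing the "auditconfig -getpinfo"
# output format quoted in the post. Sample reports below are constructed.

# mask_is_empty: read one "auditconfig -getpinfo <pid>" report on stdin and
# succeed (exit 0) only when the process preselection mask is no(0x0,0x0).
mask_is_empty() {
    grep -q '^process preselection mask = no(0x0,0x0)$'
}

# mask_classes: print the audit class list from a report, e.g.
# "ex,ad,fd,fc,fm,fw", or "no" when the mask is empty.
mask_classes() {
    sed -n 's/^process preselection mask = \([^(]*\)(.*/\1/p'
}

# unmasked_pids: walk /proc and print the pid of every process whose mask is
# empty. Assumes a Solaris host with auditconfig(1M); not run by the tests.
unmasked_pids() {
    for p in /proc/[0-9]*; do
        pid=${p##*/}
        auditconfig -getpinfo "$pid" 2>/dev/null | mask_is_empty && echo "$pid"
    done
}

# Constructed sample reports, in the format quoted in the post.
SAMPLE_EMPTY='audit id = unknown(-2)
process preselection mask = no(0x0,0x0)
terminal id (maj,min,host) = 0,0,unknown(0.0.0.0)
audit session id = 0'

SAMPLE_SET='audit id = unknown(-2)
process preselection mask = ex,ad,fd,fc,fm,fw(0x4000083a,0x4000083a)
terminal id (maj,min,host) = 0,0,unknown(::)
audit session id = 0'

# Demonstration on the constructed reports.
printf '%s\n' "$SAMPLE_EMPTY" | mask_is_empty && echo "sample 1: mask empty"
printf '%s\n' "$SAMPLE_SET" | mask_is_empty \
    || echo "sample 2: mask set to $(printf '%s\n' "$SAMPLE_SET" | mask_classes)"
```

On a live host, "unmasked_pids" lists the pids to feed to the setpmask loop; the parsing functions are kept separate so the format handling can be checked without auditconfig present.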