Re: BSM Audit Troubleshooting help
From: Anupam (frj780jdy85533001@sneakemail.com)
Date: 02/11/02
From: "Anupam" <frj780jdy85533001@sneakemail.com>
To: <focus-sun@securityfocus.com>
Date: Mon, 11 Feb 2002 08:44:53 -0500
For the time being I have rectified the problem based on Darren Moffat's
suggested piece of code:
#!/bin/sh
# Set the process preselection mask on every running process
# (each entry in /proc is a PID).
for i in `ls /proc`
do
    auditconfig -setpmask $i lo,ad,ex,fw,fm,fc,fd
done
When I ran "auditconfig -getpinfo 0" it came back with:
audit id = unknown(-2)
process preselection mask = no(0x0,0x0)
terminal id (maj,min,host) = 0,0,unknown(0.0.0.0)
audit session id = 0
After running the auditconfig -setpmask code, it returns:
audit id = unknown(-2)
process preselection mask = ex,ad,fd,fc,fm,fw(0x4000083a,0x4000083a)
terminal id (maj,min,host) = 0,0,unknown(::)
audit session id = 0
Questions (more out of curiosity now):
- Any hypothesis why the audit daemon suddenly stopped writing?
- What kind of events would cause the existing processes to lose their
preselection masks?
My observations:
- Based on the time stamps, the audit_control and audit_user files were
modified appropriately before bsmconv was enabled.
- Space is not an issue on the /var partition.
Thanks,
- Anupam
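A check for the condition described in the message (processes left with an empty preselection mask), as an added example that is not part of the original post: it parses the `auditconfig -getpinfo` output format quoted above. The function names are hypothetical, a POSIX shell is assumed, and report_unaudited additionally assumes Solaris auditconfig run as root.

```shell
#!/bin/sh
# Added example (not from the original message): detect processes whose BSM
# preselection mask is empty, using the -getpinfo output format shown above.

# Print the two mask words from `auditconfig -getpinfo` output read on stdin.
parse_pmask() {
    sed -n 's/^process preselection mask = .*(\(0x[0-9a-fA-F]*\),\(0x[0-9a-fA-F]*\)).*/\1 \2/p'
}

# Return 0 if both mask words are zero (no audit class is preselected),
# 1 if any bit is set, 2 if the mask line is missing or unparseable.
pmask_is_empty() {
    set -- $(parse_pmask)
    [ $# -eq 2 ] || return 2
    case "$1$2" in
        *[1-9a-fA-F]*) return 1 ;;
        *) return 0 ;;
    esac
}

# List live processes with an empty mask. Assumes Solaris auditconfig and root.
report_unaudited() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        if auditconfig -getpinfo "$pid" 2>/dev/null | pmask_is_empty; then
            echo "pid $pid: empty preselection mask"
        fi
    done
}

# The two outputs quoted in the message, embedded so the parser runs offline.
SAMPLE_BEFORE='audit id = unknown(-2)
process preselection mask = no(0x0,0x0)
terminal id (maj,min,host) = 0,0,unknown(0.0.0.0)
audit session id = 0'
SAMPLE_AFTER='audit id = unknown(-2)
process preselection mask = ex,ad,fd,fc,fm,fw(0x4000083a,0x4000083a)
terminal id (maj,min,host) = 0,0,unknown(::)
audit session id = 0'

for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$s" | pmask_is_empty; then
        echo "empty mask: no audit classes preselected"
    else
        echo "mask set: $(printf '%s\n' "$s" | parse_pmask)"
    fi
done
```

Running report_unaudited before and after the -setpmask loop shows which processes the loop actually changed.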