auditing writes to all files in the /etc directory.

Hi.  I'm trying to audit writes to all files in the /etc directory and I want to check that my config file is set up to ONLY audit writes to all files in the /etc directory.  Please check my config file to make sure.
Please see the attached config.txt file.

Below is the script I'm running to do this:
## Shuts down auditing ##
/usr/sbin/audit shutdown
sleep 5
fuser -k /audit/stream.out
cp /dev/null /etc/security/audit/objects
## Saves audit log to a file named with the current day (days overwritten with new data weekly) ##
mv /audit/stream.out /audit/audit`date +%m%a`.log
## Puts every file in the specified directories into the objects file to be audited ##
## (read -r keeps paths containing spaces whole; awk's $1 would cut them off at the first space) ##
find /etc -type f | while IFS= read -r f
do
    printf '%s:\n\tw = FILE_Write\n\n' "$f"
done > /etc/security/audit/objects
## Starts auditing ##
/usr/sbin/audit start
config.txt
murkytunaAsked:
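As an added example (this is editor-supplied code, not the asker's script and not an IBM tool): a POSIX-shell version of the objects-file generator together with a check that answers the question asked here, namely that the resulting objects file names only files under the intended directory and requests nothing but the FILE_Write event. It assumes the stanza layout the script above produces (a path, a colon, then a tab-indented "w = FILE_Write" line); the temporary directory and file names in the usage below are constructed.

```sh
#!/bin/sh
# Added example, not from the original post.  Builds an AIX-style
# objects stanza file (path:, then "\tw = FILE_Write") for every regular
# file under a directory, and checks that an objects file audits
# nothing but writes to files under that directory.

# gen_objects DIR OUT: write one stanza per regular file under DIR to OUT.
# "while IFS= read -r" keeps paths containing spaces or backslashes whole,
# which awk's $1 (as in the original script) does not.
gen_objects() {
    : > "$2"
    find "$1" -type f | while IFS= read -r path; do
        printf '%s:\n\tw = FILE_Write\n\n' "$path"
    done >> "$2"
}

# check_objects DIR FILE: return 0 when every stanza header names a path
# under DIR and every attribute line is exactly "w = FILE_Write";
# otherwise report each offending line on stderr and return 1.
check_objects() {
    dir=$1
    bad=0
    while IFS= read -r line; do
        lead=${line%%[![:space:]]*}        # leading whitespace, if any
        body=${line#"$lead"}               # line without its indentation
        trail=${body##*[![:space:]]}       # trailing whitespace, if any
        body=${body%"$trail"}
        case "$body" in
            '')                ;;                                     # blank separator
            "$dir"/*:)         ;;                                     # stanza for a file under DIR
            *:)                echo "outside $dir: $body" >&2; bad=1 ;;
            'w = FILE_Write')  ;;                                     # the one event we want
            *)                 echo "unexpected entry: $body" >&2; bad=1 ;;
        esac
    done < "$2"
    return $bad
}

# count_stanzas FILE: number of files the objects file covers.
count_stanzas() {
    grep -c ':$' "$1"
}
```

Usage on the real system would be `gen_objects /etc /tmp/objects.new && check_objects /etc /tmp/objects.new && count_stanzas /tmp/objects.new`, copying the verified file into /etc/security/audit/objects only when the check returns 0. A path that itself contains a colon is ambiguous in this stanza layout (the colon ends the stanza name), so list such files separately before trusting the count.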
murkytunaAuthor Commented:
My config file (users abbreviated at the end):

start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
        objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
        SRC = SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,SRC_Delserver
        kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create
        svipc = MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,SHM_Close,SHM_Owner,SHM_Mode
        mail = SENDMAIL_Config,SENDMAIL_ToFile
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
        tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate
        ipsec = IPSEC_chtun,IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,IKE_activat_cmd,IKE_remove_cmd
        lvm = LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG
        ldapserver = LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search,LDAP_Compare
        aacct=AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_SwtchFile,AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AACCT_PrIntOff,AACCT_PrIntSet,AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACCT_PolLoad,AACCT_PolUnload,AACCT_NotChange,AACCT_NotifyOff

users:
        root = general,files
user1
user2
user3
user4
0
woolmilkporcCommented:
Hi again,
your script will only extract files under /etc to create the objects entries, and is thus correct.
It uses "find /etc -type f ...", which means "find all files (-type f) under /etc and its subdirectories".
Furthermore, you delete your objects file beforehand (you do it even twice, by copying /dev/null to it and by using ">" in the find/awk statement), so that there cannot be any remnants of previous configurations.
Which classes are your users associated to? If it's "files" not only writes will be audited, as can be seen in the classes definition you posted.
wmp
 
 
0

murkytunaAuthor Commented:
Where do I check which classes my users are associated to?  Do you mean the last part of the config file where it says:
root = general,files
?

The users below root = general,files just have the user names listed.  
0

murkytunaAuthor Commented:
Looking at the stream.out file, it does look like more than writes are being audited:

FILE_Close      root     OK          Tue Apr 13 05:06:58 2010 auditpr
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 ksh
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 ksh
FILE_Write      root     OK          Tue Apr 13 05:06:58 2010 ksh
FILE_Write      root     OK          Tue Apr 13 05:06:58 2010 auditstream
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Write      root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Write      root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Write      root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Write      root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Write      root     OK          Tue Apr 13 05:06:58 2010 _proapsv
FILE_Read       root     OK          Tue Apr 13 05:06:58 2010 ksh
FILE_Read       root     OK          Tue Apr 13 05:06:59 2010 _proapsv
FILE_Write      root     OK          Tue Apr 13 05:06:59 2010 _proapsv
FILE_Open       root     OK          Tue Apr 13 05:06:59 2010 _mprosrv
FILE_Read       root     OK          Tue Apr 13 05:06:59 2010 _mprosrv
FILE_Close      root     OK          Tue Apr 13 05:06:59 2010 _mprosrv
FILE_Open       root     OK          Tue Apr 13 05:06:59 2010 _mprosrv
FILE_Read       root     OK          Tue Apr 13 05:06:59 2010 _mprosrv
FILE_Close      root     OK          Tue Apr 13 05:06:59 2010 _mprosrv
FILE_Open       root     OK          Tue Apr 13 05:06:59 2010 _mprshut
FILE_Read       root     OK          Tue Apr 13 05:06:59 2010 _mprshut
FILE_Close      root     OK          Tue Apr 13 05:06:59 2010 _mprshut
FILE_Open       user1   OK          Tue Apr 13 05:07:00 2010 _mprosrv
FILE_Read       user1   OK          Tue Apr 13 05:07:00 2010 _mprosrv
FILE_Close      user1  OK          Tue Apr 13 05:07:00 2010 _mprosrv
FILE_Write      root     OK          Tue Apr 13 05:07:01 2010 ksh
0
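As an added example (editor-supplied, not code from the thread or from AIX itself): a small POSIX-shell/awk summariser for an auditpr-style stream.out like the one pasted above, so the events actually recorded can be compared with the intended policy instead of eyeballed in vi. It assumes the column layout shown in the thread (event, login, status, a five-field timestamp, then the command name as the last field); the sample records used to exercise it are constructed, modelled on the output above.

```sh
#!/bin/sh
# Added example, not from the original thread.  Summarises an auditpr-style
# stream.out so the events actually recorded can be compared with the
# intended policy.  Assumes the column layout shown in the thread:
# event, login, status, a 5-field timestamp, then the command name last.

# Record lines start with an event name such as FILE_Read, USER_SU or
# S_PASSWD_WRITE; the "event login ..." header and the dashed rule do not.
EVENT_RE='^[A-Z][A-Z0-9]*_[A-Za-z0-9_]+$'

# event_counts FILE: "event count" per event type, most frequent first.
event_counts() {
    awk -v re="$EVENT_RE" '$1 ~ re { n[$1]++ }
        END { for (e in n) print e, n[e] }' "$1" | sort -k2,2nr -k1,1
}

# unexpected_events FILE [WANTED]: event types recorded other than WANTED
# (default FILE_Write).  Any output means the running policy audits more
# than intended, which is what the "files" class does.
unexpected_events() {
    want=${2:-FILE_Write}
    event_counts "$1" | awk -v w="$want" '$1 != w { print $1 }'
}

# unexpected_sources FILE [WANTED]: distinct "login command" pairs that
# produced events other than WANTED, to see who or what generated them.
unexpected_sources() {
    want=${2:-FILE_Write}
    awk -v re="$EVENT_RE" -v w="$want" '$1 ~ re && $1 != w { print $2, $NF }' "$1" | sort -u
}
```

Typical use is `unexpected_events /audit/stream.out`; an empty result means only FILE_Write records were written, and `unexpected_sources` narrows a non-empty result down to the login and command that produced the extra events.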
woolmilkporcCommented:
That's because your "files" class does contain all kinds of file operations.
To actually audit "file write" operations only you should do two things -
1) define a new class for file writes in /etc/security/audit/config
     filew = FILE_Write
2) change all your user entries to just associate the new class to them
   lsuser -a ALL | while read USER
   do
     chuser auditclasses=filew "$USER"
   done
If you want "root" to be kept in the "general" and "files" classes, issue additionally
chuser auditclasses=general,files root
0
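As an added example (editor-supplied, not woolmilkporc's code and not an AIX utility): a POSIX-shell/awk reader for the classes and users stanzas of an AIX-style /etc/security/audit/config that expands each user's class list into the events it covers. It makes the point of the answer above checkable before restarting auditing: a user still in the "files" class shows up as audited for opens, reads and closes, and a user assigned to a class the file never defines (the situation the 3004-692 error points at) is reported separately. It assumes the stanza layout posted in the thread (headers such as "classes:" at column 0, indented "name = value" lines, comma-separated lists); the sample config used to exercise it is constructed.

```sh
#!/bin/sh
# Added example, not from the thread.  Reads the "classes:" and "users:"
# stanzas of an AIX-style audit config and expands each user's class list
# into the audit events it actually covers.  Assumes the layout posted in
# the thread: stanza headers at column 0 ("classes:"), indented
# "name = value" lines, comma-separated lists.

# user_events CONFIG: print "user event" for every event a user is audited
# for.  A class named in users: but never defined in classes: is reported
# as "user UNDEFINED(classname)".
user_events() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ { stanza = $1; sub(/:.*/, "", stanza); next }
        !/=/ { next }                                   # bare names, blank lines
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        }
        stanza == "classes" { cls[key] = val; next }
        stanza == "users" {
            n = split(val, cs, ",")
            for (i = 1; i <= n; i++) {
                if (!(cs[i] in cls)) { print key, "UNDEFINED(" cs[i] ")"; continue }
                m = split(cls[cs[i]], ev, ",")
                for (j = 1; j <= m; j++) print key, ev[j]
            }
        }' "$1" | sort -u
}

# over_audited CONFIG [WANTED]: users whose classes cover any event other
# than WANTED (default FILE_Write).
over_audited() {
    want=${2:-FILE_Write}
    user_events "$1" | awk -v w="$want" '$2 != w && $2 !~ /^UNDEFINED\(/ { print $1 }' | sort -u
}

# undefined_classes CONFIG: "user UNDEFINED(class)" lines, i.e. the
# assignments chuser would refuse with "Value is invalid".
undefined_classes() {
    user_events "$1" | awk '$2 ~ /^UNDEFINED\(/'
}
```

Run `over_audited /etc/security/audit/config` after editing the users stanza: with the config posted at the top of this thread it prints root, because general and files cover far more than FILE_Write; after the chuser loop above it should print nothing, and `undefined_classes` should print nothing as well.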
murkytunaAuthor Commented:
OK, I changed the config file to have this as the first entry under classes:

classes:
        filew = FILE_Write

I got this error when I ran the below commands: "3004-692 Error changing "auditclasses" to "filew" : Value is invalid.":

lsuser -a ALL | while read USER
do
    chuser auditclasses=filew "$USER"
done


Edited objects file is below:

classes:
        filew = FILE_Write
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
        objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
        SRC = SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,SRC_Delserver
        kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create
        svipc = MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,SHM_Close,SHM_Owner,SHM_Mode
        mail = SENDMAIL_Config,SENDMAIL_ToFile
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
        tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate
        ipsec = IPSEC_chtun,IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,IKE_activat_cmd,IKE_remove_cmd
        lvm = LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG
        ldapserver = LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search,LDAP_Compare
        aacct=AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_SwtchFile,AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AACCT_PrIntOff,AACCT_PrIntSet,AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACCT_PolLoad,AACCT_PolUnload,AACCT_NotChange,AACCT_NotifyOff

users:
root
user1
user2
0
woolmilkporcCommented:
>>  "3004-692 Error changing "auditclasses" to "filew" : Value is invalid.": <<
This error can only occur when you try to use a class not contained in the config file, or for a user who doesn't exist locally (in case of NIM or LDAP being used, for example). This message is normally preceded by "3004-703 Check "/etc/security/audit/config" file."
Please check the spelling carefully. With the file you posted the "chuser" stuff must work, at least for local users (i.e. contained in /etc/passwd). So the config file should contain these users now.
You wrote "objects" file. The file you posted is "config", which is the correct place for the posted entries. The "objects" file is the result of your find/awk procedure above and is quite another thing!

0
murkytunaAuthor Commented:
Thanks, yes, I meant the config file, not the objects file.  That seemed to edit the config file properly and the correct users are in there.  It's got a lot of entries like user1 = filew in there now under users at the bottom.

However, when I reran auditing, it looks like more than writes are being audited based on the stream.out file:

event           login    status      time                     command
--------------- -------- ----------- ------------------------ -------------------------------
FILE_Read       root     OK          Tue Apr 13 06:03:47 2010 ksh
FILE_Write      root     OK          Tue Apr 13 06:03:47 2010 ksh
FILE_Open       root     OK          Tue Apr 13 06:03:47 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 auditpr
FILE_Open       root     OK          Tue Apr 13 06:03:47 2010 _mprshut
FILE_Read       root     OK          Tue Apr 13 06:03:47 2010 _mprshut
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 _mprshut
FILE_Open       root     OK          Tue Apr 13 06:03:47 2010 _mprosrv
FILE_Read       root     OK          Tue Apr 13 06:03:47 2010 _mprosrv
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 _mprosrv
FILE_Open       root     OK          Tue Apr 13 06:03:48 2010 _mprosrv
FILE_Read       root     OK          Tue Apr 13 06:03:48 2010 _mprosrv
FILE_Close      root     OK          Tue Apr 13 06:03:48 2010 _mprosrv
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fm
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 db2fm
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fm
0
murkytunaAuthor Commented:
this is the entry for root:

users:
        root = filew

The users below it all say something like

user = filew as well.
0
woolmilkporcCommented:
Strange. I tested your setup on my AIX sandbox, and all works fine. Only FILE_Write is recorded.
Did you remember to issue "audit shutdown", not just "audit stop" to have the kernel re-read the config during the following "audit start"?
 
0
murkytunaAuthor Commented:
The script I ran to start it runs audit shutdown first:

## Shuts down auditing ##
/usr/sbin/audit shutdown
0
murkytunaAuthor Commented:
current config file:

start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        filew = FILE_Write
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
        objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
        SRC = SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,SRC_Delserver
        kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create
        svipc = MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,SHM_Close,SHM_Owner,SHM_Mode
        mail = SENDMAIL_Config,SENDMAIL_ToFile
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
        tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate
        ipsec = IPSEC_chtun,IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,IKE_activat_cmd,IKE_remove_cmd
        lvm = LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG
        ldapserver = LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search,LDAP_Compare
        aacct=AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_SwtchFile,AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AACCT_PrIntOff,AACCT_PrIntSet,AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACCT_PolLoad,AACCT_PolUnload,AACCT_NotChange,AACCT_NotifyOff

users:

users:
        root = filew
        daemon = filew
        bin = filew
        sys = filew
        adm = filew
        uucp = filew
        nobody = filew
        lpd = filew
        nuucp = filew
        supman = filew
0
murkytunaAuthor Commented:
Maybe when I vi the stream.out file it's showing more than what's actually being written to the audit log?

When I vi the stream.out file this is what I get:

event           login    status      time                     command
--------------- -------- ----------- ------------------------ -------------------------------
FILE_Read       root     OK          Tue Apr 13 06:03:47 2010 ksh
FILE_Write      root     OK          Tue Apr 13 06:03:47 2010 ksh
FILE_Open       root     OK          Tue Apr 13 06:03:47 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 auditpr
FILE_Open       root     OK          Tue Apr 13 06:03:47 2010 _mprshut
FILE_Read       root     OK          Tue Apr 13 06:03:47 2010 _mprshut
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 _mprshut
FILE_Open       root     OK          Tue Apr 13 06:03:47 2010 _mprosrv
FILE_Read       root     OK          Tue Apr 13 06:03:47 2010 _mprosrv
FILE_Close      root     OK          Tue Apr 13 06:03:47 2010 _mprosrv
FILE_Open       root     OK          Tue Apr 13 06:03:48 2010 _mprosrv
FILE_Read       root     OK          Tue Apr 13 06:03:48 2010 _mprosrv
FILE_Close      root     OK          Tue Apr 13 06:03:48 2010 _mprosrv
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fmcd
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 sh
FILE_Open       root     OK          Tue Apr 13 06:03:49 2010 db2fm
FILE_Read       root     OK          Tue Apr 13 06:03:49 2010 db2fm
FILE_Close      root     OK          Tue Apr 13 06:03:49 2010 db2fm
0
woolmilkporcCommented:
Are you looking at the right stream.out file?
You posted the same data as more than an hour ago. I can't imagine that nothing should have happened (or that you didn't test anything) since then.
Moreover, "audit start" overwrites the stream.out file (to be exact - the command configured in streamcmds does it), so you should no longer see these old data (at least not in the original file).
Remember your other case today? Did you change the stream.out location?
wmp
 
0
murkytunaAuthor Commented:
Thanks much.
0