Title: | DIGITAL UNIX (FORMERLY KNOWN AS DEC OSF/1) |
Notice: | Welcome to the Digital UNIX Conference |
Moderator: | SMURF::DENHAM |
Created: | Thu Mar 16 1995 |
Last Modified: | Fri Jun 06 1997 |
Last Successful Update: | Fri Jun 06 1997 |
Number of topics: | 10068 |
Total number of notes: | 35879 |
Our critical customer recently experienced a strange problem on Digital Unix 4.0B. It has occurred two times. He is running SyBase 11 on Digital Unix 4.0B. He reported that one day all files under /bin disappeared. And some data files under the sybase directory became zero size. Then he restored the file system to recover. It has occurred two times. We have checked 8630 that SyBase may experience file corruption on DUnix 4.0x. But we are not sure whether this will result in the customer's symptom. We have suggested that the customer set vm: new-wire-method=0. But in order to investigate the case more closely, we want to see whether C2 auditing can help to track what object is trying to remove the /bin files or destroying the link. Is it possible to track the events using C2 audit? How? - feynman [Posted by WWW Notes gateway]
T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
9103.1 | | SMURF::SCOTT | | Tue Mar 11 1997 11:12 | 16 |
Regular files get removed via unlink(2). Auditing just unlink will identify the guilty party by the euid and ruid. To pick up the command name, audit also the exec calls and fork. Auditing fork is actually needed only to pick up the command name in the case of a process forking a child (no exec) to perform the unlink. In the Steel release, the command name can optionally be recorded with each event, so it will then be sufficient to audit only the unlink. The Security manual will describe the steps necessary to set up audit and how to read the auditlogs. Hope this helps. larry
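The correlation described in reply 9103.1, as an added example that is not part of the original thread and is not Digital UNIX's own tooling: it walks unlink, exec and fork events in log order and attributes each unlink under /bin to a ruid, euid and command name. The record layout, field names, pids and paths are constructed for illustration and are not the real auditlog format.

```python
# Constructed, simplified audit events (NOT the real Digital UNIX auditlog
# format). Field names and paths are assumptions made for this example.
SAMPLE_EVENTS = [
    {"event": "exec", "pid": 410, "ruid": 200, "euid": 0,
     "path": "/usr/local/bin/cleanup"},
    {"event": "fork", "pid": 410, "child": 411, "ruid": 200, "euid": 0},
    {"event": "unlink", "pid": 411, "ruid": 200, "euid": 0, "path": "/bin/ls"},
    {"event": "exec", "pid": 500, "ruid": 300, "euid": 300, "path": "/bin/rm"},
    {"event": "unlink", "pid": 500, "ruid": 300, "euid": 300,
     "path": "/tmp/scratch"},
    # pid 777 was already running when auditing was switched on
    {"event": "unlink", "pid": 777, "ruid": 0, "euid": 0, "path": "/bin/cat"},
]


def attribute_unlinks(events, watched_prefix="/bin/"):
    """Return one finding per unlink under watched_prefix, in log order."""
    command_by_pid = {}
    findings = []
    for ev in events:
        if ev["event"] == "exec":
            # exec replaces the process image: remember the new command name
            command_by_pid[ev["pid"]] = ev["path"]
        elif ev["event"] == "fork":
            # a child that never execs still runs its parent's command
            parent_cmd = command_by_pid.get(ev["pid"])
            if parent_cmd is None:
                # unknown parent: drop any stale entry left by pid reuse
                command_by_pid.pop(ev["child"], None)
            else:
                command_by_pid[ev["child"]] = parent_cmd
        elif ev["event"] == "unlink" and ev["path"].startswith(watched_prefix):
            findings.append({
                "path": ev["path"],
                "pid": ev["pid"],
                "ruid": ev["ruid"],
                "euid": ev["euid"],
                # None means no exec/fork for this pid was seen in the log
                "command": command_by_pid.get(ev["pid"]),
            })
    return findings


if __name__ == "__main__":
    for f in attribute_unlinks(SAMPLE_EVENTS):
        print(f)
```

With the fork event filtered out of the sample, the /bin/ls removal still shows ruid 200 and euid 0 but loses its command name, which is the case the reply says fork auditing covers.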