Trusted Solaris Audit Administration

To Clean Up a not_terminated Audit File

  1. As role admin, at label admin_high, check the /etc/security/audit_data file to determine the process number of the currently running audit daemon.

    If that process is still running, and if the file name in audit_data(4) is the same as the file in question, do not clean the file.

  2. Issue the command auditreduce with the -O (capital o) option.

  3. Provide the workstation name as the argument to -O, and the incomplete file name as the file operand. To have the original file deleted as well, add the -D option.


    $ auditreduce -O workstation 19970413120429.not_terminated.workstation

    This command creates a new audit file with the correct name, repairs the pointers to other files, and copies all the records into the new file. The end-time in the new name is the time at which the command was run; the suffix is the workstation name that was given explicitly to -O.

  4. If you did not use the -D option, verify that the new file contains the original file's records, then delete the original file.


    $ ls -l 19970413120429*.workstation
    $ rm 19970413120429.not_terminated*
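
The check in step 1 is the part of this procedure that protects a live audit trail: a not_terminated file is only safe to rewrite if the audit daemon named in audit_data(4) has exited, or if it is writing a different file. The following POSIX sh helper is an added example, not part of the Trusted Solaris manual or of auditreduce itself. It assumes the audit_data(4) format of a single `pid:pathname` line and reads a constructed copy of that file rather than /etc/security/audit_data; the function and file names are the example's own.

```shell
# Added example (not from the Trusted Solaris manual): a POSIX sh helper that
# performs the step 1 safety check before a not_terminated file is touched.
# audit_data(4) holds one line of the form "pid:pathname", where pid is the
# audit daemon and pathname is the audit file it is currently writing.

# Print the pid recorded in an audit_data file (first colon-separated field).
audit_data_pid() {
    cut -d: -f1 "$1"
}

# Print the pathname recorded in an audit_data file (everything after the first colon).
audit_data_file() {
    cut -d: -f2- "$1"
}

# Return 0 if a process with the given pid exists. A non-numeric or empty pid
# counts as "not running". kill -0 fails with EPERM for another user's process,
# so fall back to /proc, which exists on both Solaris and Linux.
pid_is_running() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# Usage: audit_file_safe_to_clean <audit_data file> <not_terminated file>
# Returns 0 when the file may be cleaned with auditreduce -O, and 1 when the
# daemon recorded in audit_data is still alive and still writing that file.
# Basenames are compared so the check works whether the operator passes a
# relative name from /var/audit or a full path.
audit_file_safe_to_clean() {
    audit_data=$1
    candidate=$2
    pid=$(audit_data_pid "$audit_data")
    current=$(audit_data_file "$audit_data")

    if [ "$(basename "$current")" = "$(basename "$candidate")" ] && pid_is_running "$pid"; then
        echo "refusing: audit daemon pid $pid is still writing $current" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on a constructed audit_data file. The running shell
# stands in for the audit daemon, so the check must refuse the current file.
demo() {
    dir=$(mktemp -d)
    f="$dir/19970413120429.not_terminated.workstation"
    printf '%s:%s\n' "$$" "$f" > "$dir/audit_data"
    if audit_file_safe_to_clean "$dir/audit_data" "$f"; then
        echo "safe to run: auditreduce -O workstation -D $f"
    else
        echo "leave $f alone; the daemon has not closed it"
    fi
    rm -r "$dir"
}
```

On a real system the helper would be run as role admin at admin_high against /etc/security/audit_data, and only on a "safe" result would the auditreduce command from step 3 follow.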