Trusted Solaris Audit Administration

Cleaning up an Audit File Marked not_terminated

Occasionally, if an audit daemon dies while its audit file is still open, or a server becomes inaccessible and forces the workstation to switch to a new server, an audit file remains in which the end-time in the file name remains the string not_terminated, even though the file is no longer used for audit records.

The auditreduce(1M) command processes files marked not_terminated, but because such files may contain incomplete records at the end, future processing may generate errors. To avoid errors, clean the incomplete file with the -O option of auditreduce. This creates a new file containing all the records that were in the old one, but with a proper file name time stamp. This operation loses the previous file pointer that's kept at the beginning of each audit file.

To Clean Up a not_terminated Audit File

  1. As role admin, at label admin_high check the /etc/security/audit_data file to determine the current process number of the audit daemon.

    If that process is still running, and if the file name in audit_data(4) is the same as the file in question, do not clean the file.

  2. Issue the command auditreduce with the -O (capital o) option.

  3. Provide the workstation name as the argument to -O, and the incomplete file name. To delete the original record, use the -D option.

    $ auditreduce -O workstation 19970413120429.not_terminated.workstation

    This creates a new audit file with the correct name, cleans up pointers to other files, and copies all the records to the new file. The end-time is the time when the command was executed; the correct suffix is workstation, explicitly specified.

  4. If you did not use the -D option, verify that the new file contains the original file's records, then delete the original file.

    $ ls -l 19970413120429*.workstation
    $ rm 19970413120429.not_terminated*
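The four steps above, carried out with the guard from step 1 in front of the cleanup, as an added shell example that is not part of the Trusted Solaris documentation. It assumes the audit_data(4) file holds a single pid:pathname line, that the workstation suffix is the last dot-separated field of the audit file name, and that auditreduce -O writes the new file into the current directory (hence the cd into the file's directory); the AUDIT_DATA and AUDITREDUCE variables exist only so the script can be exercised against a stand-in binary and are not auditreduce options.

```shell
#!/bin/sh
# Added example: guard and clean one not_terminated audit file.
# Assumed: audit_data(4) contains one "pid:pathname" line; the suffix is the
# last field of start.end.suffix; AUDITREDUCE may point at a stand-in binary.

AUDIT_DATA=${AUDIT_DATA:-/etc/security/audit_data}
AUDITREDUCE=${AUDITREDUCE:-auditreduce}

# Step 1: return 0 only when cleaning cannot race the live daemon, that is,
# when the daemon is gone or is writing a different file. Return 1 if the
# daemon is still running and audit_data still names this very file.
safe_to_clean() {
    file=$1
    [ -r "$AUDIT_DATA" ] || { echo "cannot read $AUDIT_DATA" >&2; return 2; }
    pid=$(cut -d: -f1 "$AUDIT_DATA")
    current=$(cut -d: -f2- "$AUDIT_DATA")
    if kill -0 "$pid" 2>/dev/null &&
       [ "$(basename "$current")" = "$(basename "$file")" ]; then
        return 1
    fi
    return 0
}

# Derive the -O argument: "workstation" in 19970413120429.not_terminated.workstation.
suffix_of() {
    name=$(basename "$1")
    case "$name" in
        *.not_terminated.*) echo "${name##*.}" ;;
        *) echo "not a not_terminated audit file: $name" >&2; return 1 ;;
    esac
}

# Steps 2-4: run auditreduce -O, confirm a non-empty replacement with a proper
# end-time exists, and only then remove the original. Prints the new file name.
clean_not_terminated() {
    file=$1
    safe_to_clean "$file" || return $?
    suffix=$(suffix_of "$file") || return 1
    start=$(basename "$file" | cut -d. -f1)
    dir=$(dirname "$file")
    ( cd "$dir" && "$AUDITREDUCE" -O "$suffix" "$(basename "$file")" ) || return 1
    # The cleaned file is start.<14-digit end time>.suffix; the glob skips
    # the original because its middle field starts with "n", not a digit.
    new=$(ls "$dir"/"$start".[0-9]*."$suffix" 2>/dev/null | head -n 1)
    if [ -z "$new" ] || [ ! -s "$new" ]; then
        echo "no cleaned file found for $file; original kept" >&2
        return 1
    fi
    rm "$file"
    echo "$new"
}
```

Run it as role admin at label admin_high, e.g. `clean_not_terminated /etc/security/audit/workstation/files/19970413120429.not_terminated.workstation` (a constructed path). The script refuses to touch a file that audit_data still names while the daemon's pid is alive, and it keeps the original whenever no replacement with a real end-time appears, so a failed auditreduce run never costs the records.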