Symantec Privileged Access Management

  • 1.  SeOS Audit logs filtration

    Posted Sep 09, 2016 10:40 AM

    Hi,

     

    We have an audit rule configured for some of the critical file systems on a Linux server.

    Since we have thousands of read operations on those file systems, the audit log reaches its maximum limit very fast and we are unable to get the important logs.

    Even if we keep audit_log_size=100MB, it reaches the maximum limit in 10 mins.

    I would like to know if we can filter the logs or ignore the read operations so that we can get some quality audit logs.

     

    I see the only options for the audit log are: none | all | success | failure

     

    Thanks in advance for any suggestions on this.

     

    Thanks

    VOLVOCARS



  • 2.  Re: SeOS Audit logs filtration

    Broadcom Employee
    Posted Sep 12, 2016 05:15 AM

    Hello Team,

     

    Currently, what logs are you filtering? Meaning, are you filtering/stopping successes or failures?

     

    Also, you can enable only failure audit logs for the resources which are protected; this would also avoid the creation of successful-access logs.

     

    Maybe you can share your filter here?

     

    Thanks,

    Reatesh.



  • 3.  Re: SeOS Audit logs filtration

    Posted Sep 12, 2016 08:04 AM

    Hi Reatesh,

     

    The actual issue is,

     

    File permissions are getting changed automatically on some of the important files, so we want to capture this change.

    Only failure does not show how the permission got changed.

    Since this has happened many times, it caused the database to go down and the issue became very critical.

    If we can find out how the permission is getting changed, we can apply a fix for this.

     

    Thanks

    VOLVOCARS




  • 4.  Re: SeOS Audit logs filtration

    Broadcom Employee
    Posted Sep 12, 2016 08:26 AM

    Hi,

     

    Could you tell us where you defined

     

    audit_log_size=100MB

     

    Also, when you mention :

     

    "audit rule configured for some of the critical file system on Linux server"

     

    do you mean you're using an audit tool for the file systems?

     

    Or do you mean the audit feature in SiteMinder, where you write
    the audit data to files or to a database?

     

    Best Regards,
    Patrick



  • 5.  Re: SeOS Audit logs filtration

    Posted Sep 13, 2016 04:12 AM

    Hi Patrick,

     

    I have specified audit_log_size=100MB in the seos.ini file.

    We are only using SeOS audit functionality on other system involved here.

     

    Thanks 



  • 6.  Re: SeOS Audit logs filtration

    Broadcom Employee
    Posted Sep 12, 2016 12:27 PM

    Hello Team,

     

    Why are you suspecting ControlMinder is the one causing the file permission change?

    Are these executable program files or regular files?

    Did you find any pattern or any specific activity after which the change in permissions was noticed?

    Since you currently have the audit mode set to ALL, can you share the audit log snippet where you are able to capture the permission change?

     

    Thanks,

    Reatesh. 



  • 7.  Re: SeOS Audit logs filtration

    Posted Sep 13, 2016 03:53 AM

    Hi Reatesh,

     

    Recently, due to a file permission change, we had an issue where the database was down.

    Now, since this has happened many times, management wants us to put an audit on these files to see why these permissions are getting changed.

     

    Challenge here is:

     

    These files are many in number and auditing on a per-file basis won't be feasible.

    Management wants to cover all the critical files in many different directories.

    I have put an audit on the directories, but since there are many operations, we are not able to get the logs on
    how the permissions got changed, as the log fills up immediately.

     

    You can see the audit results below; we have results in lakhs, but still we can't see all the results.

     

    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1256/out/41502518022014311412416920141216213402 /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/hr/vcc857p/out/FXP_PersonnelData_20131202235738.txt.pgp /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/sd/vcc1607/out/C_Dealer_No_315_Invoice_No_0095201188_20160823_Z050.pdf /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1299/out/SEPV03_2014-04-18_0602.TXT /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1256/out/4900133424201428966520141216213408 /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/sd/vcc1607/out/C_Dealer_No_393_Invoice_No_0095201186_20160823_Z050.pdf /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/hr/vcc857p/out/FXP_PersonnelData_20131203224740.txt.pgp /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1256/out/49001347562014F23357220141216213415 /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1299/out/SEPV02_2014-04-18_0602.TXT /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/sd/vcc1607/out/C_Dealer_No_45_Invoice_No_0095201185_20160823_Z050.pdf /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/hr/vcc857p/out/FXP_PersonnelData_20131204224630.txt.pgp /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1256/out/41502356902014201401456820141216213418 /bin/chmod _CRONJOB_ root
    13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1299/out/SEPV01_2014-04-18_0602.TXT /bin/chmod _CRONJOB_ root

    Total records displayed 352796
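    The records above all share one source (Chmod, /bin/chmod, _CRONJOB_), which is why the log fills before a different change can be seen. A defender-side way to cope while the product question is open is to post-process the seaudit output: parse the records, count which (event, program, terminal) source dominates, and drop only that known noise so any remaining permission changes stand out. The following is an added example written for this thread, not code from the original posts or from the SeOS/ControlMinder product. It assumes the field layout seen in the posted lines (date, time, status, class, user, event, two numeric codes whose meaning the thread does not state, resource, program, terminal, effective user); the first three sample records are copied from the thread and the last two are constructed, as is the trailer line, to show a non-cron chmod surviving the filter.

```python
"""Separate routine cron-driven chmod records from other permission changes
in seaudit-style FILE output.

Added example for the thread above; not product code. The record layout is
an assumption derived from the lines posted in the thread:
  <dd> <Mon> <yyyy> <hh:mm:ss> <status> <class> <user> <event> <n1> <n2>
  <resource> <program> <terminal> <effective-user>
The two numeric fields ("59 3") are kept verbatim; their meaning is not
stated on the page.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed sample: the first three records are copied from the thread,
# the last two records and the trailer line are constructed for the example.
SAMPLE_LOG = """\
13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1256/out/41502518022014311412416920141216213402 /bin/chmod _CRONJOB_ root
13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/hr/vcc857p/out/FXP_PersonnelData_20131202235738.txt.pgp /bin/chmod _CRONJOB_ root
13 Sep 2016 09:33:36 P FILE root Chmod 59 3 /pi_files/prod/fi/vcc1299/out/SEPV03_2014-04-18_0602.TXT /bin/chmod _CRONJOB_ root
13 Sep 2016 09:41:02 P FILE dbadmin Chmod 59 3 /pi_files/prod/db/control/listener.ora /bin/chmod pts/4 root
13 Sep 2016 09:45:17 P FILE root Chmod 59 3 /pi_files/prod/db/control/tnsnames.ora /usr/local/bin/rotate.sh _CRONJOB_ root
Total records displayed 5
"""

# One record per line; resource paths in the thread contain no spaces, so
# every field is a run of non-whitespace.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<status>\S+) (?P<cls>\S+) (?P<user>\S+) (?P<event>\S+) "
    r"(?P<n1>\d+) (?P<n2>\d+) (?P<resource>\S+) (?P<program>\S+) "
    r"(?P<terminal>\S+) (?P<euser>\S+)$"
)


@dataclass(frozen=True)
class FileRecord:
    ts: str
    status: str
    cls: str
    user: str
    event: str
    codes: tuple  # the two numeric fields, kept as-is
    resource: str
    program: str
    terminal: str
    euser: str


def parse_records(text):
    """Parse seaudit-style FILE lines; non-matching lines (e.g. the
    'Total records displayed' trailer) are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        records.append(FileRecord(
            ts=g["ts"], status=g["status"], cls=g["cls"], user=g["user"],
            event=g["event"], codes=(g["n1"], g["n2"]),
            resource=g["resource"], program=g["program"],
            terminal=g["terminal"], euser=g["euser"],
        ))
    return records


def summarize(records):
    """Count records by (event, program, terminal) to show which source
    is responsible for the bulk of the volume."""
    return Counter((r.event, r.program, r.terminal) for r in records)


# The one source the thread identifies as routine. Anything else is kept.
KNOWN_NOISE = {("Chmod", "/bin/chmod", "_CRONJOB_")}


def filter_known_noise(records, noise=KNOWN_NOISE):
    """Return every record whose (event, program, terminal) is not a
    known routine source; this is what an analyst should review."""
    return [r for r in records if (r.event, r.program, r.terminal) not in noise]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for source, n in summarize(recs).most_common():
        print(f"{n:>6}  {source}")
    print("--- records to review ---")
    for r in filter_known_noise(recs):
        print(r.ts, r.user, r.event, r.resource, r.program, r.terminal)
```

    Run against real seaudit output, the summary is the first thing to look at: if one (event, program, terminal) triple accounts for nearly all records, that is the source to exclude, and the short list that survives the filter is where a changed permission on a database control file would show up. The filter is deliberately narrow (exact program and terminal), so a chmod issued from a login shell or from a different script is never dropped.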



  • 8.  Re: SeOS Audit logs filtration
    Best Answer

    Broadcom Employee
    Posted Sep 23, 2016 03:22 AM

    Hello Team,

     

    Please open a support case and provide the case number so we can work on it.

     

    Thanks,

    Reatesh.