IBM Support

AIX AUDIT: Resolving auditbin failed backend command bin file errors

Question & Answer


Question

How can I resolve the following error?
auditbin: ** failed backend command /etc/auditcat -p -o /audit/trail -r /audit/bin1

Cause

This error might occur when the bin files are out of sync. 

Answer

1) Check the shutdown script
 - Make sure /etc/rc.shutdown shuts down the audit subsystem:
#!/bin/ksh
....
/usr/sbin/audit shutdown

2) Check the /audit directory
 - A separate file system is recommended
 - Permissions should be 755
 - Check the file system space with the 'df' command.

3) Stop the auditing subsystem
# /usr/sbin/audit shutdown
Expected: 
auditing reset

4) Confirm that the auditing subsystem is turned off
# /usr/sbin/audit query | grep audit
Expected: 
auditing off
audit events:
audit objects:

5) Move the audit files
# mv /audit/bin1 /audit/bin1.save
# mv /audit/bin2 /audit/bin2.save
# mv /audit/trail /audit/trail.save

6) Make sure the "active" audit indicator file (auditb) was removed with the audit shutdown
# ls -l /audit/auditb
Expected: 
/audit/auditb not found

7) Restart the audit subsystem
# /usr/sbin/audit start
# ls -l /audit
Expected: 
-r--------    1 root     system            0 Dec 16 14:28 auditb
-rw-rw----    1 root     system            0 Dec 16 14:28 bin1
-rw-rw----    1 root     system            0 Dec 16 14:23 bin1.save
-rw-rw----    1 root     system         5960 Dec 16 14:28 bin2
-rw-rw----    1 root     system            0 Dec 16 14:23 bin2.save
-r--r-----    1 root     system         7951 Dec 16 14:28 trail
-rw-r-----    1 root     system      2133034 Dec 16 14:23 trail.save

8) Confirm that the audit subsystem started
# /usr/sbin/audit query | grep audit
Expected: 
auditing on
audit bin manager is process <PID>
audit events:
      <...>
audit objects:
         <...>

** To check the status after a reboot:

9) Restart the system
# shutdown -Fr
Expected: 
SHUTDOWN PROGRAM
Tue Apr 7 11:04:27 CEST 2020
auditing reset
0513-044 The sshd Subsystem was requested to stop.
Wait for 'Rebooting...' before stopping.
Error reporting has stopped.
Advanced Accounting has stopped...
Process accounting has stopped.
nfs_clean: Stopping NFS/NIS Daemons
....

10) Check the audit subsystem
# /usr/sbin/audit query | grep audit
Expected: 
auditing on
audit bin manager is process <PID>
audit events:
      <...>
audit objects:
         <...>
# ls -l /audit
Expected: 
total <...>
-rw-------   1 root    system           0 Dec 16 11:06 auditb
-rw-rw----   1 root    system           0 Dec 16 11:06 bin1
-rw-rw----   1 root    system           0 Dec 16 11:02 bin1.sav
-rw-rw----   1 root    system        6885 Dec 16 11:11 bin2
-rw-rw----   1 root    system           0 Dec 16 11:02 bin2.sav
-rw-------   1 root    system    13209614 Dec 16 11:06 trail
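
The read-only checks from steps 1, 2, 4 and 6 can be collected into one pre-flight script to run before moving the bin and trail files. This is an added example, not IBM's code: the function names are hypothetical, and it assumes `df -P` and the 10-character mode string from `ls -ld` are available on the host.

```sh
#!/bin/sh
# Added example (not IBM's code): read-only pre-flight checks for steps 1, 2, 4 and 6.
# Function names are hypothetical; paths are parameters so a scratch tree can be used.

# Step 1: rc.shutdown must contain an uncommented "/usr/sbin/audit shutdown" line.
has_shutdown_hook() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -q '/usr/sbin/audit[[:space:]][[:space:]]*shutdown'
}

# Step 2: the audit directory must exist with mode 755 (drwxr-xr-x).
dir_mode_ok() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "drwxr-xr-x" ]
}

# Steps 4 and 8: reduce `audit query` output (on stdin) to on, off or unknown.
audit_state() {
    awk '$1 == "auditing" && ($2 == "on" || $2 == "off") { s = $2 }
         END { print (s == "" ? "unknown" : s) }'
}

# Step 6: auditb should have been removed by the audit shutdown; succeed (flag it)
# if it is still present while auditing is off. $1 = audit dir, $2 = state.
stale_indicator() {
    [ "$2" = "off" ] && [ -e "$1/auditb" ]
}

# Run every check, print one line each, return the number of failed checks.
audit_preflight() {   # $1 = rc.shutdown path, $2 = audit dir, $3 = on|off|unknown
    fails=0
    if has_shutdown_hook "$1"; then echo "OK   shutdown hook found in $1"
    else echo "FAIL no 'audit shutdown' in $1"; fails=$((fails + 1)); fi
    if dir_mode_ok "$2"; then echo "OK   $2 is mode 755"
    else echo "FAIL $2 missing or not mode 755"; fails=$((fails + 1)); fi
    if stale_indicator "$2" "$3"; then
        echo "FAIL $2/auditb present while auditing is off"; fails=$((fails + 1))
    else echo "OK   no stale auditb (auditing $3)"; fi
    # Informational only: file system usage for the audit directory.
    df -Pk "$2" 2>/dev/null | awk 'NR == 2 { print "INFO " $6 " is " $5 " used" }'
    return "$fails"
}

# On a host that has the audit command, check the paths used on this page.
if [ "$#" -eq 0 ] && [ -x /usr/sbin/audit ]; then
    audit_preflight /etc/rc.shutdown /audit "$(/usr/sbin/audit query | audit_state)"
fi
```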

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  
 

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

 

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
25 May 2023

UID

ibm16536722