Applies to: All versions of Centrify DirectAudit on HPUX platforms.
Question:
It's observed that audited data from one HPUX system is not showing up in Centrify DirectAudit Manager. The Centrify command dainfo --diag (as root) on the audited HPUX system shows that data is being spooled to the Collector correctly. The SQL configuration is also correct. The command dacontrol was run many times to disable and enable audit on the HPUX system. Centrify DirectAudit was restarted on the HPUX system too. Any reason?
Answer:
This can happen under very rare circumstances, and the best way to troubleshoot it is to enable Centrify DirectAudit debug logging. If the following line appears in the debug output, utmp may be corrupt. When this occurs, direct terminal logins are also disabled, and syslog reports "No utmp entries" with the message "You must exec 'login' from the lowest level 'sh'".
May 10 16:04:05 dbdev1 cda.dash[17566]: DEBUG: Runlevel -1 is unacceptable, dropping out.
To confirm that utmp is corrupt, one check is to run # who -r as root (it reports the current run level). If it returns nothing, utmp is corrupt. The best way to fix a corrupt utmp is to schedule a reboot; after the reboot, auditing should work again without any further configuration.
Note: utmp, wtmp, btmp and their variants utmpx, wtmpx and btmpx are files on Unix-like systems that keep track of all logins and logouts on the system.
The utmp file keeps track of the current login state of each user.
The wtmp file records all logins and logouts.
The btmp file records failed login attempts.
Several commands read the information stored in those files, including who (which shows the users currently logged in), last (which shows the most recent logins) and lastb (which shows the most recent failed login attempts).
On HPUX those files are commonly found at the following locations:
/etc/utmp (deprecated), /etc/utmpx
/var/adm/wtmp (deprecated), /var/adm/wtmpx
/var/adm/btmp (deprecated), /var/adm/btmpx
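The check described in the Answer (an empty who -r plus the "Runlevel -1 is unacceptable" debug line), scripted as an added example. This is not Centrify's own tooling; it takes the who -r output and the debug log text as arguments so it can be run against a live HP-UX host or against the constructed samples at the bottom of the script. The verdict names (utmp-corrupt, utmp-suspect, ok) and the sample log lines other than the one quoted in the article are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Centrify article or its tooling: a small
# triage script for the utmp-corruption symptom described in the Answer.
# Each check takes its input as a string so it can be fed live output on the
# HP-UX host (e.g. "$(who -r)" and the contents of the DirectAudit debug log)
# or the constructed samples at the bottom of this file.

# Print the run level found in `who -r` output, or nothing if absent.
# A healthy HP-UX host prints a line like "   .       run-level 3  May 10 09:12".
runlevel_from_who() {
    printf '%s\n' "$1" | sed -n 's/.*run-level \([0-9S]\).*/\1/p' | head -n 1
}

# True (exit 0) when `who -r` output carries no run level: the corrupt-utmp symptom.
utmp_looks_corrupt() {
    [ -z "$(runlevel_from_who "$1")" ]
}

# Count DirectAudit debug lines reporting an unacceptable run level.
# The process name/PID pattern matches the line quoted in the article.
count_runlevel_errors() {
    printf '%s\n' "$1" | grep -c 'cda\.dash\[[0-9]*\]: DEBUG: Runlevel -1 is unacceptable' || true
}

# Combine both checks into a verdict string the operator (or a monitor) can act on.
#   utmp-corrupt : who -r is empty AND dash is dropping out -> schedule a reboot
#   utmp-suspect : only one of the two symptoms present -> keep debug on and re-check
#   ok           : neither symptom present -> look elsewhere (collector, SQL, network)
# The verdict names are this example's own convention, not Centrify's.
triage_utmp() {
    who_output=$1
    debug_log=$2
    errors=$(count_runlevel_errors "$debug_log")
    if utmp_looks_corrupt "$who_output" && [ "$errors" -gt 0 ]; then
        echo utmp-corrupt
    elif utmp_looks_corrupt "$who_output" || [ "$errors" -gt 0 ]; then
        echo utmp-suspect
    else
        echo ok
    fi
}

# Constructed sample inputs (not captured from a real host). The first log
# line is the one quoted in the article; the "healthy" log line is invented.
SAMPLE_WHO_HEALTHY='   .       run-level 3  May 10 09:12    3    0  S'
SAMPLE_WHO_BROKEN=''
SAMPLE_LOG_BROKEN='May 10 16:04:05 dbdev1 cda.dash[17566]: DEBUG: Runlevel -1 is unacceptable, dropping out.
May 10 16:04:35 dbdev1 cda.dash[17566]: DEBUG: Runlevel -1 is unacceptable, dropping out.'
SAMPLE_LOG_HEALTHY='May 10 16:04:05 dbdev1 cda.dash[17566]: DEBUG: (constructed sample line, no run level error)'

# On a live host, replace the samples with the real inputs, for example:
#   triage_utmp "$(who -r)" "$(cat /path/to/directaudit-debug.log)"   # path is a placeholder
echo "healthy host: $(triage_utmp "$SAMPLE_WHO_HEALTHY" "$SAMPLE_LOG_HEALTHY")"
echo "broken host:  $(triage_utmp "$SAMPLE_WHO_BROKEN" "$SAMPLE_LOG_BROKEN")"
```

Running the two checks together matters because an empty who -r alone can also be produced by a wiped or freshly created utmpx, while the debug line alone may be transient; only the combination points firmly at the reboot recommended above.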