Hello! We have a particular situation with AIX servers having PAM 3.0.1 agents. These servers have only one policy to capture all sessions with no exceptions.
When a user transfers big files/folders from one server to another, the agent on the destination server creates some MSQ.tmp/MSQ/MSQ.lck files in the /opt/netiq/npum/service/local/strfwd folder, with a total size similar to that of the transfer. As the /opt filesystem is limited (1 GB free in some cases), when we try to transfer files larger than the available space, the transfer crashes (lost connection) and fills the /opt filesystem. After some time (around 30 min) the space usage decreases, but sometimes the files get stuck there. That makes it impossible to transfer files bigger than the available space in /opt.
Below is an example of the temp files created by the agent:
-rw-r-----   1 root  sys          875 Dec 15  2015 module.xml
drwxr-x---   2 root  sys          256 Dec 15  2015 lib
-rw-r--r--   1 root  system         0 Dec 20 10:09 strfwd.db
-rw-r-----   1 root  system    122880 Dec 20 10:09 strfwd.ldb
-rw-r-----   1 root  system         0 Dec 20 10:15 audit_ns7WiHB7dyKUpTaV8TJl-yaNcDE.MSQ.lck
-rw-r-----   1 root  system         0 Dec 20 10:15 audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ.lck
-rw-r-----   1 root  system 227122945 Dec 20 10:16 audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ
-rw-r-----   1 root  system         0 Dec 20 10:16 audit_ns7WiHB7dyKUpTaV8TJl-yaNcDE.MSQ.tmp
-rw-r-----   1 root  system 271188553 Dec 20 10:17 audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ.tmp
I already reviewed the log searching for errors/warnings, but it's clean. I also deleted the database files on the agent in case they were corrupted. It looks like this is simply the way the agent works.
Is there a way to avoid this situation? We are interested in recording the use of scp/rcp, but not in capturing the files transferred.
I contacted support and they told us this was caused because transfer protocols (scp, rcp) are not intended to be monitored through pcksh.
They suggested creating a policy with the command "cpcksh -c scp*" and disabling session capture for it (according to them, the rcp command is not supported and has to be avoided), so that this command is recorded but not captured. With the proper hierarchy of rules, this solution fixed the problem.