dsalas4ac Absent Member.
Absent Member.
1166 views

Filesystem /opt gets full with file transfers


Hello! We have a particular situation with AIX servers having PAM 3.0.1
agents. These servers have only one policy to capture all sessions with
no exceptions.

When a user transfer big files/folders from one server to another, the
agent in the destination server creates some MSQ.tmp/MSQ/MSQ.lck files
in /opt/netiq/npum/service/local/strfwd folder with a size similar to
total transfer. As /opt filesystem is limited (1GB free in some cases),
when we try to transfer files above the available space, the transfer
crashes (lost connection) and fill the /opt filesystem. After some time
(around 30 min) the space decreases. But some times they get stuck
there. That makes not possible to transfer files bigger than available
space in /opt.

Below is an example of the temp files created by the agent:

--rw-r----- 1 root sys 875 Dec 15 2015 module.xml
drwxr-x--- 2 root sys 256 Dec 15 2015 lib
-rw-r--r-- 1 root system 0 Dec 20 10:09 strfwd.db
-rw-r----- 1 root system 122880 Dec 20 10:09 strfwd.ldb
-rw-r----- 1 root system 0 Dec 20 10:15
audit_ns7WiHB7dyKUpTaV8TJl-yaNcDE.MSQ.lck
-rw-r----- 1 root system 0 Dec 20 10:15
audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ.lck
-rw-r----- 1 root system 227122945 Dec 20 10:16
audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ
-rw-r----- 1 root system 0 Dec 20 10:16
audit_ns7WiHB7dyKUpTaV8TJl-yaNcDE.MSQ.tmp
-rw-r----- 1 root system 271188553 Dec 20 10:17
audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ.tmp-


I already reviewed the log searching for errors/warnings but it´s clean.
Also deleted the database files in the agent in case it was corrupted.
Looks like this is the way the agent works.

Is there a way to avoid this situation? We are interested in record the
action of scp/rcp usage but not to capture the files transferred.

Thanks in advance!


--
dsalas4ac
------------------------------------------------------------------------
dsalas4ac's Profile: https://forums.netiq.com/member.php?userid=13040
View this thread: https://forums.netiq.com/showthread.php?t=57089

0 Likes
4 Replies
sharfuddin2 Absent Member.
Absent Member.

Re: Filesystem /opt gets full with file transfers


I would highly recommend you to open a support ticket and update us too.


--
sharfuddin
------------------------------------------------------------------------
sharfuddin's Profile: https://forums.netiq.com/member.php?userid=1016
View this thread: https://forums.netiq.com/showthread.php?t=57089

0 Likes
Highlighted
dsalas4ac Absent Member.
Absent Member.

Re: Filesystem /opt gets full with file transfers


I will do that, thanks!


--
dsalas4ac
------------------------------------------------------------------------
dsalas4ac's Profile: https://forums.netiq.com/member.php?userid=13040
View this thread: https://forums.netiq.com/showthread.php?t=57089

0 Likes
dsalas4ac Absent Member.
Absent Member.

Re: Filesystem /opt gets full with file transfers

I contacted to support and they told us this was caused because transfer protocols (scp, rcp) are not intended to be monitored through pcksh.

They suggested to create a policy with the command "cpcksh -c scp*" and disable session capture (according to them, the command rcp is not supported and has to be avoided) to make an exception for recording that command. With the proper hierarchy of rules, this solution fixed the problem.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Filesystem /opt gets full with file transfers

Thanks for the follow-up 🙂
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.