Hello! We have a particular situation with AIX servers having PAM 3.0.1
agents. These servers have only one policy to capture all sessions with
no exceptions.

When a user transfer big files/folders from one server to another, the
agent in the destination server creates some MSQ.tmp/MSQ/MSQ.lck files
in /opt/netiq/npum/service/local/strfwd folder with a size similar to
total transfer. As /opt filesystem is limited (1GB free in some cases),
when we try to transfer files above the available space, the transfer
crashes (lost connection) and fill the /opt filesystem. After some time
(around 30 min) the space decreases. But some times they get stuck
there. That makes not possible to transfer files bigger than available
space in /opt.

Below is an example of the temp files created by the agent:

--rw-r----- 1 root sys 875 Dec 15 2015 module.xml
drwxr-x--- 2 root sys 256 Dec 15 2015 lib
-rw-r--r-- 1 root system 0 Dec 20 10:09 strfwd.db
-rw-r----- 1 root system 122880 Dec 20 10:09 strfwd.ldb
-rw-r----- 1 root system 0 Dec 20 10:15
audit_ns7WiHB7dyKUpTaV8TJl-yaNcDE.MSQ.lck
-rw-r----- 1 root system 0 Dec 20 10:15
audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ.lck
-rw-r----- 1 root system 227122945 Dec 20 10:16
audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ
-rw-r----- 1 root system 0 Dec 20 10:16
audit_ns7WiHB7dyKUpTaV8TJl-yaNcDE.MSQ.tmp
-rw-r----- 1 root system 271188553 Dec 20 10:17
audit_1gwTQJHI9oNArejuu80is1f3Kns.MSQ.tmp-


I already reviewed the log searching for errors/warnings but its clean.
Also deleted the database files in the agent in case it was corrupted.
Looks like this is the way the agent works.

Is there a way to avoid this situation? We are interested in record the
action of scp/rcp usage but not to capture the files transferred.

Thanks in advance!


--
dsalas4ac
------------------------------------------------------------------------
dsalas4ac's Profile: https://forums.netiq.com/member.php?userid=13040
View this thread: https://forums.netiq.com/showthread.php?t=57089