The audit subsystem in AIX records security-related information and alerts administrators about potential or actual violations of the system security policy. For example, an administrator can detect who modified security-sensitive files on the system, or learn about unsuccessful login or su attempts (which might be someone trying to obtain unauthorized root privileges).
An administrator must also consider protecting the stored audit data from intruders; otherwise the system might be compromised without leaving a trace of what happened. Auditing is a measure that an administrator takes in conjunction with other methods to protect systems from intruders and to trace any intrusion.
The audit subsystem performs the following functions:
- Detecting events
- Collecting event information
- Processing information
Enabling auditing on AIX
The following files on an AIX system are used to enable auditing.
- /etc/security/audit/config - Specifies the events and users that are to be processed by the audit subsystem.
- /etc/security/audit/objects - Contains information about the audited objects (files). The administrator defines here the files that need to be audited.
- /etc/security/audit/events - Lists the system activities (events) that can be audited.
Scope and assumptions
This feature is available from AIX 6.1 TL09 and AIX 7.1 TL03 onwards. Readers are expected to be familiar with AIX auditing and with the LDAP authentication mechanism. This article covers only how to store the AIX audit configuration files on an LDAP server. The feature is currently available only with IBM Tivoli® Directory Server.
Audit configuration on LDAP
This feature provides a facility to store the audit configuration files on the LDAP server. These configuration files can then be downloaded to the LDAP client systems to enable auditing on the clients.
A new command, auditldap, has been introduced to convert the /etc/security/audit/config file to the LDAP Data Interchange Format (LDIF) and upload it to the LDAP server. The auditldap command uses the bind user's distinguished name (DN) and the bind user's password to connect to the LDAP server and upload the configuration file. Only the root user is allowed to run the
Steps to enable AIX audit configuration on LDAP
- The assumption is that you already know how to configure the LDAP server and client. If not, refer to LDAP Server and client configuration using mksecldap command.
By default, when an LDAP server is configured on AIX 6.1 TL09 or a later release, the audit schema is loaded to the LDAP server. If the server was configured at a previous technology level, you need to load the audit schema (see the Download section) to the LDAP server using the
Example: ldapadd -h pci2.in.ibm.com -D cn=admin -w adminpwd -i audit.ldif
After loading, verify that the audit schema is stored on the LDAP server:
Example: ldapsearch -h pci2.in.ibm.com -D cn=admin -w adminpwd -s base -b cn=schema objectclass=* | grep -i ibm-aixAuditConfig
- Run the auditldap command on the LDAP client system to upload the /etc/security/audit/config file to the LDAP server.
auditldap -a -b cn=aixdata -D cn=admin -w adminpwd
After the file is loaded to the LDAP server, any later change to the configuration file can be pushed to the LDAP server using the auditldap command with the
auditldap -u -b o=ibm -D cn=admin -w adminpwd -f /etc/security/audit/config
- After loading the audit configuration files, either reconfigure the LDAP client with the mksecldap command or manually add the auditconfdn and auditclassdn base DN entries to the /etc/security/ldap/ldap.cfg file, and then restart the LDAP client daemon.
mksecldap -c -h <ldap servername> -a <bind dn> -p <bindpwd> -S <schema>
or add the following to /etc/security/ldap/ldap.cfg:
# Base DN where audit config data are stored on the LDAP server.
auditconfdn:ou=auditconfig,ou=audit,cn=aixdata
auditclassdn:ou=auditclassstanza,ou=audit,cn=aixdata
- Use the following command to restart the LDAP client daemon.
- Use the lsldap command to verify the audit classes and configuration file information on the LDAP server. The following command displays the audit class information that is stored on the LDAP server.
#lsldap -a auditclass
The following command lists the audit configuration information that is stored on the LDAP server.
#lsldap -a auditconfig
Note: Currently, the auditldap command allows you to load only one configuration file on the LDAP server. The default configuration file name is config.
Loading audit configuration files on the LDAP client
A new stanza has been introduced in the /etc/nscontrol.conf file to control whether the audit configuration file is processed from the LDAP or the files load module when auditing is enabled. Set the secorder attribute value to LDAP under the auditconfig stanza in the /etc/nscontrol.conf file to download the configuration file from the LDAP server to the LDAP client. The audit start command reads the /etc/nscontrol.conf file and loads the configuration file based on the
Example: # tail -f /etc/nscontrol.conf
auditconfig:
secorder = LDAP,files
After defining the secorder value, run the audit start command to start auditing on the LDAP client systems.
Table 1. Precedence order based on secorder

| secorder value | audit start | Remarks |
|---|---|---|
| files | Collects the information from the /etc/security/audit/config file on that system. | N/A |
| LDAP | Collects the information from the LDAP server's | Note: All configuration information is downloaded from LDAP to the LDAP client except |
| LDAP, files | First collects all the information from the LDAP server's | Note: If audit classes with the same name, say "general", are defined on both LDAP and files, then the |
| files, LDAP | First collects all the information from the /etc/security/audit/config file. Only those classes that are not defined in the file are taken from the LDAP server. | It loads only the first 32 classes to the kernel. |
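To make the secorder precedence concrete, here is an added example (not from the article or from AIX itself) that simulates how audit start could merge class stanzas from LDAP and from /etc/security/audit/config according to the auditconfig stanza of /etc/nscontrol.conf. It generalizes the files, LDAP row of Table 1 to any order, assuming that the first-listed source wins for a class defined in both and that only the first 32 classes reach the kernel; the parse_secorder, merge_classes and kernel_classes functions and the sample stanzas are constructed for this example.

```python
# Added example (not from the article or from AIX): simulates the secorder precedence
# that audit start applies to audit classes. Assumptions are marked in comments.

KERNEL_CLASS_LIMIT = 32  # Table 1: only the first 32 classes are loaded to the kernel

# Constructed sample of the auditconfig stanza in /etc/nscontrol.conf.
SAMPLE_NSCONTROL = """\
* audit configuration source order
auditconfig:
    secorder = LDAP,files
"""

def parse_secorder(nscontrol_text):
    """Return the secorder list from the auditconfig stanza, e.g. ['LDAP', 'files'].
    Assumption: without an auditconfig stanza only the local file is used."""
    in_stanza = False
    for raw in nscontrol_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # assumed '*' comment lines
            continue
        if line.endswith(":"):                      # a new stanza header
            in_stanza = (line[:-1] == "auditconfig")
        elif in_stanza and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "secorder":
                return [src.strip() for src in value.split(",") if src.strip()]
    return ["files"]

def merge_classes(secorder, sources):
    """Merge {source: {class: [events]}} in secorder order.
    Assumption (generalizing the files,LDAP row of Table 1): the first source
    that defines a class name wins; later sources only add classes not yet seen."""
    merged = {}
    for src in secorder:
        for name, events in sources.get(src, {}).items():
            merged.setdefault(name, list(events))
    return merged

def kernel_classes(merged):
    """Split merged classes into those loaded to the kernel and those dropped
    because of the 32-class limit (insertion order is the merge order)."""
    names = list(merged)
    return names[:KERNEL_CLASS_LIMIT], names[KERNEL_CLASS_LIMIT:]

# Constructed class stanzas: 'general' is defined on both sources.
SAMPLE_SOURCES = {
    "LDAP":  {"general": ["USER_LOGIN", "USER_SU"], "ldaponly": ["FILE_Open"]},
    "files": {"general": ["USER_LOGIN"], "localonly": ["PROC_Execute"]},
}

if __name__ == "__main__":
    order = parse_secorder(SAMPLE_NSCONTROL)
    print(order, kernel_classes(merge_classes(order, SAMPLE_SOURCES)))
```

Classes beyond the 32nd are reported in the dropped list, which is the check to run before assuming a class defined on the LDAP server is actually active in the client kernel.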
Currently, any change to the /etc/security/audit/config file requires the audit daemon to be restarted for the change to take effect. This feature allows you to store the /etc/security/audit/config file on the LDAP server, but for a change on the LDAP server to take effect on an LDAP client, you still need to restart the audit daemon on that client. Restarting the audit daemon on every LDAP client for each change becomes a burden. The following attributes were introduced in the /etc/security/ldap/ldap.cfg file to resolve this.
auditpolicy
This attribute defines the action to be taken when there is any change in the audit configuration on the LDAP server. It is effective only when the auditinterval attribute is set. The auditpolicy attribute takes two values, WARN and RESTART.
WARN: whenever there is a change in the audit configuration on the LDAP server, a message is logged in the syslog file. This helps the administrator to restart auditing on the LDAP client.
RESTART: whenever there is a change in the audit configuration on the LDAP server, auditing is restarted automatically by restarting the audit daemon on the LDAP client.
auditrefresh
This attribute defines the interval at which the LDAP client checks for audit configuration changes on the LDAP server. The auditrefresh attribute accepts the value in seconds, and '0' means that it is disabled. When the auditrefresh attribute is set, it is time for the secldapclntd daemon to take action as per auditpolicy; that is, whenever the audit configuration changes on the LDAP server, on the basis of the auditpolicy attribute it restarts auditing or just logs a message in syslog. Time can be represented in seconds or in the 24-hour format; however, if the time is in the 24-hour format, it must start with 'T'.
Note: You need to enable the auditpolicy attribute on the LDAP client. By default, it is disabled.
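The following added example (not from the article or from AIX) models how secldapclntd could act on the auditpolicy and auditrefresh attributes described above. It assumes that a 24-hour auditrefresh value is written as "THH:MM" (the article only says it starts with 'T'), that a change is detected by hashing the configuration fetched from LDAP, and that syslog logging and the daemon restart are represented by returned action names; parse_ldap_cfg, parse_auditrefresh, config_digest and refresh_action are constructed for this example.

```python
# Added example (not from the article or from AIX): models one refresh pass of
# secldapclntd driven by auditpolicy / auditrefresh in /etc/security/ldap/ldap.cfg.
import hashlib

# Constructed sample of the relevant ldap.cfg lines.
SAMPLE_LDAP_CFG = """\
# audit configuration refresh (constructed sample)
auditpolicy:WARN
auditrefresh:300
"""

def parse_ldap_cfg(text):
    """Return {key: value} for 'key:value' lines, ignoring '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def parse_auditrefresh(value):
    """Return ('disabled', None), ('seconds', n) or ('daily', 'HH:MM')."""
    value = value.strip()
    if value[:1].upper() == "T":                     # 24-hour format, assumed THH:MM
        hours, minutes = (int(part) for part in value[1:].split(":"))
        if not (0 <= hours < 24 and 0 <= minutes < 60):
            raise ValueError(f"bad 24-hour time: {value}")
        return ("daily", f"{hours:02d}:{minutes:02d}")
    seconds = int(value)
    return ("disabled", None) if seconds == 0 else ("seconds", seconds)

def config_digest(ldap_config_text):
    """Fingerprint of the audit configuration as fetched from the LDAP server."""
    return hashlib.sha256(ldap_config_text.encode()).hexdigest()

def refresh_action(cfg, last_digest, ldap_config_text):
    """Decide what one refresh pass does: 'noop', 'syslog-warning' or 'restart-audit'."""
    mode, _ = parse_auditrefresh(cfg.get("auditrefresh", "0"))
    if mode == "disabled":                           # auditpolicy is inert without an interval
        return "noop"
    if config_digest(ldap_config_text) == last_digest:
        return "noop"                                # nothing changed on the LDAP server
    policy = cfg.get("auditpolicy", "").upper()      # disabled by default on the client
    if policy == "RESTART":
        return "restart-audit"
    if policy == "WARN":
        return "syslog-warning"                      # an operator still has to act on it
    return "noop"
```

With WARN, the change is only visible in syslog, so the message should be forwarded to wherever the team watches logs; with RESTART, a short gap in audit coverage during the daemon restart is the trade-off.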
- See an overview of AIX Audit subsystem.
- Find more details about the auditldap command.
Download
Audit schema file: audit.zip (1 KB)