
Use auditing to track reads and writes in a file

Ashish Nainwal (nainwal@in.ibm.com), System Administrator, IBM
Ashish Nainwal is an AIX security support specialist and system administrator at IBM India Systems and Technology Lab. He has been one of the focal points in AIX security in his two years with AIX. Ashish has also been involved in various System p™ administration activities and has diverse experience with customers. You can contact him at anainwal@in.ibm.com.

Summary: In this article, discover how to track several events on AIX® with auditing, a major feature of AIX security, and learn how to use auditing to keep track of the read and write operations on a file. Also examine commands, such as ls or istat, to check a file's time stamp.

Date:  07 Aug 2007
Level:  Intermediate
Also available in:   Chinese  Russian


Introduction


AIX® provides easy ways to track the last time a file was accessed. The ls command is one example. But sometimes you want to know who, or which process, accessed the file. You might need such information for debugging or keeping track of important files. You can track information related to read and write operations on a file with the help of auditing.

In AIX, the auditing subsystem is intended to record security-related information and to alert administrators to security breaches. You can customize the configuration and objects files used by the auditing subsystem to keep track of any file you want. You can also use auditing's real-time monitoring to keep track of processes and files that are being modified at random by unidentified processes.

Tracking

There are no special requirements for tracking files; all you need is a normal AIX system with root access. The audit command grants execute permission to the root user and to members of the audit group, so a non-root user must be a member of the audit group to run auditing on a system.

The high-level steps for tracking files are:

  1. Configuring the audit subsystem
  2. Monitoring output

Configuring the audit subsystem

Configuring the audit subsystem requires making specific entries in the objects and configuration files that the audit subsystem uses to generate the results.

In this scenario, you're tracking the /home/test.txt file. To configure the audit subsystem, try the following:

  1. In the /etc/security/audit/objects file, make an entry for /home/test.txt. Use the following format:

    /home/test.txt:
            r = "S_NOTAUTH_READ"
            w = "S_NOTAUTH_WRITE"

    S_NOTAUTH_READ and S_NOTAUTH_WRITE are the audit event names assigned here to read and write operations on the file, respectively. You can use any event names you like, depending on your requirements.

    You can also track more than one file using the same keyword by making individual entries for each file to be tracked in the /etc/security/audit/objects file, in the same format.

  2. In the /etc/security/audit/config file, add the following entry under the classes stanza:

    classes:
            abusers = S_NOTAUTH_READ, S_NOTAUTH_WRITE

  3. In the /etc/security/audit/config file, add entries for all the users you want to track under the users stanza, as follows:

    users:
            root = general, abusers
            user1 = abusers
            user2 = abusers
            ...
            userN = abusers

    This set of entries ensures that any read or write operation on /home/test.txt by any user in this list is reported by audit. If an entry for a user already exists, append abusers to it, separated from the existing classes by a comma.

  4. Auditing provides data collection in two modes:
    • BIN mode: Records the audit events to two alternating temporary BIN files, which are then appended to a single audit trail file.
    • STREAM mode: Writes the audit records to a circular buffer that can be read through the /dev/audit device file.

    In this scenario, there is no major difference between the two except the format of the output. You can switch on either or both modes to collect the data; they are switched on or off by the appropriate entry in the start stanza of the /etc/security/audit/config file. The example below switches on STREAM mode (the keywords are binmode and streammode):

    start:
            binmode = off
            streammode = on

The above steps ensure that the /home/test.txt file is under the auditing subsystem's observation.
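As an added check (example script, not part of the article), the following POSIX shell functions cross-check the three stanzas from the steps above before you run audit start: every user in the users stanza should carry the abusers class, and every event name used in the objects file should be listed in that class. The stanza text is constructed inline; on a real system you would read /etc/security/audit/objects and /etc/security/audit/config instead.

```sh
# Added example (not from the article): cross-check the objects and config
# stanzas from the steps above. The stanza text is constructed inline; on a
# real system read /etc/security/audit/objects and .../config instead.
OBJECTS='/home/test.txt:
        r = "S_NOTAUTH_READ"
        w = "S_NOTAUTH_WRITE"'
# "general" is shown with one event only; the real default class is longer.
CONFIG='classes:
        general = FILE_Unlink
        abusers = S_NOTAUTH_READ, S_NOTAUTH_WRITE

users:
        root = general, abusers
        user1=abusers
        user2 = general'

# Event names that the objects file assigns to r/w/x operations.
object_events() {
    printf '%s\n' "$OBJECTS" | awk -F'"' '/^[ \t]*[rwx][ \t]*=/ { print $2 }' | sort -u
}
# Names defined in a stanza ("classes:" or "users:"), one per line.
stanza_keys() {
    printf '%s\n' "$CONFIG" | awk -v st="$1" '
        /^[a-z]+:/ { stanza = $1; next }
        stanza == st && /=/ { sub(/[ \t]*=.*/, ""); gsub(/[ \t]/, ""); print }'
}
# Value of KEY inside STANZA, whitespace removed: stanza_value classes: abusers
stanza_value() {
    printf '%s\n' "$CONFIG" | awk -v st="$1" -v key="$2" '
        /^[a-z]+:/ { stanza = $1; next }
        stanza == st && /=/ {
            name = $0; sub(/[ \t]*=.*/, "", name); gsub(/[ \t]/, "", name)
            if (name == key) { sub(/^[^=]*=/, ""); gsub(/[ \t]/, ""); print }
        }'
}
# True when ITEM ($2) is in the comma-separated LIST ($1).
has_item() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# Users in the users: stanza without CLASS: their accesses go unreported.
users_missing_class() {
    for u in $(stanza_keys users:); do
        has_item "$(stanza_value users: "$u")" "$1" || echo "$u"
    done
}
# Events in objects that CLASS does not list, so they never fire for it.
unclassified_events() {
    evs=$(stanza_value classes: "$1")
    for e in $(object_events); do has_item "$evs" "$e" || echo "$e"; done
}
```

With the sample stanzas, users_missing_class abusers reports user2, whose reads and writes on /home/test.txt would never appear in the audit output.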

Monitoring output

To monitor the output, first start the auditing subsystem using the following command:

# audit start

Data collection in STREAM mode

Because data collection is enabled in STREAM mode, data collection starts with the command held in /etc/security/audit/streamcmds, which you can view by running:

# cat /etc/security/audit/streamcmds

The file contains the following command, which the audit subsystem runs when it starts:

/usr/sbin/auditstream | auditpr > /audit/stream.out &

The auditing results are written in the /audit/stream.out file, which can be monitored in real time to keep track of the read and write operations.

A typical output would look like Listing 1 below.


Listing 1. Output file—Data collection in STREAM mode

# tail -f /audit/stream.out

event            login    status   time                       command
---------------  -------- -------- -------------------------  -------
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
FILE_Unlink      root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_WRITE  root     OK       Thu May 24 14:07:13 2007   vi
FILE_Unlink      root     OK       Thu May 24 14:07:13 2007   vi
FILE_Unlink      root     OK       Thu May 24 14:07:20 2007   vi
S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat
S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat

The interpretation of the output file is simple. For example, the following line:

S_NOTAUTH_WRITE  root     OK       Thu May 24 14:07:13 2007   vi

shows that a write operation was performed by root on the file on Thursday, May 24th, at 14:07:13.

Data collection in BIN mode

If data collection in BIN mode is enabled, you can process the collected audit trail with the following command:

# /usr/sbin/auditpr -v < /audit/trail > /audit.out

This command writes the results of auditing to the /audit.out file, which can be monitored in real time as well.

A typical output would look like Listing 2 below.


Listing 2. Output file—Data collection in BIN mode

# vi /audit.out
"/audit.out" 30 lines, 2012 characters
event            login    status   time                       command
---------------  -------- -------- -------------------------  -------
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:27 2007   cat
        <tail format undefined>
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:27 2007   cat
        <tail format undefined>
FILE_Unlink      root     OK       Thu May 24 15:07:32 2007   vi
        filename /var/tmp/Ex21778
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
        <tail format undefined>
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
        <tail format undefined>
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
        <tail format undefined>
S_NOTAUTH_WRITE  root     OK       Thu May 24 15:07:37 2007   vi
        <tail format undefined>
FILE_Unlink      root     OK       Thu May 24 15:07:37 2007   vi

You can monitor the output files to keep track of the read and write operations on your files.
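Reading the output files by eye does not scale once several files and users are tracked. The following POSIX shell functions are an added example (not from the article) that parse auditpr output in the format of Listings 1 and 2, count reads and writes per login, and flag writers who are not on an allow list. The record lines in SAMPLE are constructed in that format; on a real system you would feed /audit/stream.out or /audit.out instead.

```sh
# Added example (not from the article): summarize auditpr output in the
# format of Listings 1 and 2 and flag writers outside an allow list. The
# record lines below are constructed; on a real system replace SAMPLE with
# the contents of /audit/stream.out or /audit.out.
SAMPLE='event           login    status        time                        command
--------        -------- -----------   -------------              --------------
S_NOTAUTH_READ   root      OK          Thu May 24 15:07:27 2007   cat
        <tail format undefined>
S_NOTAUTH_READ   root      OK          Thu May 24 15:07:27 2007   cat
        <tail format undefined>
FILE_Unlink      root      OK          Thu May 24 15:07:32 2007    vi
        filename /var/tmp/Ex21778
S_NOTAUTH_WRITE  root      OK          Thu May 24 15:07:37 2007    vi
S_NOTAUTH_READ   ash       OK          Thu May 24 15:09:39 2007    cat
S_NOTAUTH_WRITE  ash       OK          Thu May 24 15:10:02 2007    vi'

# Event records only: the header and dashed rule start with a lowercase
# letter or "-", and the per-record tail lines of "auditpr -v" are indented.
records() { printf '%s\n' "$SAMPLE" | awk '/^[A-Z]/'; }

# Number of records of EVENT for LOGIN, e.g. count_events S_NOTAUTH_WRITE root
count_events() {
    records | awk -v ev="$1" -v who="$2" '$1 == ev && $2 == who { n++ } END { print n + 0 }'
}

# Timestamp (fields 4-8) of the last S_NOTAUTH_WRITE record for LOGIN.
last_write() {
    records | awk -v who="$1" '$1 == "S_NOTAUTH_WRITE" && $2 == who { t = $4 " " $5 " " $6 " " $7 " " $8 }
        END { print t }'
}

# Logins that wrote the tracked file but are not in the space-separated
# allow list, each printed once with the command that did the write.
unexpected_writers() {
    records | awk -v allow=" $1 " '
        $1 == "S_NOTAUTH_WRITE" && index(allow, " " $2 " ") == 0 && !seen[$2]++ { print $2, $NF }'
}
```

With root as the only allowed writer, unexpected_writers root reports "ash vi", and last_write ash gives the time of that write.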



